1. The Topic of the Month for June, 2017 is "Organization" Please join the discussion on the forum.

New bumper sticker

Discussion in 'Technical' started by VisuTrac, Nov 13, 2012.


  1. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    That's it. I'm going to be making a bumper sticker that i can slap on the back of my truck right next to my license plate. It's going to read as:

    or 1=1; EXEC sp_MSforeachtable @command1 = "DROP TABLE ?"

    I'm crossing fingers they have backup problem. w00t!
     
  2. scrapman21009

    scrapman21009 Chupacabra Hunter

    EXEC sp_MSforeachtable @command1 = “DELETE FROM ?”

    Table still intact, just no data, less likely to load backups :rolleyes:

    shame it wouldn't work
     
  3. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    Yeah, bastards are probably using MySQL instead of MSSQL. Guess it'll just have to be an inside job.
     
    scrapman21009 likes this.
  4. kellory

    kellory An unemployed Jester, is nobody's fool. Banned

    You gentlemen are speaking a foreign language. I am guessing it is a computer command, that would cause a negative result through curiosity? Like telling an operating system to delete itself?
     
  5. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    It's called Sql Injection.
    basically the premise is their license plate scanner scans my plate number and adds what it reads to a query that is sent to a database.

    my OR 1=1 will always be true so in theory it should run the command right after.

    EXEC sp_MSforeachtable @command1 = "DROP TABLE ?" to delete all of the tables in that exist in the database, Like; License plate, driver licenses, driver name, driver history, infraction database, car owner ship etc.

    DELETE FROM ? Would delete all the data recursively from each table in the database
    another command would be
    TRUNCATE FROM ? Would do the same but deletes all the data in one call per table instead of row by row.

    Basically it would just be fun if the (po po ) haven't protected their lookup algorithm to prevent sql injection.

    But the command is specialized to attack Microsoft SQL servers. If it's another database, I'd probably have it query a webservice on the internet that would perform the same thing but I could make it do much more. ;)
     
  6. kellory

    kellory An unemployed Jester, is nobody's fool. Banned

    If this ran true, would it delete your info, or ALL info of all drivers in their databanks? Would it be possible to insert the command that you were "exempt" ? I would think that missing info, would make for long traffic stops.
     
  7. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    LOL, no this would send it back to the main data storage. thought is it would wipe it all out. An with the new cameras that are looking at all the license plates as the officer drives, just looking for those with warrants, stolen cars, individuals of interest, etc. So just the act of scanning and searching not necessarily as part of a traffic stop is good enough.

    Again, this is purely for 'Educational and Theoretical Purposes only' real life practice it may include being tasered. Anything worth doing is worth doing to the utmost.
     
  8. UGRev

    UGRev Get on with it!

  9. scrapman21009

    scrapman21009 Chupacabra Hunter

    I think Kellory is thinking that it deletes all data in the DMV database, no this only deletes data in the camera server, all you DL info is still available for LEO's to access
     
  10. kellory

    kellory An unemployed Jester, is nobody's fool. Banned

    True enough. I was not clear on the scope of the command. Thank you. I also remember a polarized lens licence plate cover, that prevented a camera from taking a readable photo. They post traffic cameras on the front and back of bridges in californication, to get your face, and your tag as you pass. Cops got mad if they caught you with them, and would right an additional ticket for "illegal obstruction" I think, it's been a few years.
     
  11. VisuTrac

    VisuTrac Ваша мать носит военные ботинки Site Supporter+++

    Well, that depends on where the executed query is sent. If the query is sent to the dmv database server .. well it may. Lots of variables. Plus database triggers could go up the food change to make updates to the 'deleted' or changed data.

    Anyway, it's mostly theoretical. ;)
    mostly
     
    gunbunny likes this.
survivalmonkey SSL seal        survivalmonkey.com warrant canary
17282WuJHksJ9798f34razfKbPATqTq9E7