{% extends 'core/Injections/injections.html' %} {% load static %}
First, let's look at examples of how we operate SQL language to understand this issue better. We will start with basic queries and see how they look in SQLI (SQL Injection) attacks. But for that, we need data to work on.
The showcase will be done on a database with this structure. However, you can follow along on your own testing database.
SELECT * FROM testDatabase.auth_user WHERE username='user1';
Here we can see simple query onto the database - testDatabase, and table - auth_user. It selects all the
columns for the user named 'username1'.
The result of this query will look like this:
As we can see, the result is all the information about the user1. Now that we know how simple SQL query looks and works, let's look at some more useful queries.
SELECT * FROM testDatabase.auth_user;
Here we can see a query that shows all the columns and rows from our table, including our admin user. This
query is much more dangerous as it can reveal all the data.
Those are some examples of queries that show us data. Now, let's see some that modify them.
UPDATE auth_user
SET username = 'user1'
WHERE username = 'alteredUser1'
As you can see, queries like these allow us to change data in the database. If attackers were allowed to
perform such actions, it could lead to denial of access by changing all the passwords.
Attackers could perform many malicious actions once they are allowed to execute SQL Injections.
Let's
look at queries that attackers would usually use:
As you may see these queries look a bit different from previous examples, but they are actually similar, lets see why. Starting with the first picture the query looks like this:
SELECT * FROM users Where username ='admin' OR '1'='1' AND password='randompassword'
This query selects everything from table username if username equals admin OR
1 is equal to 1,
since 1 will always equal 1 this query will execute no matter the wrong password. As we hit signup the query
will be sent to backend and handled. As this website
is made using django such attempts won't even reach database.
As for the second one, it will look like this:
SELECT * FROM users Where username ='' OR 1='1'
Difference between these being, first query tries to get information about admin, the second one gains
information
about every entry in the table, it uses the same principle of one equals one but leaving username as empty
string
selects everything.
SELECT * FROM database WHERE id = 1; DROP users--
This query is meant to drop the table users. Other parameters here don't matter.
Since you can't see the fourth query fully, here is what it looks like:
user2' OR '1'='1';Update auth_user SET username='newUser' WHERE id=1;
This UPDATE query changes any information in the table as long as you know the table and column name.
user2' OR '1'='1';INSERT INTO auth_user VALUES ('12','asdasd','2023-03-31 15:26:48.454159', '0', 'InjectedUser', '', '', '', '0', '1', '2023-03-31 15:26:48.454159');
And here, we have an INSERT query. With such a query, you can insert your own users and even admin users.
If you want to, below is a button where you can test the SQL attacks yourself. You can play around and try different kinds of attacks. My advice would be to start with the SELECT Injection. You can use that later to check if the other types work. However, populating the database first is recommended, so register a few users you want to work with.
These are the basics of SQL injections, let's take a look at how to prevent them on the next Tab.
If you want to learn more your can watch this video from PortSwigger: