Note: These tutorials assume a basic knowledge of SQL. If you are unfamiliar with SQL, please visit http://www.w3schools.com/sql/default.asp
If you type a username of Student into the "Injection String" field and click "Inject", this SQL query is executed:
Here's a brief description of the parts of this statement:
Our SQL query looks like this initially:
SELECT username FROM users WHERE username = 'OUR_INPUT_HERE' GROUP BY username ORDER BY username ASC

If the query looked like the following, we would retrieve all usernames from the database, not just the one named "myuser":
SELECT username FROM users WHERE username = 'myuser' or 'a'='a' GROUP BY username ORDER BY username ASC

If we place a single quote into our injection string as such:
myuser'
Our SQL query looks like this and is syntactically incorrect due to unmatched single quotes, resulting in an error:
SELECT username FROM users WHERE username = 'myuser'' GROUP BY username ORDER BY username ASC

Our input is not sanitized before being placed in the SQL query, so we can modify the query as we like. To turn our initial query into the one that returns all users, we can use the following string:
myuser' or 'a'='a
When you perform this attack, note the resulting query shown. Your injection portion is underlined to highlight how your input modified the query without losing sight of the form the query was initially intended to take.
SELECT username FROM users WHERE username = 'myuser' or 'a'='a' GROUP BY username ORDER BY username ASC

This is a valid SQL query which returns all the usernames in the "users" table.
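As an added illustration (not part of the original tutorial), the Python script below builds a constructed in-memory SQLite "users" table and runs the three inputs from this page through a query assembled by string concatenation, as the lab's form does, and through a parameterized query, which is the fix. The table contents and the function names are assumptions.

```python
import sqlite3

# Constructed sample data (assumption: the tutorial's "users" table has these rows).
USERS = ["alice", "bob", "myuser", "student"]


def make_db():
    """Create an in-memory SQLite database with a single-column users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in USERS])
    return conn


def lookup_vulnerable(conn, user_input):
    """Paste the input straight into the query text, exactly as the lab does.

    Returns the list of usernames, or an 'ERROR: ...' string when the
    injected quotes leave the statement syntactically invalid.
    """
    sql = ("SELECT username FROM users WHERE username = '" + user_input +
           "' GROUP BY username ORDER BY username ASC")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)


def lookup_safe(conn, user_input):
    """Parameterized form of the same query.

    The driver sends the value separately from the statement, so quote
    characters in the input are data and can never change the query's shape.
    """
    sql = ("SELECT username FROM users WHERE username = ? "
           "GROUP BY username ORDER BY username ASC")
    return [row[0] for row in conn.execute(sql, (user_input,))]


if __name__ == "__main__":
    db = make_db()
    for s in ["myuser", "myuser'", "myuser' or 'a'='a"]:
        print(repr(s), "-> concatenated:", lookup_vulnerable(db, s),
              "| parameterized:", lookup_safe(db, s))
```

The concatenated version reproduces the page's three outcomes (one row, a syntax error, every row), while the parameterized version returns only the row whose username literally equals the input.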
Posted 12-31-12 by Sam Bowne