Login Form

SQL query being executed

This is a virtual representation of the SQL query being executed.

{{query}}

SQL query results

The results from your query will be shown here. This is the data which is returned from the database.

{{result}}

SQL Injection Demo

This demo only works in Chrome (maybe Safari and Opera).

This demo is to help teach the basics of SQL injection and how they work, so you (less likely) fall victim to this type of attack.
It is important note that this demo is very basic, so once you understand how it works here make sure to do your own research as well!

This application has been intentionally left vulnerable to SQL Injections, an no measures to mitigate this form of attack has been made.

SQL Injections, what is it even?

They are a type of attack which targets the, you guess it, SQL statements of an application. To put it very simply, SQL Injections are pieces of code which alters the SQL statement to do something else than what was intended.

For example, this demo simulates a (poorly written) login form. The user types their username and password and they are logged in if the details are correct.

What if we could just skip the password or username altogether, and just "choose" who to login as? Well, today is your lucky day! }:)

How does it work?

First fill out the form with "test" as the username and password, and hit "submit". You should now be able to see a visual representation of the SQL query which was executed. What happens if we add a " (quote) to the end of the username input? Try type the following into the username input: test".

Oh no! The query broke! .. actually that is a good thing! This is just one of my indications that an application might be vulnerable. If you look closely on the SQL query which was executed, you can see the username = "test"" as an extra " at the end, this syntax is invalid so the SQL server throws an error.

What can we do now? Let's modify the query to ignore the username and/or password. There are so many ways we can do this, but in this demo, let do it like this: in your username field type the following: " OR 1 == 1 /*

Oh mah lawd! We just got a list of all the users!

OK, so how did that work? If you look at the SQL Query, it should show this username = "" OR 1 == 1 /*". What out SQL Injection did was:

  • " OR 1 == 1 /*
    First we close the original comparison
  • " OR 1 == 1 /*
    Then we add an OR comparison, which will alter the statement to read: "if the username is equal to "" OR"
  • " OR 1 == 1 /*
    here we finish out comparison statement, which we will always make sure returns true. The statement now reads: "if the username is "" OR 1 is equal to 1" and since 1 will always be = to 1, all users will be returns since that statement always returns true!
  • " OR 1 == 1 /*
    Here we tell it to ignore anything else after this point, which means the password comparison is ignored!

Log in without password

Since we now have all the users, lets login with one of them shall we! To do this, we need to use of what we learned above. I will let you try figure it out ;). Hint: it's likely much simpler than you think! Just remember what we did above, and see which parts you need to login with "sirmre" without a password!

You know you have succeeded when the SQL query results only shows once results for "sirmre", and not the other 2.

If you want to see the answer {{ answer }}, but I suggest you give it at least a couple of tries first. Don't worry if its hard, remember that every master was once a beginner!

Protecting Your Applications

In short: Use parameterised queries and type check/sanitise all user input before using it!

Please do your own research for whichever given language/library/driver you will be using, don't just take what I said as gospel. Be paranoid!

Liked this demo?

If you enjoyed this demo or if you have any feedback, I would also love to hear it: [email protected]