SQL Injection Demo

This demo only works in Chrome (maybe Safari and Opera).

This demo is meant to teach you the basics of SQL injection and how it works. Hopefully it will help you write more secure code.
It is important to note that this demo is very basic, so once you understand how it works here, make sure to do your own research as well!

This application has been intentionally left vulnerable to SQL Injections, so do not copy the source code and use it as is. You have been warned.

SQL Injections, what is it even?

They are a type of attack which targets, you guessed it, the SQL statements of an application. To put it very simply, an SQL Injection is user input that alters the SQL statement so that it does something other than what was intended.

For example, this demo simulates a login form. The user types their username and password and they are then logged in if the details are correct.

Now, what if we could just skip the password or username altogether, and just "choose" who to login as? Well, today is your lucky day! 😈

How does it work?

First, fill out the form with  test  as the username and password, and hit "submit". You should now see a visual representation of the SQL query which was executed, and the results returned (none, as there is no user with that username/password combination).
Now, what happens if we add a  "  (quote) to the end of the username input 🤔? Try typing the following into the username input (notice the " at the end):  test"  and hit submit.

Oh no, we got an "Error! Invalid query" error!
Normally that is very bad, but because we actually want to perform an SQL Injection, this error is actually a good thing for us to see! What this error tells us is that the application is likely to be vulnerable (an SQL error surfacing from user input is one of the classic indicators).
If you look closely at the SQL query which was executed, you should be able to see that  username = "test""  got an extra  "  at the end. This syntax is invalid, so the SQL engine throws an error.

What can we do now? Let's modify the query to ignore the username and/or password! There are a lot of different ways we can achieve this, but in this demo we will do it like this:
In your username field, try typing the following:  " OR 1 == 1 /* 

Oh boy! We just got a list of all the users!

So what did our SQL Injection do?

If you look at the SQL query, it should show a line looking something like this: username = "" OR 1 == 1 /*" 
I'll break down what each part of our injection did:

  •  "  (the first character of our injection)
    First we close the original string comparison. The application already added the opening quote, so  username = ""  is now a complete, valid comparison against the empty string.
  •  OR
    Then we add an OR, which alters the statement to read: if username is equal to "" or ??
  •  1 == 1
    Here we finish the comparison we started above. The statement now reads: if username is "" or 1 is equal to 1,
    and since 1 is always equal to 1, the condition is true for every row, so we get all users in the database!
  •  /*
    This opens a multi-line comment. Opening it and never closing it makes the parser treat everything after it as a comment and not part of the query, so it is ignored. That "everything" includes the closing quote the application adds and the whole  AND password = "..."  check, which is why we never had to supply a valid password.

Log in without password

So we know we can get the list of all users, but how do we log in as one of these users?
To do this, we need to use some of what we learned above. I will let you try to figure it out. Look at the parts of the injection we did above, and see which parts you need to log in as "sirmre" without a password.
Hint: Since we now know the usernames, you will need to inject your code into the password field.

You know you have succeeded when the SQL query results show only one result, for "sirmre", and not the other two. There are many other ways to do this, so if your injection is different from the answer I provide, don't worry! The result is all that matters.

If you want to see the answer, the demo page can reveal it, but I suggest you give it at least a couple of tries first. Don't worry if it's hard; remember that every master was once a beginner.

Protecting Your Applications

In short: use parameterised (prepared) queries for every statement that includes user input, and type check/validate that input as well!

Parameterisation is the primary defence: the database receives the SQL text and the values separately, so a quote, an OR or a /* inside a value can never change the structure of the statement. Input validation is a useful second layer, but escaping quotes by hand or blacklisting "dangerous" characters is not a substitute for parameterised queries.

Please do your own research for the language/library/driver you will be using; don't just take what I said as gospel. Be paranoid!
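To make the whole walkthrough reproducible outside the browser demo, here is an added example that is not the demo's own code: a Python script using the standard library's sqlite3 module in place of the demo's in-browser SQL engine. It replays the three steps from "How does it work?" (a normal login, the stray quote, the  OR 1 == 1 /*  payload), one possible answer to "Log in without password" (injecting into the password field while the username is "sirmre"), and the parameterised fix described above, running every payload against both versions. Two things are assumptions: SQLite strings use single quotes, so the payloads below use  '  where the demo uses  " ; and the users table (with "alice", "bob" and all passwords) is a constructed stand-in for the demo's data, with "sirmre" being the only name taken from the page.

```python
import sqlite3

# Constructed sample table standing in for the demo's users table. "sirmre" is
# the user named on the page; the other two names and all passwords are made up.
USERS = [
    (1, "sirmre", "s3cret"),
    (2, "alice", "hunter2"),
    (3, "bob", "letmein"),
]


def make_db():
    """Build an in-memory database with three users (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """The demo's approach: paste the form fields straight into the statement.

    Returns (query_text, rows) so the caller can show the "virtual representation"
    of the executed SQL, or (query_text, error_string) if the SQL would not parse.
    """
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    try:
        return query, conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        # The demo shows "Error! Invalid query" here; the driver's message is kept too.
        return query, f"Error! Invalid query ({exc})"


def safe_login(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values travel separately,
    so a quote, OR or /* inside a value is just characters in a string."""
    query = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return query, conn.execute(query, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    steps = [
        ("normal login, no such user", "test", "test"),
        ("stray quote breaks the statement", "test'", "test"),
        ("username field: dump every user", "' OR 1 == 1 /*", "test"),
        # One answer to the exercise: keep the real username and inject into the
        # password field so only sirmre's row matches (many other payloads work).
        ("password field: log in as sirmre", "sirmre", "' OR username = 'sirmre' /*"),
    ]
    for label, user, pw in steps:
        query, result = vulnerable_login(conn, user, pw)
        print(f"[vulnerable]    {label}\n  {query}\n  -> {result}")
        _, result = safe_login(conn, user, pw)
        print(f"[parameterised] {label}\n  -> {result}")
    print("[parameterised] real password ->", safe_login(conn, "sirmre", "s3cret")[1])
```

Run it with `python3` and compare the two columns of output: the vulnerable version errors on the stray quote, returns all three users for the username payload and returns exactly one row for the password-field payload, while the parameterised version returns no rows for every payload and only logs "sirmre" in when the real password is supplied. Note that SQLite, like the demo's engine, accepts an unterminated /* comment at the end of a statement; other engines may require -- or a closed comment, which is why the page tells you to research your own database.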

Liked this demo?

If you enjoyed this demo, or if you have any feedback, I would love to hear it! Reach me on [email protected]