Login Form

SQL query being executed

This is a virtual representation of the SQL query being executed.


SQL query results

The results from your query will be shown here. This is the data which is returned from the database.


SQL Injection Demo

This demo only works in Chrome (maybe Safari and Opera).

This demo is to help teach you the basics of SQL injection and how they work. Hopefully this will help you write more secure code.
It is important note that this demo is very basic, so once you understand how it works here make sure to do your own research as well!

This application has been intentionally left vulnerable to SQL Injections, so do not copy the source code and use it as is. You have been warned.

SQL Injections, what is it even?

They are a type of attack which targets the, you guess it, SQL statements of an application. To put it very simply, SQL Injections are pieces of code which alters the SQL statement to do something other than what was intended.

For example, this demo simulates a login form. The user types their username and password and they are then logged in if the details are correct.

Now, what if we could just skip the password or username altogether, and just "choose" who to login as? Well, today is your lucky day! 😈

How does it work?

First, fill out the form with  test  as the username and password, and hit "submit". You should now see a visual representation of the SQL query which was executed, and the results returned (none, as there are no user with that username/password combo).
Now, what will happens if we add a  "  (quote) to the end of the username input 🤔? Try type the following into the username input (notice the " at the end):  test"  and hit submit.

Oh no we got a "Error! Invalid query" error!
Normally that is very bad, but because we actually want to make SQL Injections, this error is actually a good thing for us to see! What this error tells us is that an the application is likely to be vulnerable (just one of my indications).
If you look closely at the SQL query which was executed, you should be able to see that  username = "test""  got an extra  "  at the end, this syntax is invalid so the SQL server throws an error.

What can we do now? Let's modify the query to ignore the username and/or password! There are a lot of different ways we can achieve, but in this demo we will do it like this:
In your username field try type the following:  " OR 1 == 1 /* 

Oh boy! We just got a list of all the users!

So what did our SQL Injection do?

If you look at the SQL query, it should show a line looking something like this: username = "" OR 1 == 1 /*" 
I'll break down what each of the part of our injection did:

  •  "  OR 1 == 1 /*
    First we close the original comparison
  • "  OR  1 == 1 /*
    Then we add an OR comparison, which will alter the statement to read: if username is equal to "" or ??
  • " OR  1 == 1  /*
    here we finish our comparison statement from above. The statement now reads: if username is "" or 1 is equal to 1
    and since 1 is always equal to 1, the comparison statement is fulfilled and will be fulfilled so we get all users in the database!
  • " OR 1 == 1  /* 
    This is the opening tag for a multiline comment. Opening this tag and never closing it will make the parser thing the rest is just a comment and not part of the query and ignores anything after this tag.

Log in without password

So we know we can get the list of all users, but how to we login as one of these users?
To do this, we need to use some of what we learned above. I will let you try figure it out. Look at the parts of the injection we did above, and see which parts you need to login with "sirmre" without a password.
Hint: Since we know the usernames, you will need to inject your code into the password field.

You know you have succeeded when the SQL query results only shows once results for "sirmre", and not the other 2. Now there are many other ways to do this, so if your injection is different from the answer I provide, don't worry! The result is all that matters.

If you want to see the answer  {{ answer }}  but I suggest you give it at least a couple of tries first. Don't worry if its hard, remember that every master was once a beginner.

Protecting Your Applications

In short: Use parameterised queries and type check/sanitise all user input before using it!

Please do your own research for the language/library/driver you will be using, don't just take what I said as gospel. Be paranoid!

Liked this demo?

If you enjoyed this demo or if you have any feedback, I would also love to hear it! Reach me on [email protected]