SQL Injection Examples


SQL injection can typically be avoided by ensuring that every input placed into a SQL query is suitably escaped. Some languages and frameworks do this automatically, but if you are writing raw queries you may need to escape the input manually, using functions such as mysqli_real_escape_string() in PHP.

Methods of Exploitation

All the following examples assume that an unescaped input text box is used to inject foreign queries into a form. The examples use the username field, as passwords would typically be hashed before being inserted into the query. An example query is shown below:

SELECT * FROM users WHERE username = '<insert here>' AND password = ''

Privilege escalation

The simplest form of SQL injection is anything that makes the query select something other than what was expected. It is the form most often available because many database functions in a language support only one query per function call, which stops further statements from being appended. However, many applications do not use these functions, and the remaining exploits then become possible.

If a user knows the username of an administrator (for example, "admin"), it would be quite easy to circumvent any security by typing something similar to this into the username field:

' OR username = 'admin'; ---

This would give a query of:

SELECT * FROM users WHERE username = '' OR username = 'admin'; ---' AND password = ''

This query looks up a user with a blank username or one with the username 'admin'. The semicolon then ends the statement, and the remainder of the original query is turned into a comment.

There is another method to perform privilege escalation, using an input such as this:

' OR id = 5; ---

This allows you to log in to any user account, assuming you know the user's ID. It would produce a query similar to:

SELECT * FROM users WHERE username = '' OR id = 5; ---' AND password = ''

The query looks up a user with a blank username or one with the given user ID (in this case, 5). It then ends the statement and puts the remainder of the original query in a comment.

Arbitrary database updates

In a similar manner to the standard privilege escalation method, an arbitrary database update lets you, for instance, upgrade your own access privileges on a system to administrator or change product information in an online shop. An example entry to the text box that upgrades the user to administrative privileges is shown below:

dan'; UPDATE users SET usergroup = 0 WHERE username = 'dan'; ---

Note that this example makes several assumptions. The username is 'dan'. The table schema contains a column called 'usergroup', and an integer value of 0 indicates administrative access. The query it is inserted into does not necessarily have to return results; it just needs to execute without throwing an error.

This would give a query of:

SELECT * FROM users WHERE username = 'dan'; UPDATE users SET usergroup = 0 WHERE username = 'dan'; ---' AND password = ''

This query, as you can see, logs the user in with just the username and then goes on to perform an additional, ordinary UPDATE on the table, giving the user 'dan' administrative access. The remainder of the original query is commented out.

Data loss

The most damaging form of SQL injection involves removing data from a given table. This is fairly self-explanatory given the previous examples: you would enter text similar to the following in the text box:

dan'; DROP TABLE 'groups'; ---

This would give a query of:

SELECT * FROM users WHERE username = 'dan'; DROP TABLE 'groups'; ---' AND password = ''

This query, as before, logs the user in with just the username and then goes on to drop the groups table from the database.
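The following is an added example, not code from the original page: it builds the login lookup used throughout the page both the unsafe way (the username spliced into the SQL text, as every example above assumes) and the safe way (a parameterised query, which is the stronger form of the escaping advice given at the top of the page), and runs the page's own inputs against an in-memory SQLite database so it can be executed offline. It also shows the "one query per function call" limit mentioned under privilege escalation: Python's sqlite3 driver refuses the stacked UPDATE and DROP TABLE inputs. The table and column names follow the page; the rows, password values and the helper names are constructed for this example.

```python
# Added example (not from the original page): unsafe vs. parameterised login
# lookup, run against an in-memory SQLite database. Table and column names follow
# the page; rows, password values and helper names are constructed assumptions.
import sqlite3


def make_db():
    """Constructed sample data: the page's 'users' table, with the 'usergroup'
    column the arbitrary-update section assumes (0 = administrator)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
        " password TEXT, usergroup INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password, usergroup) VALUES (?, ?, ?, ?)",
        [(1, "admin", "hash-of-admin-password", 0),  # constructed row
         (5, "dan", "hash-of-dan-password", 1)],     # constructed row; id 5 as on the page
    )
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """Vulnerable form: the username is concatenated into the query text, so any
    quote, semicolon or comment marker it contains is parsed as SQL."""
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Hardened form: '?' placeholders are bound by the driver, so the whole input
    is compared as a string value and is never parsed as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def outcome(conn, login, username, password=""):
    """Run one login attempt and return the usernames the query matched, or
    'refused' when the driver rejected a stacked (multi-statement) query.
    sqlite3's execute() accepts one statement per call, which is the limit the
    page describes; older Python versions raise sqlite3.Warning for this and
    newer ones raise sqlite3.ProgrammingError, so both are caught."""
    try:
        rows = login(conn, username, password)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "refused"
    return [row[1] for row in rows]


def usergroup_of(conn, username):
    """Read back a user's group so the effect of the UPDATE input can be checked."""
    row = conn.execute(
        "SELECT usergroup FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    inputs = [
        "' OR username = 'admin'; ---",
        "' OR id = 5; ---",
        "dan'; UPDATE users SET usergroup = 0 WHERE username = 'dan'; ---",
        "dan'; DROP TABLE 'groups'; ---",
    ]
    for text in inputs:
        print(repr(text))
        print("  unsafe:", outcome(conn, login_unsafe, text))
        print("  safe:  ", outcome(conn, login_safe, text))
    print("dan's usergroup afterwards:", usergroup_of(conn, "dan"))
```

With the concatenated query, the first two inputs return the admin row and the id-5 row respectively, while the parameterised query returns nothing for any of them because the whole string is compared against the username column. The two stacked inputs are refused by the driver before anything runs, so dan's usergroup is unchanged; a driver or API that allows multiple statements per call would not give that protection, which is why binding parameters, rather than relying on single-statement execution, is the fix to apply.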