In this tutorial, we are going to be targeting my 'vulnerable cloud storage' program (https://vulnerable-cloudstorage--marcusweinberger.repl.co). The way it works is users can store and read data, with authentication. Usernames and passwords are stored in a sqlite3 database.
For this demo, the user 'test' has been added with a password of 'test' and has 4 files containing irrelevant data. The first example of SQL injection can be seen on line 13. In the request, you are supposed to supply a username and password. However, as you can see, this is not a regular password.
We gave the password "x' OR '1'='1" with the username "test". When inserted into the SQL command on the server, the command will look like this:
SELECT ID FROM USERS WHERE USERNAME='test' AND PASSWORD='x' OR '1'='1'
Because AND binds more tightly than OR, the database evaluates this as (USERNAME='test' AND PASSWORD='x') OR ('1'='1'). The second branch is always true, so the query matches every row and returns an ID even though the password is wrong; the username does not even need to exist.
What we have just done is take advantage of poorly written code to make the server execute SQL that was never intended. The simple mistake I (purposefully) made in my code is building the query with %s string formatting, so whatever the user types becomes part of the SQL itself. sqlite3 has a way to do this correctly: parameterized queries. Write a question mark in place of each value (with no quotation marks around it) and pass the values as a tuple in the second argument to execute(). The driver then treats them strictly as data, so a quote character in a password can never terminate the string and add a new condition.
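As an added example (not the code from the vulnerable cloud storage program itself), here is a constructed, in-memory stand-in for the login check: the %s version that the "x' OR '1'='1" password bypasses, next to the parameterized version that rejects it. The table layout (ID, USERNAME, PASSWORD) and the plaintext test/test user mirror what the tutorial describes; function names are mine.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the tutorial's users database.
    # Passwords are stored in plaintext here only to mirror the demo app.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE USERS (ID INTEGER PRIMARY KEY, USERNAME TEXT, PASSWORD TEXT)"
    )
    conn.execute("INSERT INTO USERS (USERNAME, PASSWORD) VALUES ('test', 'test')")
    conn.commit()
    return conn


def rendered_query(username, password):
    # The exact string the vulnerable server ends up executing.
    return "SELECT ID FROM USERS WHERE USERNAME='%s' AND PASSWORD='%s'" % (
        username,
        password,
    )


def login_vulnerable(conn, username, password):
    # The mistake from the tutorial: user input is pasted into the SQL text,
    # so a quote in the password closes the string and appends a condition.
    row = conn.execute(rendered_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: '?' placeholders with no surrounding quotes, and the
    # values passed as a tuple. sqlite3 binds them as data, never as SQL.
    row = conn.execute(
        "SELECT ID FROM USERS WHERE USERNAME=? AND PASSWORD=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(rendered_query("test", payload))
    print("vulnerable, test + payload  ->", login_vulnerable(db, "test", payload))
    print("vulnerable, nobody + payload ->", login_vulnerable(db, "nobody", payload))
    print("safe, test + payload        ->", login_safe(db, "test", payload))
    print("safe, test + test           ->", login_safe(db, "test", "test"))
```

The second vulnerable call shows why the tutorial says the injection bypasses all authentication: with the OR tacked on, the username is irrelevant and the first user's ID comes back regardless. The safe version only ever matches a row whose PASSWORD column is literally the string x' OR '1'='1, which does not exist.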
To learn more about input sanitization and good practice, look here: https://www.hacksplaining.com/prevention/sql-injection
Anyway, this script uses SQL injection to bypass all authentication and replaces all the user's data with random characters.
SQL injection is one of the most common vulnerabilities found in websites. It is an easy mistake to make and can have devastating results, from reading confidential information (e.g. password hashes or, as here, plaintext passwords) to modifying or deleting data, and on some setups to taking complete control of the server.
The real solution to SQL injection risk is not to avoid SQL but to never build queries by string formatting: use parameterized queries (or an ORM that does so for you), and the '1'='1' trick simply stops working.