Learn to Code via Tutorials on Repl.it!

How basic SQL injection works - with a demo
MarcusWeinberger (678)

In this tutorial, we are going to be targeting my 'vulnerable cloud storage' program (https://vulnerable-cloudstorage--marcusweinberger.repl.co). Users can store and read data after authenticating, and the usernames and passwords are stored in a sqlite3 database.

For this demo, the user 'test' has been added with a password of 'test' and has 4 files containing irrelevant data. The first example of SQL injection can be seen on line 13. In the request, you are supposed to supply a username and password. However, as you can see, this is not a regular password.

We gave the password "x' OR '1'='1" with the username "test". When inserted into the SQL command on the server, the command will look like this:


What we have just done is take advantage of poorly written code to make the server execute a command that was never intended. The simple mistake I (purposely) made in my code is using %s to format user input straight into the query string. In sqlite3 the correct way is to put a ? placeholder in the query (with no quotation marks around it) wherever data belongs, and pass the data as a tuple in the arguments to execute(), so the driver binds it as a value instead of treating it as part of the SQL.
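As an added example (not the code from the cloud storage repl), here is the %s mistake next to the ? fix, run against a constructed in-memory sqlite3 database holding the same 'test'/'test' user, with the password from the post fed to both:

```python
import sqlite3

PAYLOAD = "x' OR '1'='1"  # the password used in the post


def make_db():
    # Constructed stand-in for the tutorial's database: one user, test/test.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', 'test')")
    conn.commit()
    return conn


def rendered_query(username, password):
    # The query text the vulnerable server actually runs: user input is
    # pasted into the SQL with %s, so quotes in the input change the SQL.
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(conn, username, password):
    # The mistake from the post. With PAYLOAD the WHERE clause becomes
    # (username = 'test' AND password = 'x') OR '1'='1', which is always true.
    return conn.execute(rendered_query(username, password)).fetchone() is not None


def login_safe(conn, username, password):
    # ? placeholders: sqlite3 binds the values, so the password is compared
    # as one literal string and can never become SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    conn = make_db()
    return {
        "vulnerable_real_password": login_vulnerable(conn, "test", "test"),
        "vulnerable_payload": login_vulnerable(conn, "test", PAYLOAD),
        "safe_real_password": login_safe(conn, "test", "test"),
        "safe_payload": login_safe(conn, "test", PAYLOAD),
    }


if __name__ == "__main__":
    print(rendered_query("test", PAYLOAD))
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

Both versions accept the real password; only the %s version is fooled by the payload.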

To learn more about input sanitization and good practice, look here: https://www.hacksplaining.com/prevention/sql-injection

Anyway, this script uses SQL injection to bypass all authentication and replaces all the user's data with random characters.

SQL injection is one of the most common vulnerabilities found in websites. It is an easy mistake to make and can have devastating results, such as someone taking complete control of your server or reading confidential information (e.g. passwords).

TheDrone7 (1649)

MongoDB > SQL. Change my mind. But still, good tutorial.

HappyFakeboulde (237)

solution to sql injection risk: don't use sql

MarcusWeinberger (678)

@HappyFakeboulde SQL is very useful and is used everywhere, it's not hard to protect against SQL injection and using SQL can be very helpful.

HappyFakeboulde (237)

@MarcusWeinberger people say r/whoooosh outside of reddit

MarcusWeinberger (678)

@HappyFakeboulde and it's horrible and needs to stop, I would say r/ihavereddit but that's hypocritical

HappyFakeboulde (237)

@MarcusWeinberger well, it's not going to stop
accept it

MarcusWeinberger (678)

@HappyFakeboulde I will continue to fight the good fight


@MarcusWeinberger r/whoosh is good

BinaryBreaker (18)

@HappyFakeboulde -> Solution: store all of you usernames in passwords in plain text that anyone can download

HappyFakeboulde (237)

@BinaryBreaker all your usernames and passwords, and it's quite possible and advisable to hash passwords and keep the database private without using sql

BinaryBreaker (18)

@HappyFakeboulde even if they're hashed they can still be cracked, especially if you're using md5

MarcusWeinberger (678)

@BinaryBreaker Well it's the best solution out there - just use a strong password