Example of SQL Injection Attack
- Attacker enters malicious SQL into a form in the web browser.
- Website does not adequately check the input for SQL syntax (quotes, operators, statement separators) before putting it into a query.
- Malicious SQL is executed and can give the attacker full access to the database.
- Can be used for stealing data, deleting data and defacing websites.
In the server-side script (e.g. PHP), userName is read in from the user and concatenated straight into the query:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
The attacker types this into the browser:
' OR '1'='1
This statement is executed:
SELECT * FROM users WHERE name = '' OR '1'='1';
The condition '1'='1' is always true, so the query returns every row of the users table instead of one user.
The attacker can also execute multiple statements (stacked queries), provided the database API runs more than one statement per call:
In the server-side script userName is read in from the user:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
The attacker types:
a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't
This is executed:
SELECT * FROM users WHERE name = 'a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't';
and the users table is deleted. The trailing SELECT exists only to absorb the closing quote and semicolon that the script appends, so the whole string stays valid SQL.
Caveat: many database APIs execute exactly one statement per call (e.g. PHP's mysqli_query, Python's sqlite3 execute) and reject this payload; stacked queries need an API such as mysqli_multi_query. The tautology attack above works regardless.
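The two payloads run end to end, as an added example that is not part of the original slides. It uses Python's built-in sqlite3 module as a stand-in for the PHP script and its database (the table layout and the two sample users are constructed for the demo). It also shows the difference between a one-statement-per-call API and a multi-statement API for the stacked payload, and the parameterized query that defeats both payloads:

```python
import sqlite3

# Constructed sample data for this demo (not from the original slides).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# The two payloads from the slides.
TAUTOLOGY = "' OR '1'='1"
STACKED = "a'; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"


def make_db():
    """In-memory SQLite database standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE userinfo (name TEXT)")
    conn.commit()
    return conn


def build_statement(user_name):
    """String concatenation exactly as in the slide's server-side script:
    the user's text becomes part of the SQL, so quotes and keywords in it
    are parsed as SQL rather than treated as a name."""
    return "SELECT * FROM users WHERE name = '" + user_name + "';"


def lookup_vulnerable(conn, user_name):
    """Runs the concatenated statement through a one-statement-per-call API."""
    return conn.execute(build_statement(user_name)).fetchall()


def lookup_vulnerable_multi(conn, user_name):
    """Same concatenation through an API that runs every statement in the
    string (comparable to PHP's mysqli_multi_query). Only such APIs make
    the '; DROP TABLE users; payload work."""
    conn.executescript(build_statement(user_name))


def lookup_parameterized(conn, user_name):
    """The fix: the value is bound separately from the SQL text, so the
    input can never change the structure of the statement."""
    return conn.execute(
        "SELECT * FROM users WHERE name = ?", (user_name,)
    ).fetchall()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def run_demo():
    """Runs both payloads against both query styles; returns the observations."""
    conn = make_db()
    result = {}
    # Tautology: concatenation returns every row, the bound query returns none.
    result["tautology_vulnerable_rows"] = len(lookup_vulnerable(conn, TAUTOLOGY))
    result["tautology_safe_rows"] = len(lookup_parameterized(conn, TAUTOLOGY))
    # Stacked payload through the one-statement API is refused outright
    # (sqlite3 raises Warning on old Pythons, ProgrammingError on newer ones).
    try:
        lookup_vulnerable(conn, STACKED)
        result["stacked_single_refused"] = False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        result["stacked_single_refused"] = True
    result["users_after_single"] = table_exists(conn, "users")
    # Bound parameter: the whole payload is just a (non-matching) name.
    result["stacked_safe_rows"] = len(lookup_parameterized(conn, STACKED))
    # Multi-statement API: the DROP TABLE really runs.
    lookup_vulnerable_multi(conn, STACKED)
    result["users_after_multi"] = table_exists(conn, "users")
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

run_demo() reports two rows for the tautology against the concatenated query and zero against the parameterized one, the stacked payload refused by execute() with the users table intact, and the users table gone after executescript(). The lesson for code review is that the concatenation is the bug; whether a particular payload succeeds depends only on what the driver happens to allow.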
NoSQL Injection Attacks
Injection attacks also work against NoSQL databases such as MongoDB, although the payload is a query object rather than SQL text.
Suppose we have a login page that checks the username and password:
db.users.find({username: myUserName, password: myPassword})
This should return a single user if myUserName and myPassword match a record in the database.
Example of NoSQL Injection Attacks
Instead of a username and a password string we pass in a query operator object for each:
{$gt: ""}
This works when the server puts the decoded request object straight into the query, e.g. from a JSON body {"username": {"$gt": ""}, "password": {"$gt": ""}} or from a query string such as username[$gt]=&password[$gt]= that some web frameworks parse into nested objects.
The search becomes:
db.users.find({username: {$gt: ""}, password: {$gt: ""}})
All non-empty strings are greater than ($gt) an empty string, so the condition is true for every user with a non-empty username and password.
So this search command returns all users, without knowing a single password.
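The object injection and its fix, as an added example that is not part of the original slides. The user collection is constructed for the demo, and mongo_match() is a deliberately small emulation of MongoDB's filter matching (only equality and $gt on strings, which is all this attack needs); the point is the handler logic on either side of it, which is the same whether the collection lives in memory or behind a driver:

```python
import json

# Constructed sample collection (not from the original slides). Passwords are
# stored in clear only to mirror the slide's find(); real code hashes them.
USERS = [
    {"username": "admin", "password": "hunter2", "role": "admin"},
    {"username": "alice", "password": "s3cret", "role": "user"},
]


def mongo_match(doc, query):
    """Simplified emulation of MongoDB filter matching: plain equality and
    the {$gt: value} operator on strings. That is exactly the comparison
    MongoDB performs for the injected filter on the slide."""
    for field, cond in query.items():
        value = doc.get(field)
        if isinstance(cond, dict) and "$gt" in cond:
            if not (isinstance(value, str) and value > cond["$gt"]):
                return False
        elif value != cond:
            return False
    return True


def login_vulnerable(body_json):
    """Passes the decoded request body straight into the query, like
    db.users.find({username: myUserName, password: myPassword}).
    If the client sends an object instead of a string, the object is
    interpreted as a query operator, not compared as a value."""
    body = json.loads(body_json)
    query = {"username": body.get("username"), "password": body.get("password")}
    return [u for u in USERS if mongo_match(u, query)]


def login_safe(body_json):
    """Rejects anything that is not a plain string before it reaches the
    query, so $-operators can never be smuggled into the filter."""
    body = json.loads(body_json)
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    query = {"username": username, "password": password}
    return [u for u in USERS if mongo_match(u, query)]


# Constructed request bodies: a normal login and the slide's injected one.
NORMAL_BODY = json.dumps({"username": "alice", "password": "s3cret"})
INJECTED_BODY = json.dumps({"username": {"$gt": ""}, "password": {"$gt": ""}})


if __name__ == "__main__":
    print("normal   ->", [u["username"] for u in login_vulnerable(NORMAL_BODY)])
    print("injected ->", [u["username"] for u in login_vulnerable(INJECTED_BODY)])
    try:
        login_safe(INJECTED_BODY)
    except ValueError as err:
        print("safe handler rejected injected body:", err)
```

login_vulnerable(INJECTED_BODY) returns every user in the collection, admin first, although the request contained no password at all; login_safe() refuses the same body before any query is built. The type check is the whole defence: a string can never carry a $-operator, so the filter keeps the shape the developer intended.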
We could also use this attack to log in as administrator: