SQL Injection in Rails
I got this from http://rails-sqli.org/. Their explanations were too technical and terse for me, so I got it running, picked out a few examples, and added more explanation.
The database has two tables. The "orders" table:
| id * | user_id | total | created_at * | updated_at * |
| 401 | 1 | 10 | 2016-12-18 02:22:39 | 2016-12-18 02:22:39 |
| 402 | 3 | 500 | 2016-12-18 02:22:39 | 2016-12-18 02:22:39 |
| 403 | 4 | 1 | 2016-12-18 02:22:39 | 2016-12-18 02:22:39 |
* The id, created_at, and updated_at fields auto-generate after each query and change values.
The "users" table:
| user_id * | name | password | age ** | admin | created_at * | updated_at * |
| 757 | Bob | Bobpass | 21 | false | 2016-12-18 02:12:41 | 2016-12-18 02:12:41 |
| 758 | Jim | Jimpass | 51 | false | 2016-12-18 02:12:41 | 2016-12-18 02:12:41 |
| 759 | Sarah | Sarahpass | 53 | false | 2016-12-18 02:12:41 | 2016-12-18 02:12:41 |
| 760 | Tina | Tinapass | 69 | false | 2016-12-18 02:12:41 | 2016-12-18 02:12:41 |
| 761 | Tony | Tonypass | 24 | false | 2016-12-18 02:12:41 | 2016-12-18 02:12:41 |
| 762 | Admin | supersecretpass | 65 | true | 2016-12-18 02:12:41 | 2016-12-18 02:12:41 |
* The user_id, created_at, and updated_at fields auto-generate after each query and change values.
** The age field populates with fresh random values after each query.
This query is intended to sum data in the "orders" table.
To see the normal use case, delete all the text in the "Column" field.
Click Run to see the sum of the "total" field for all orders.
This shows Bob's age:
age) FROM users WHERE name = 'Bob';
This attempts to show Bob's password, but all it gets is the SUM of his password, which is interpreted as zero:
password) FROM users WHERE name = 'Bob';
This query is intended to see if a user exists, from that user's name.
To see the normal use case, delete all the text in the "User" field.
Click Run to see the result: "true".
Inject this to ask a question the developer won't like: "Is there a user with a password of Bobpass?". The answer is "true".
') or (SELECT 1 AS one FROM 'users' WHERE password = "Bobpass" AND ''='
To prove that it's working, inject this to ask: "Is there a user with a password of bobpass?". The answer is "false".
') or (SELECT 1 AS one FROM 'users' WHERE password = "bobpass" AND ''='
This query is intended to find transactions for user_id = 1 and having a "total" larger than the specified amount.
To see the normal use case, delete all the text in the "Total" field.
Click Run to see the result: one transaction with a "total" of 10.
Inject this to dump all three records from the "orders" table:
5) UNION SELECT * FROM orders--
This query is a typical login function, intended to find information only if the correct username and password are entered.
To see the normal use case, delete all the text in the "Name" field.
Click Run. There are zero results, because this form doesn't allow you to enter a password.
Inject this to see all user data:
') OR 1--
For More Details
Original "Rails SQL Injection" page
All demonstrations running live
Posted 12-17-16 by Sam Bowne