SQL Injection in Rails

I got this from http://rails-sqli.org/. Their explanations were too technical and terse for me, so I got it running, picked out a few examples, and added more explanation.

The database has two tables:

Orders

id *user_idtotalcreated_at *updated_at *
4011102016-12-18 02:22:392016-12-18 02:22:39
40235002016-12-18 02:22:392016-12-18 02:22:39
403412016-12-18 02:22:392016-12-18 02:22:39

* The id, created_at, and updated_at fields auto-generate after each query and change values.

Users

user_id *namepasswordage **admincreated_at *updated_at *
757BobBobpass21false2016-12-18 02:12:412016-12-18 02:12:41
758JimJimpass51false2016-12-18 02:12:412016-12-18 02:12:41
759SarahSarahpass53false2016-12-18 02:12:412016-12-18 02:12:41
760TinaTinapass69false2016-12-18 02:12:412016-12-18 02:12:41
761TonyTonypass24false2016-12-18 02:12:412016-12-18 02:12:41
762Adminsupersecretpass65true2016-12-18 02:12:412016-12-18 02:12:41

* The user_id, created_at, and updated_at fields auto-generate after each query and change values.
** The age field populates with fresh random values after each query.

Calculate Methods

This query is intended to sum data in the "orders" table.

To see the normal use case, delete all the text in the "Column" field and insert:

total
Click Run to see the sum of the "total" field for all orders.

Injections

This shows Bob's age:
age) FROM users WHERE name = 'Bob';
This attempts to show Bob's password, but all it gets is the SUM of his password, which is interpreted as zero:
password) FROM users WHERE name = 'Bob';

Exists? Method

This query is intended to see if a user exists, from that user's name.

To see the normal use case, delete all the text in the "User" field and insert:

Bob
Click Run to see the result: "true".

Inject this to ask a question the developer won't like: "Is there a user with a password of Bobpass?". The answer is "true".

') or (SELECT 1 AS one FROM 'users' WHERE password = "Bobpass" AND ''='
To prove that it's working, inject this to ask: "Is there a user with a password of bobpass?". The answer is "false".
') or (SELECT 1 AS one FROM 'users' WHERE password = "bobpass" AND ''='

Having Method

This query is intended to find transactions for user_id = 1 and having a "total" larger than the specified amount.

To see the normal use case, delete all the text in the "Total" field and insert:

5
Click Run to see the result: one transaction with a "total" of 10.

Inject this to dump all three records from the "orders" table:

5) UNION SELECT * FROM orders--

Where Method

This query is a typical login function, intended to find information only if the correct username and password are entered.

To see the normal use case, delete all the text in the "Name" field and insert:

Bob
Click Run. There are zero results, because this form doesn't allow you to enter a password.

Inject this to see all user data:

') OR 1--

For More Details

Original "Rails SQL Injection" page

All demonstrations running live

References

https://github.com/presidentbeef/inject-some-sql
https://www.digitalocean.com/community/tutorials/how-to-install-ruby-on-rails-with-rvm-on-ubuntu-16-04
https://www.digitalocean.com/community/tutorials/how-to-create-a-sudo-user-on-ubuntu-quickstart
https://gorails.com/setup
http://stackoverflow.com/questions/17643897/cannot-load-such-file-sqlite3-sqlite3-native-loaderror-on-ruby-on-rails
http://stackoverflow.com/questions/36963018/error-incompatible-library-version-sqlite3-1-3-11-in-rails
http://edgeguides.rubyonrails.org/security.html
http://stackoverflow.com/questions/1988249/how-do-i-use-su-to-execute-the-rest-of-the-bash-script-as-that-user

Posted 12-17-16 by Sam Bowne