
There is a query like:

select * from tablename where username='value1' and password='value2';

If I set the fields to the following:

username ='admin' and password ='admin'; 

Then I sign in into the website as administrator.

Now, if I wanted to SQL inject my query, I would enter the value 'or 1=1 into the username field, after which the query would be executed like:

select * from tablename where username ='' or 1=1

Assume that, after this, the query is executed successfully.

My question is, based on the above example, which user will we be logged in as?

As:
   1. Admin
   2. Or first row in table?
   3. Or any other user and how?

AstroCB
thuk
  • Not nearly enough info to guess. And this seems like a very suspicious question to ask; just fix the vulnerability. – Andrew Barber Sep 11 '12 at 18:35
  • It depends on the rest of the login code. There's not enough info in just the SQL to be sure. Probably the first user in the table. Try it and see. The only way to be sure is to test it. – David Sep 11 '12 at 18:36
  • @djadmin How do you say that? Can you please explain? – thuk Sep 11 '12 at 18:39
  • @thuk Please read my recent post about SQL injections, you could find it interesting: http://stackoverflow.com/questions/11939226/sql-injections-and-adodb-library-general-php-website-security-with-examples – Ilia Ross Sep 11 '12 at 18:52

2 Answers


That is just a SQL query, it does not login or do any other application functionality. What is done with the data retrieved is entirely dependent on the specific application.

The code may happily consume the first row in the resulting recordset and assume that is the user to be logged in. It may also throw an exception, e.g., if the query is being done with LINQ and .SingleOrDefault() is used. Without seeing the application code, there is no way to know.

D'Arcy Rittich
  • Yes, that's right. But I need to know which user we will be logged in as if the above query is used in the backend for login to the website. Since it returns all rows from the table because the condition is true for all records, the application must issue an error or it must not log in, but somehow we are logged in. So in this case, what is happening inside is my question. – thuk Sep 11 '12 at 18:48
  • @thuk What is happening inside is determined by your code, which you have not provided. So you are in a better position to answer this than we are :) – D'Arcy Rittich Sep 11 '12 at 18:51

All rows in the tablename table will be returned to whatever is running this query. The order in which these rows are returned isn't well defined (and tables don't have an order, so your guess of "first row" is wrong for a number of reasons).

We'd then need to see the consuming code to know what happens - it might take the first row it's given, it might take the last row it's given (different runs of this query could have different first and last rows, because as I said, the order isn't well defined). It may attempt to (in some manner) merge all of the resulting rows together.

You shouldn't try to reason about what happens when your code is subject to SQL injection, you should just apply adequate defenses (e.g. parameterized queries) so you don't have to think about it again.


For example, let's say, for the sake of argument, that this query always returned the rows in some particular order (so long as the moon is full), such that the lowest UserID (or similar) is the first row, and that the consuming code uses the first returned row and ignores other rows. So you decide to "cunningly" create a dummy user with UserID 0 which can't do anything and warns you of an attack.

Well, guess what - all the attacker has to do is inject an ORDER BY CASE WHEN UserName='Admin' THEN 0 ELSE 1 END into the query - and bingo, the first row returned is now guaranteed to be the Admin user.

Damien_The_Unbeliever
  • Yes, that's right. But I need to know which user we will be logged in as if the above query is used in the backend for login to the website. Since it returns all rows from the table because the condition is true for all records, the application must issue an error or it must not log in, but somehow we are logged in. So in this case, what is happening inside is my question. – thuk Sep 11 '12 at 18:45
  • @thuk - (going meta for a moment here) - you ask a question that you imagine has one, well defined and clear cut answer. You receive 3 answers, and they're all different. How are *we* meant to know how *you* will react to multiple answers? – Damien_The_Unbeliever Sep 11 '12 at 18:48
  • No, the 3 answers are not mine. They were given by others when I asked the same question of them. This is not an imaginary question; this is the situation of SQL injection attacks against many web applications today. – thuk Sep 11 '12 at 18:52
  • @thuk - I meant that, whatever is running this query expected 1 row, and received 3 instead. How it reacts to that situation is not knowable, without you also showing that code. I was making an analogy. – Damien_The_Unbeliever Sep 11 '12 at 18:54
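The following is an added example, not code from the question or either answer. It runs the question's login query against a constructed in-memory SQLite table with three made-up users, first built by string concatenation and then with bound parameters, and feeds the result to two hypothetical consumers: one that takes the first row (the "first row" guess) and one that requires exactly one match. The injected value is the question's 'or 1=1 followed by a SQL comment so that the resulting statement is the one shown in the question.

```python
import sqlite3

# Constructed sample accounts (not from the page); the admin is deliberately not first.
SAMPLE_USERS = [
    (7, "zed", "zedpass"),
    (1, "admin", "correct horse"),
    (3, "bob", "hunter2"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tablename (userid integer, username text, password text)")
    conn.executemany("insert into tablename values (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query(conn, username, password):
    """Builds the statement by concatenation, as the question's query implies."""
    sql = ("select * from tablename where username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def safe_query(conn, username, password):
    """Same statement with bound parameters: the input is data, never SQL text."""
    sql = "select * from tablename where username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()


def login_first_row(rows):
    """Sloppy consumer: logs in whichever row the engine happened to return first."""
    return rows[0][1] if rows else None


def login_exactly_one(rows):
    """Strict consumer: a login must match exactly one account; anything else is rejected."""
    return rows[0][1] if len(rows) == 1 else None


def demo():
    conn = make_db()
    injected = "' or 1=1 --"  # the question's payload; '--' comments out the password clause
    vuln_rows = vulnerable_query(conn, injected, "irrelevant")
    safe_rows = safe_query(conn, injected, "irrelevant")
    return {
        "vulnerable_rowcount": len(vuln_rows),                      # all 3 rows come back
        "vulnerable_first_row_login": login_first_row(vuln_rows),   # some user, order-dependent
        "vulnerable_strict_login": login_exactly_one(vuln_rows),    # rejected: 3 rows != 1
        "safe_rowcount": len(safe_rows),                            # 0: no such username
        "legit_login": login_exactly_one(safe_query(conn, "admin", "correct horse")),
    }


if __name__ == "__main__":
    print(demo())
```

The first-row consumer logs in as whichever account the engine returns first, which is exactly the undefined behaviour the answers describe; the parameterized query returns nothing for the injected value, and the strict consumer rejects any multi-row result regardless of ordering.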