There is a related question: What is SQL injection and how can I avoid it? which has excellent answers on the topic of SQL Injection.
I think many of us, when we see queries like this:
"SELECT * FROM tabla WHERE id=$valor";
Or:
"INSERT INTO tabla (columna) VALUES ($valor)";
Or:
"UPDATE tabla SET columna=$valor";
or something similar, we raise the alarm (and rightly so), warning the OP that their code is vulnerable.
Indeed, we understand that the variable $valor is supplied by the user, through a form, a URL or any other external source.
If such a variable depends on the user and the programmer writes the code so that the query is executed without any precaution, any malicious user can write malicious code wherever the external data is collected, and that code will be executed.
The question
In many cases, when vulnerable code is pointed out, some argue that it is test data in a test database. In other words, it doesn't matter if tables are deleted or if control of the database is taken; after all, it is test data.
But... what if our system itself is at risk?
My question is whether SQL Injection has an impact only at the database level, or whether a malicious user can also access our system (not only the database) and execute commands within it.
Or, put another way: could SQL Injection go further than SQL?
The short answer is yes.
How far? Depending on the type of attack, it could range from "bringing down" the server to taking control of a system user. Among other effects:
LOAD_FILE()
SELECT … INTO DUMPFILE
How? There are several practices, which I am not going to delve into so as not to give an idea to people who can use it to do harm. Summarizing:
Techniques can be considered in 3 broad categories:
1; DELETE FROM tabla; DELETE FROM otra-tabla; DELETE FROM todas-las-que-quiera;
It all depends on what the database itself allows you to do, but the following scenario comes to mind:
This would allow you to do something like (in pseudo-code):
I've put the del command, but it could be anything else, like doing an Invoke-WebRequest, which is the equivalent of the Linux "wget" command, and downloading and running a trojan.
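As an added example that is not part of the question or any of the answers above: the script below takes the exact query pattern from the question (`"SELECT * FROM tabla WHERE id=$valor"`) and runs it against a constructed in-memory SQLite table, first with stacked-statement support (the way a driver that accepts several statements per call behaves), then through a single-statement driver with a UNION payload, and finally in its parameterized form. It also renders, without executing them, the MySQL-only `LOAD_FILE()` / `INTO DUMPFILE` payloads mentioned in the answer, to show that the same injection point is what reaches the filesystem. The table name, column name and sample rows are constructed for the example; `/etc/passwd` and `/tmp/salida.txt` are placeholder paths.

```python
import sqlite3

# Constructed in-memory stand-in for the question's `tabla` (sample data, not from the page).
SCHEMA = """
CREATE TABLE tabla (id INTEGER PRIMARY KEY, columna TEXT);
INSERT INTO tabla (id, columna) VALUES (1, 'uno'), (2, 'dos'), (3, 'tres');
"""


def fresh_db():
    """Return a new connection with the sample table populated."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM tabla").fetchone()[0]


def build_vulnerable_query(valor):
    """The exact pattern from the question: $valor pasted into the SQL text."""
    return f"SELECT * FROM tabla WHERE id={valor}"


def stacked_attack(valor):
    """Vulnerable pattern run through a call that accepts stacked statements
    (executescript here; multi-statement APIs on other stacks behave the same).
    Returns how many rows are left in `tabla` afterwards."""
    conn = fresh_db()
    conn.executescript(build_vulnerable_query(valor))
    return row_count(conn)


def union_attack(valor):
    """Same vulnerable pattern through sqlite3's single-statement execute().
    Stacked statements are rejected here (ProgrammingError), but a UNION payload
    still reads anything the DB user can see; here it pulls the table schema."""
    conn = fresh_db()
    return conn.execute(build_vulnerable_query(valor)).fetchall()


def select_safe(valor):
    """Hardened form: the value is bound as a parameter and never becomes SQL text.
    Returns (rows matched, rows remaining) so the table's integrity is visible."""
    conn = fresh_db()
    rows = conn.execute("SELECT * FROM tabla WHERE id=?", (valor,)).fetchall()
    return rows, row_count(conn)


# Payload from the answer above, rendered against the question's query.
STACKED_PAYLOAD = "1; DELETE FROM tabla"
SCHEMA_PAYLOAD = "0 UNION SELECT 1, (SELECT sql FROM sqlite_master WHERE type='table')"

# MySQL-only file primitives named in the answer; only the query text is shown.
# On MySQL they require the FILE privilege and a permissive secure_file_priv.
FILE_READ_PAYLOAD = "0 UNION SELECT 1, LOAD_FILE('/etc/passwd')"
FILE_WRITE_PAYLOAD = "0 UNION SELECT 1, 'contenido' INTO DUMPFILE '/tmp/salida.txt'"


if __name__ == "__main__":
    print(build_vulnerable_query(STACKED_PAYLOAD))
    print("rows left after stacked payload:", stacked_attack(STACKED_PAYLOAD))
    print("schema leaked via UNION:", union_attack(SCHEMA_PAYLOAD))
    print("MySQL file read would send:", build_vulnerable_query(FILE_READ_PAYLOAD))
    print("MySQL file write would send:", build_vulnerable_query(FILE_WRITE_PAYLOAD))
    print("parameterized, same payload:", select_safe(STACKED_PAYLOAD))
    print("parameterized, honest input:", select_safe(2))
```

The parameterized version does not "escape" the payload; it sends it as a value, so `1; DELETE FROM tabla` is simply compared against the integer `id` column and matches nothing, while the table keeps its three rows. Note also that a driver refusing stacked statements is not a defense: the UNION variant runs fine through `execute()`, and on MySQL the same single statement is where `LOAD_FILE()` and `INTO DUMPFILE` would be placed.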