Intents

1. Extracting data
2. Adding or modifying data
3. DOS
4. Privilege escalation
5. Bypassing authentication

Entry Points

1. Headers
2. Fields ( name, username, address )

Case 1

def user_exists(username: str) -> bool:
    with connection.cursor() as cursor:
        cursor.execute("""
            SELECT
                Id
            FROM
                users
            WHERE
                username = '%s'
        """ % username)
        result = cursor.fetchone()
    id, = result
    return id

The attack:

user_exists('test')
#False #select id from users where username = 'test'
user_exists("'; select 1=1; --")
#True #select id from users where username = ''; select true; --'

Case 2:

def user_exists(username: str) -> bool:
    with connection.cursor() as cursor:
        cursor.execute("""
            SELECT
                Id
            FROM
                users
            WHERE
                username = '%s'
        """ % username.replace("'", "''"))
        result = cursor.fetchone()
    id, = result
    return id

The attack:

user_exists("'; select 1=1; -—")
#False #select id from users where username = '''; select true; --'

user_exists("\\\\'; select 1=1; --")
#True #select id from users where username = '\\\\''; select true; --'

Case3:

def user_exists(username: str) -> bool:
    with connection.cursor() as cursor:
        cursor.execute("""
            SELECT
                Id
            FROM
                users
            WHERE
                username = %(username)s
        """, {'username': username})
        result = cursor.fetchone()
    id, = result
    return id

select * from credentials where username = '$username' and password = '$password'