Q3.2 — SQL Injection: Modifying Another User's Profile

This video demonstrates a SQL injection attack on an UPDATE statement. While logged in as Ted (via the SQL injection from Q3.1), the attacker modifies Boby's nickname, email and address simultaneously using a single SQL injection payload in the NickName field of the Edit Profile form, without knowing Ted's password or Boby's password.

The attack exploits the fact that user input in the NickName field is placed directly into the UPDATE SQL query without any sanitisation, allowing the attacker to close the nickname value early and add further SET clauses that target a completely different user.

Key concepts demonstrated:
- SQL injection in an UPDATE statement
- Modifying multiple fields in a single injection
- Changing the WHERE clause to target a different user
- Unauthorised profile modification without knowing passwords

Tools used: PHP, MySQL, Docker, Firefox, Ubuntu 24.04 LTS

Environment: Lab 9 Labsetup (ARM version for Apple Silicon)
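
The flaw described above, shown beside its fix, as an added example that is not code from the video or the lab. It uses Python with an in-memory SQLite database instead of the lab's PHP and MySQL; the table layout, function names, sample rows and the hostile form value are all constructed assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample table; column names are assumptions, not the lab's schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE credential (id INTEGER PRIMARY KEY, name TEXT, "
               "nickname TEXT, email TEXT, address TEXT)")
    db.executemany("INSERT INTO credential VALUES (?, ?, ?, ?, ?)",
                   [(1, "Ted", "ted", "ted@example.test", "1 Ted St"),
                    (2, "Boby", "bob", "boby@example.test", "2 Boby St")])
    return db

def update_profile_vulnerable(db, session_user_id, nickname):
    # The pattern the page describes: the form value is pasted into the SQL
    # text, so a quote in it ends the string literal and the rest is parsed as SQL.
    sql = ("UPDATE credential SET nickname='" + nickname +
           "' WHERE id=" + str(int(session_user_id)))
    db.execute(sql)

def update_profile_safe(db, session_user_id, nickname):
    # Placeholders keep the value separate from the statement, so it can only
    # ever be the nickname. The target row comes from the server-side session.
    db.execute("UPDATE credential SET nickname=? WHERE id=?",
               (nickname, session_user_id))

def row(db, name):
    return db.execute("SELECT nickname, email, address FROM credential "
                      "WHERE name=?", (name,)).fetchone()

# Constructed hostile NickName value of the kind described above.
HOSTILE = "x', email='changed', address='changed' WHERE name='Boby' -- "

def run(update):
    # Submit the hostile value in Ted's session (id 1); return (Ted's row, Boby's row).
    db = make_db()
    update(db, 1, HOSTILE)
    return row(db, "Ted"), row(db, "Boby")

if __name__ == "__main__":
    print("vulnerable:", run(update_profile_vulnerable))
    print("safe:      ", run(update_profile_safe))
```

In the lab's PHP code the same fix is a mysqli prepared statement with bound parameters, with the row id taken from the session rather than from the form.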