I'm assembling an explanation of command injection for my upcoming textbook Elementary Information Security. (Yes, yes, it should be finished by now and in production, but things were delayed.) This yielded a couple of diagrams that I've managed to squeeze onto a single sheet of 8.5 x 11 paper. Here's a JPEG preview:
It is also available as a PDF file.
The upper half of the poster illustrates a more-or-less legitimate transaction with a content management system and its back-end SQL database. This is followed in the lower half by an SQL injection attack. For those who are terrified by the massive graphic, be assured that it's split into two separate pages in the actual text. The separate diagrams work pretty well on separate pages.
To set the stage, we have a web site with users Alice, Kevin, and Bob. Eve wants to log in, but she's not registered with the site. She uses command injection to log in as Alice.
The web site handles login with two screens: the first screen collects and validates the user ID, and the second screen collects and validates the password. In the first step, the server retrieves Alice's login record from the list of users and saves it in a temporary table. The table's name is saved as part of the browser's session state. To make things nice and explicit (though dangerous) in this example, the table name itself is passed around in the cookie. (Yes, it's a terrible idea, but this is an example in an introductory text, and yes, the text reiterates that it's a Bad Idea.)
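To make the two-screen flow concrete, here is an added example (my own code, not from the book or the poster) that models both screens against an in-memory SQLite database. It assumes a plain `users` table with the three users named above and passwords stored in the clear, which is a simplification for the sketch. The first screen is shown twice: once built by string concatenation, where a quote character in the user ID becomes part of the SQL statement, and once with a bound parameter, where the statement's structure is fixed before the input is seen. The hardened version also keeps the temporary table's name on the server, indexed by a random token, so the cookie carries only the token and never the table name.

```python
import secrets
import sqlite3

# Constructed sample users (the post names Alice, Kevin and Bob).
USERS = [("alice", "alice-secret"), ("kevin", "kevin-secret"), ("bob", "bob-secret")]

# Server-side session store: cookie token -> session data. This is the
# replacement for carrying the table name in the cookie itself.
SESSIONS = {}


def make_db():
    """Build the users table in memory (constructed data, not a real site)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def step1_vulnerable(conn, user_id):
    """Screen 1 as sketched: the user ID is pasted into the SQL text, so any
    quote character in the input changes the statement, not just the value."""
    sql = f"SELECT name FROM users WHERE name = '{user_id}'"
    return [row[0] for row in conn.execute(sql)]


def vulnerable_query_breaks(conn, user_id):
    """Cheap check: does a quote in the input alter the statement? With string
    building it does; SQLite rejects the reshaped statement as a syntax error."""
    try:
        step1_vulnerable(conn, user_id)
        return False
    except sqlite3.Error:
        return True


def step1_hardened(conn, user_id):
    """Screen 1 with a bound parameter: the driver sends the user ID as data.
    Returns an opaque session token (the value the cookie should carry), or
    None if there is no such user."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (user_id,)).fetchall()
    if not rows:
        return None
    # The per-session table name is generated here and never taken from the
    # client. Hex characters only, so it is safe to splice into an identifier
    # position, which parameters cannot fill.
    table = "login_" + secrets.token_hex(8)
    conn.execute(f"CREATE TEMP TABLE {table} (name TEXT, password TEXT)")
    conn.execute(
        f"INSERT INTO {table} SELECT name, password FROM users WHERE name = ?",
        (user_id,),
    )
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = {"table": table, "name": rows[0][0]}
    return token


def step2_hardened(conn, token, password):
    """Screen 2: the table name comes from the server-side session, found by the
    cookie token, so the client cannot point the query at another table."""
    session = SESSIONS.get(token)
    if session is None:
        return False
    table = session["table"]
    row = conn.execute(f"SELECT 1 FROM {table} WHERE password = ?", (password,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("quote breaks string-built query:", vulnerable_query_breaks(db, "o'brien"))
    print("parameterized lookup of o'brien:", step1_hardened(db, "o'brien"))
    tok = step1_hardened(db, "alice")
    print("cookie carries only a token:", tok)
    print("alice with right password:", step2_hardened(db, tok, "alice-secret"))
    print("alice with wrong password:", step2_hardened(db, tok, "nope"))
```

The point to take from the split is that a bound parameter fixes the query's shape, so a user ID like `o'brien` is just an unmatched name in the hardened version but a different statement in the string-built one. Identifier positions (the table name) cannot be bound, which is exactly why the hardened step generates that name itself and never accepts it from the cookie.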
[I'm stopping for now, but eventually I'll include a step-by-step explanation for those who aren't familiar with all this. Or wait till the book comes out next summer.]