Via ST04 SQL commands, an administrator, or hacker can fire any SQL statement provided he has the authorizations.
Once the authorizations on S_DBCON are there, any SQL can be used to read and update any table.
Firing SQL command via ST04
Start transaction ST04 and open the SQL editor in the Diagnostics section:
Now enter your SQL statement and press execute.
Result is shown:
How to avoid this?
If you don’t want people to use this function, withdraw the rights to do so. Authorization object S_DBCON is used to protect this.
Note that the SQL is fired using the SAP user of the system, not the ABAP user logged on.