SQL injection login bypass

SQL injection, The classical example of web application vulnerabilities. Actually, the term SQL injection login bypass is pretty old and SQL injection is rare in modern web applications. But if you are a total newbie to web application hacking, this will be a great starting point. In this document, we are going to see what is SQL injection and what is happening under the hood.

SQL stands for structured query language and is used to handle SQL databases. With SQL we can do things like creating, deleting, modifying data tables, Fetching, Inserting data, etc. Here we can see the login page.

So it asks for a username and password. Then the web application asks the database "Do you have a user with username 'Test' and password is 'cat'. ? " If the database says the login details are accurate then the web application lets the user enter. let's see how the back-end script handles the user-entered data.

<?php

$username = $_POST['username'];
$password = $_POST['password'];
$query = "select username, password from users where username='.$username.' and password='.$password.' limit 0,1";
$result = mysql_query($query);
$rows = mysql_fetch_array($result);
if($rows)
{
    echo "Login successful" ;
    create_session();
}else{
    echo "login data invalid";
} 
/>

First, it gets post data and puts them directly in a SQL quarry. It does not check what type of data is submitted. Here is the SQL quarry that is used.

SELECT username,password FROM users WHERE username='$username' AND password='$password' LIMIT 0,1 ;

So we are going to fuzz the web application. Wait what does that mean fuzzing? Fuzzing is we give the web application some random data. Long strings/integers etc. We know if we want to break a SQL quarry we input an apostrophe ' or a double quote. ".

This time I enter user as the username and pass' as the password. Did you notice a single quote after 'pass'? So the quarry becomes.

SELECT username,password FROM users WHERE username='user' AND password='pass'' LIMIT 0,1 ;

So I get this error.

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near
'test''' at line 1

Do you think 'What happened to hear?' Let me explain this. Think only about this part.

AND password='test'' LIMIT 0,1

it takes our input and puts it inside two quotes. If I enter test Then it'll become password = 'test'. Due to the quote which are we entered after test quarry thinks our input is over.

AND password='test' 

If there is nothing more the quarry is fine and O.K.But there is another quote and some other code also after this string. ( 'LIMIT 0,1 ) So accordion to SQL syntax rules this is not correct. That caused me to throw an error. Is this all thing we wanted. No, we want to try to break this web application and bypass the login. For this purpose, we want some logic. Think that what if I add this string as the input?

test' or 1 = 1 --

This time our quarry become

SELECT username,password FROM users WHERE username='user' AND password='test' or 1 = 1 --' LIMIT 0,1 ;

In SQL we use - - or --+ as the pound character. so if we want to comment on something or block some part of code we can use this. In this quarry, all things after -- are ignored. We can only care about the part that before --. Only that part of our quarry is affected.

SELECT username,password FROM users WHERE username='user' AND password='test' or 1 = 1

This is the time logic is come to play. If you take care of the below part of the code you can understand what's happening.

password ='test' or 1 = 1

The interesting thing about the OR operator is that it checks two Boolean statements, and if one or both of them are correct, it will return true.

so if the password is similar to the string test or 1 = 1 it'll return true. As 1 is always similar to 1 this quarry ignores if the password is not correct. So we could bypass the password check. Great. But wait what if we don't know both the password and user name?

Then we can use this string as the username and anything as the password.

user' or 1 = 1 --

This time our quarry is.

SELECT username,password FROM users WHERE username='user' or 1 = 1 --' AND password='xxxx' LIMIT 0,1 ;

As it'll ignore all things after -- it doesn't care about the password. It will give us entry to the web application.

So guys hope you got an idea about what's SQL injection.