SQL injection login bypass

HacksLand | The computer science playground

Posted by Thilan Dissanayaka on Aug 12, 2019

SQL injection is the classic example of a web application vulnerability. The term "SQL injection login bypass" is old, and the bug is less common in modern applications that use parameterized queries or an ORM, but it still turns up, and if you are new to web application hacking it is a good starting point. In this post we will see what SQL injection is and what happens under the hood.

SQL stands for Structured Query Language and is used to talk to relational databases. With SQL we can create, delete and modify tables, and fetch, insert and update rows.

Here is the login page.

It asks for a username and a password. The web application then asks the database: "Is there a user with username 'Test' and password 'cat'?" If the database returns such a row, the application lets the user in. Let's see how the back-end script handles the submitted data.


<?php
// Deliberately vulnerable login handler from the post (do not copy into real code).
// The legacy mysql_* functions used here were removed in PHP 7; they are kept
// exactly as the post shows them.
$username = $_POST['username'];
$password = $_POST['password'];

// User input is concatenated straight into the SQL string: this is the bug.
$query = "select username, password from users where username='$username' and password='$password' limit 0,1";
$result = mysql_query($query);
$rows = mysql_fetch_array($result);

// Any returned row counts as a successful login.
if($rows)
{
	echo "Login successful" ;
	create_session();   // the application's own session helper, not shown in the post
}else{
	echo "login data invalid";
}
?>

First it takes the POST data and puts it directly into a SQL query, without checking or escaping what was submitted. Here is the query that is built:

SELECT username,password FROM users WHERE username='$username' AND password='$password' LIMIT 0,1 ;

So we are going to fuzz the web application. What does fuzzing mean? Fuzzing is feeding the application unexpected input (long strings, large integers, special characters) and watching how it reacts. To break out of a SQL string literal we send the characters that delimit it: an apostrophe ' or a double quote ".

This time I enter user as the username and test' as the password. Notice the single quote after test. The query becomes:

SELECT username,password FROM users WHERE username='user' AND password='test'' LIMIT 0,1 ;

I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near
'test''' at line 1

What happened here? Look only at this part:

AND password='test'' LIMIT 0,1

The script puts our input between two quotes. If I enter test, it becomes password = 'test'. Because of the extra quote we typed after test, the parser's idea of where the string ends no longer matches the script's:

AND password='test' 

If nothing followed, the query would be fine. But after our quote there is still another quote and the rest of the statement (' LIMIT 0,1), so the quotes are unbalanced and what follows is not valid SQL. That is what throws the error. Is that all we wanted? No, we want to bypass the login, and for that we need some logic. What if I submit this string as the password?

test' or 1 = 1 --

This time our query becomes:

SELECT username,password FROM users WHERE username='user' AND password='test' or 1 = 1 --' LIMIT 0,1 ;

In MySQL, -- followed by a space (or --+, where the + decodes to a space in a URL) starts a comment that runs to the end of the line, just like the # character. Everything after -- is ignored, so only the part before it matters:

SELECT username,password FROM users WHERE username='user' AND password='test' or 1 = 1

Now the logic comes into play. Look at this part of the condition:

password ='test' or 1 = 1

OR takes two Boolean expressions and returns true if either of them (or both) is true.

So the condition is true if the password equals test or if 1 = 1, and since 1 always equals 1, it is true whether or not the password is correct. We have bypassed the password check. In fact AND binds tighter than OR, so the whole WHERE clause reads (username='user' AND password='test') OR 1 = 1, which is true for every row in the table: the query returns all users and the script logs us in as the first row returned, even if the username was not valid either.

The injection can just as well go in the username field, with anything as the password:

user' or 1 = 1 --

This time our query is:

SELECT username,password FROM users WHERE username='user' or 1 = 1 --' AND password='xxxx' LIMIT 0,1 ;

Everything after -- is ignored, so the password check disappears entirely and 1 = 1 matches every row. We are in.
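To see the three cases above end to end (the stray quote that causes a syntax error, the payload in the password field, and the payload in the username field), here is an added Python example that is not part of the original post. It rebuilds the page's query with sqlite3 against a constructed two-user table (the usernames and passwords are made up for the example) and puts the vulnerable string-concatenated query beside the parameterised version that fixes it; the function names are mine.

```python
import sqlite3

# Constructed sample data (an assumption for this example): a tiny users
# table with the same two columns as the page's query.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Return an in-memory SQLite database seeded with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username, password):
    """Build the SQL exactly the way the page's PHP does: by splicing the
    raw user input into the string. Returned so the effect of each payload
    on the final statement can be inspected."""
    return (
        "SELECT username, password FROM users "
        f"WHERE username='{username}' AND password='{password}' LIMIT 0,1"
    )


def vulnerable_login(conn, username, password):
    """Mirror of the page's login check: any returned row means 'logged in'."""
    row = conn.execute(build_query(username, password)).fetchone()
    return row is not None


def safe_login(conn, username, password):
    """Same check with a parameterised query. The driver sends the values
    separately from the SQL text, so quotes and '--' inside them are just
    characters in a string, never syntax. (Real code would compare a password
    hash; the plaintext column is kept only to match the page's schema.)"""
    row = conn.execute(
        "SELECT username, password FROM users "
        "WHERE username=? AND password=? LIMIT 0,1",
        (username, password),
    ).fetchone()
    return row is not None


def try_login(login_fn, conn, username, password):
    """Run one login attempt and classify the outcome as
    'login', 'denied' or 'sql error'."""
    try:
        return "login" if login_fn(conn, username, password) else "denied"
    except sqlite3.OperationalError:
        # The database rejected the statement: the tell-tale sign from the
        # page's fuzzing step (unbalanced quote -> syntax error).
        return "sql error"


def demo():
    """Replay the page's inputs against both implementations.
    Returns {case: (vulnerable_result, parameterised_result)}."""
    conn = make_db()
    attempts = {
        "honest":         ("alice", "s3cret"),
        "wrong_pw":       ("alice", "wrong"),
        "stray_quote":    ("alice", "test'"),              # the fuzzing step
        "pw_injection":   ("user", "test' or 1 = 1 --"),    # payload in password
        "user_injection": ("user' or 1 = 1 --", "xxxx"),    # payload in username
    }
    return {
        name: (try_login(vulnerable_login, conn, u, p),
               try_login(safe_login, conn, u, p))
        for name, (u, p) in attempts.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in demo().items():
        print(f"{name:15} vulnerable={vuln:10} parameterised={safe}")
    print(build_query("user", "test' or 1 = 1 --"))
```

Both injected payloads log in against the concatenated query as the first row of the table (alice) and are simply denied by the parameterised one, while the lone quote produces an error only in the vulnerable path. One difference from the MariaDB server in the post: SQLite treats -- as a comment with or without a following space, whereas MySQL and MariaDB require the space (or --+ / #), so keep the trailing space in the payload when testing against them.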

So I hope you now have an idea of what SQL injection is.

Hi, I'm Thilan, an engineering student from Sri Lanka. I love to code in Python, JavaScript, PHP and C.
