Lab: SQL injection vulnerability allowing login bypass

Lab: SQL injection vulnerability allowing login bypass | Web Security AcademyWebSecAcademy

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Solving

Let's try solving this thing out.

There's one famous SQL injection trick where we input the username and password like:

username: admin'--
password: <anything>

Let's try if this works for this lab.

On the web page we'll see the 'My account' button, which leads to the login page.

Let's try our trick !

In this scenario, I tried using the username administrator'-- and password 1234. And yes, it works just fine. I just bypassed into the administrator account.

Let's find out why.

Assuming the original sql query for the login would be something like:

SELECT * FROM users WHERE username = 'admin' AND password = '1234';

And this is how our query looks like:

SELECT * FROM users WHERE username = 'admin'--' AND password = '1234';

It's just bypassed any password in the world 🤯 That's why it works.

And that's how we solved this lab.

PreviousLab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data NextLab: Reflected XSS into HTML context with nothing encoded

Last updated 1 year ago