Authentication Bypass using SQL Injection on Login Page
Last Updated :
23 Feb, 2023
SQL injection is a technique used to exploit user data through web page inputs by injecting SQL commands as statements. Basically, these statements can be used to manipulate the application’s web server by malicious users.
- SQL injection is a code injection technique that might destroy your database.
- SQL injection is one of the most common web hacking techniques.
- SQL injection is the placement of malicious code in SQL statements, via web page input.
Pre-requisites: Basic SQL Commands.
Checking the form for SQL Injection:
The Simplest way is to put “‘”(without quotes) at the username or password field. If the server returns any kind of SQL error in the Response then the website is most probably vulnerable to SQL Injection attack.
DISCLAIMER: Attacking targets without prior mutual consent is illegal. This article is for knowledge purposes.
Bypassing Authentication:
1. After we confirm that the site is vulnerable to SQL injection, the next step is to type the appropriate payload(input) in the password field to gain access to the account.
2. Enter the below-mentioned command in the vulnerable field and this will result in a successful Authentication Bypass.
Select id from users where username=’username’ and password=’password’ or 1=1--+
In the above command:
- Since 1=1 is always true, and we combined 1=1 with an OR operator, now we don’t have to know username or password as whatever be the username, password, our 1=1 will always be true thus giving us access to our account.
- ‘ or 1=1--+(in the password field) ‘ before OR operator is used to terminating the single quotes of password(ie- Select id from users where username=’username’ and password=’password’)
- So after that we insert ‘ before OR operator, our SQL command becomes: Select id from users where username=’username’ and password=’’ or 1=1--+
- --+ is used to ignore the rest of the command. Its main use is to ignore the ‘ after the password and if we won't use that ,we will get the following error.
- Lets try the payload on our login portal(without writing --+ at the end of the payload)
Ie-if we don’t use --+, then our sql command will be: Select id from users where username=’username’ and password=’’ or 1=1’
Why that ‘ at end of 1?
It’s the passwords closing single quote. Remember we already gave a closing single quote of our password. But the websites SQL command just puts ‘ at the end of our password. (ie- whatever we write in the password field, it gets stored inside the ‘’ of password Suppose, our password is hello The SQL command corresponding to this will be: Select id from users where username=’username’ and password=’hello’. Here, we didn’t add the quotes, but the SQL command added quotes in our input field). Since the SQL command puts ‘ at end of our 1=1, our mission fails. So, in order to ignore that closing single quote of password, we use --+.
Executing the Injection:
Just insert the command in the password or vulnerable field and then click login then the authentication would be bypassed.
As we can see, we finally cracked the login portal and logged in successfully.
Note: Sometimes, some websites block --+, in such cases use #. Both do the same work.
Similar Reads
SQL Injection that Gets Around mysql_real_escape_string() Function SQL injection is a serious security vulnerability that occurs when an attacker can manipulate SQL queries executed in a database. In an attempt to prevent SQL injection, developers often use functions like mysql_real_escape_string() in PHP to escape special characters. However, it's crucial to under
4 min read
Basic SQL Injection and Mitigation with Example SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL Injection can be used in a range of ways to cause serious problems. By leve
4 min read
Mitigation of SQL Injection Attack using Prepared Statements (Parameterized Queries) SQL injection is one of the most common and dangerous vulnerabilities that can affect a database-driven application. Attackers can exploit these vulnerabilities by injecting malicious SQL code into input fields which can lead to unauthorized access, data breaches, or even complete loss of data. In t
6 min read
PHP | Inserting into MySQL database Inserting data into a MySQL database using PHP is a crucial operation for many web applications. This process allows developers to dynamically manage and store data, whether it be user inputs, content management, or other data-driven tasks. In this article, We will learn about How to Inserting into
6 min read
MySQL | DATABASE() and CURRENT_USER() Functions In MySQL, certain functions provide crucial information about the current session which can be particularly useful when working with multiple databases or managing user permissions. Two such important functions are DATABASE() and CURRENT_USER().In this article, We will learn about the MySQL DATABASE
3 min read