SQL Injection

Hi guys, thanks for reading.

In this query without sanitization (in MySQL):

SELECT * FROM logins WHERE username='' AND password='';

I can bypass this with username= 'or '1'='1 and the same for the password.

I know that if I input username= whatever' or '1'='1 then I log in as user "whatever", as long as "whatever" exists in the logins table, and I don't need to bypass the password field.

But I don't understand why, if I input username= whatever and password= 'or '1'='1, I log in but not as user "whatever". I don't get the point...

Comments

  • The operator precedence of MySQL could be the answer.

    First case

    SELECT * FROM logins WHERE username='foo' OR '1'='1' AND password='bar'

    Insert brackets to show the operator precedence:

    SELECT * FROM logins WHERE username='foo' OR ('1'='1' AND password='bar')

    Reduce the constant part:

    SELECT * FROM logins WHERE username='foo' OR (true AND password='bar')

    Reduce the constant part:

    SELECT * FROM logins WHERE username='foo' OR password='bar'

    If foo is a user name in the logins table or if bar is a password in the logins table, then a record will be found and a login is possible.

    Second case

    SELECT * FROM logins WHERE username='foo' AND password='bar' OR '1'='1'

    Insert brackets to show the operator precedence:

    SELECT * FROM logins WHERE (username='foo' AND password='bar') OR '1'='1'

    Reduce the constant part:

    SELECT * FROM logins WHERE (username='foo' AND password='bar') OR true

    Reduce the constant part:

    SELECT * FROM logins WHERE true

    In this case the condition is simply true, so the username foo and the password bar are not checked.

  • I mean, a quick and dirty way is just to comment out the password part.
    This is a very simple form of SQL.

    You could put the user example'--+- and not even need a password.

    There are many ways to comment out the line though, so you have to play with it a bit sometimes.

    The information above is super legit though. 100%
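The following is an added example, not code posted by anyone in this thread. It runs the two precedence cases from the first comment and the comment-out payload from the second one against a constructed in-memory SQLite table (a stand-in for the MySQL logins table; SQLite gives AND the same higher precedence over OR), and then sends the same payloads through a parameterized query to show that they stop working. The table contents, the column name "password", and the helper names are assumptions for the example.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "logins" table.
SAMPLE_LOGINS = [
    ("admin", "s3cret"),
    ("whatever", "bar"),
    ("foo", "hunter2"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed logins table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO logins VALUES (?, ?)", SAMPLE_LOGINS)
    return conn


def vulnerable_login(conn, username, password):
    """The unsanitized query from the question: input is pasted straight into the SQL.
    Returns the SQL that was actually executed and the usernames it matched."""
    sql = f"SELECT username FROM logins WHERE username='{username}' AND password='{password}'"
    rows = conn.execute(sql).fetchall()
    return sql, [r[0] for r in rows]


def safe_login(conn, username, password):
    """Parameterized version: values travel separately from the SQL text, so a quote,
    an OR or a -- inside them is just data and never changes the WHERE clause."""
    sql = "SELECT username FROM logins WHERE username=? AND password=?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = make_db()
    results = {}

    # Case 1 (injection in the username field):
    #   WHERE username='whatever' or '1'='1' AND password='x'
    # AND binds tighter, so this is username='whatever' OR ('1'='1' AND password='x'),
    # i.e. username='whatever' OR password='x' -> only the "whatever" row matches.
    results["username_injected"] = vulnerable_login(conn, "whatever' or '1'='1", "x")[1]

    # Case 2 (injection in the password field):
    #   WHERE username='whatever' AND password='' or '1'='1'
    # = (username='whatever' AND password='') OR true -> every row matches, and an
    # application that takes the first row logs in as whoever comes first ("admin" here),
    # which is why the questioner does not end up as "whatever".
    results["password_injected"] = vulnerable_login(conn, "whatever", "' or '1'='1")[1]

    # Comment-out variant from the second comment (example'--+- is the URL-encoded
    # form of example'-- -): everything after -- is a comment, so the password
    # condition is never evaluated.
    results["comment_out"] = vulnerable_login(conn, "whatever'-- -", "wrong")[1]

    # Same three payloads against the parameterized query: nothing matches.
    results["safe_username"] = safe_login(conn, "whatever' or '1'='1", "x")
    results["safe_password"] = safe_login(conn, "whatever", "' or '1'='1")
    results["safe_comment"] = safe_login(conn, "whatever'-- -", "wrong")
    return results


if __name__ == "__main__":
    for name, matched in demo().items():
        print(f"{name:18s} -> {matched}")
```

Running it prints the matched usernames per case: the username-field payload yields only "whatever", the password-field payload yields all three rows (which is the "logged in, but not as whatever" effect), the comment-out payload yields "whatever" with a wrong password, and the three parameterized calls yield nothing.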

  • Many thanks to both, I think that I understand SQL injection better now.
