SQL Injection Vulnerability Allowing Login Bypass

A Portswigger Lab

Marduk I Am
3 min read · Apr 24, 2024
Welcome back!

Lab Description:

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Notes:

This is going to be a very quick and easy lab. However, the lesson behind it is an important one to remember and can help you in all SQL injection (SQLi).

Getting Started:

Access the lab. We are brought to the shopping page again, this time with a ‘My account’ link in the upper right-hand corner. Click it; we can use this page to log in.

Screenshot of lab shopping site. Red arrow pointing to ‘My account’ link.

The lab description tells us we are logging in as ‘administrator’. If the developer of this login page (or of any site’s login page) does not properly validate or sanitize user input, gaining access to a user’s account is very easy.

Crafting the Payload:

The basic structure of the SQL query for username and password authentication looks something like the following:

-- Basic SQL query
SELECT * FROM users WHERE username = 'administrator' AND password = 'correct_password';

Two things of note here.

  1. The hard-coded values ‘administrator’ and ‘correct_password’ are enclosed in single quotes ('). In SQL, single quotes denote string literals.
  2. The use of double hyphens (--) to comment out in SQL. Anything following -- on the same line is treated as a comment and ignored by the database when executing the query.

With these two things in mind, if we close ‘administrator’ with a single quote and comment out the rest of the query with a double hyphen, then our SQLi should work.

The query being sent to the server would look like the following:

-- SQL query with SQLi
SELECT * FROM users WHERE username = 'administrator' -- ' AND password = 'correct_password';

Lab Solution:

On the login page, enter administrator followed by our payload (' --) in the ‘Username’ field.

-- Username:
administrator' --

If you try to log in without entering a password, in this instance, you will be prompted with a JavaScript alert to ‘Please fill out this field.’

Screenshot of login page with JS alert.

This message is client-side validation, not a response from the server. The site is telling us that it will not send the request until these fields are filled in.

You can fill in the ‘Password’ with a random string of your choosing.

Click ‘Log in’.

My account page. We are administrator!

Congratulations! You have solved another one! Keep it up!

A valuable lesson from this lab is the importance of proper input validation and parameterization in preventing SQL injection attacks. Developers should never concatenate user input directly into SQL queries, as this opens the door to SQL injection vulnerabilities. Instead, they should use parameterized queries (prepared statements) or other secure coding practices, so that user input is always treated as data rather than as part of the SQL statement.
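To make that lesson concrete, here is an added example (not the lab’s code, nor PortSwigger’s) using Python’s built-in sqlite3 module and a constructed in-memory users table: the login that concatenates input into the query is bypassed by the payload above, while the parameterized version treats the same string as an ordinary, non-matching username.

```python
import sqlite3


def build_db():
    # Constructed sample data, not the lab's database. A real application
    # would store a password hash, not the plaintext password.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 'correct_password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text, so a quote ends the string
    # literal and "--" comments out the password check. (Note: MySQL requires
    # whitespace after "--", which is why the write-up's payload has a space.)
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders: the driver sends the values as data, never as SQL text,
    # so quotes and "--" inside them have no syntactic effect.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    conn = build_db()
    payload = "administrator' --"   # the write-up's payload
    return {
        "vulnerable_bypassed": login_vulnerable(conn, payload, "anything"),
        "parameterized_bypassed": login_parameterized(conn, payload, "anything"),
        "parameterized_valid": login_parameterized(conn, "administrator", "correct_password"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```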


Marduk I Am

Cybersecurity enthusiast. Currently focusing on write-ups and bug bounties. Twitter: @marduk_I_am | Mastodon: @Marduk_James@infosec.exchange