Let’s Learn SQL Injection and Bypass Login

sachith sujeewa
5 min read · Sep 12, 2019


If you are someone who is concerned about security or hacking… then you have surely heard about SQL injection. It is the most common web hacking technique; even a fifth-grader can exploit it.


What is SQL Injection?

SQL injection is a code injection technique in which malicious content is smuggled into SQL statements. These attacks mostly use web inputs as the entry point to overcome the security controls of a system.

How Does SQL Injection Work?

When you enter your login credentials in a login page like the following

Ultimately it will execute a table lookup in your database in order to check whether you are a valid user or not. For that, you have to use a SQL query to check whether the provided data exists in the database. The SQL query below is one of the most basic queries to check if a user exists in the database for the given username and password (I hope you have a basic understanding of SQL 😉).

Typical SQL query for getting the user for given username and password

If this query returns a non-null value, that basically means there is a user with such credentials. Since others do not know the user’s password, there’s no way to make this query return a value (because of the AND, both the username and the password must match for a row to be returned).

But attackers (malicious users) try to modify this query through the input fields rather than providing an actual username and password.

Look at the example below first.

If you give the string below as your username and anything as the password, let's look at what will happen.

' OR 1=1;--

Let's simply copy this value, paste it into the above SQL statement, and examine what each element of the text has done.

  1. The single quote (') closes the opening quote of the username value.
  2. OR is now interpreted as a SQL keyword rather than as part of the username.
  3. 1=1 is a condition that always evaluates to true.
  4. The semicolon (;) marks the end of the SQL statement.
  5. The double dashes (--) comment out the rest of the original SQL statement, including the password check.

Since an OR is now present in the SQL statement, the query returns a value if either condition is satisfied. Since 1=1 is always true, it will return a non-null value even if the username doesn’t match.

So, if the application is vulnerable to SQL injection, this method will land you inside the account of the very first user in the Users table (usually it's admin 😂).

This is not the only way to inject SQL, and you can try out more once you understand the concept. As an example, can you guess what will happen if you paste the following code into the username field?

yourenimyemail@email.com' AND 1=1 ;--
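To see both payloads above behave against a real database, here is an added example (not code from the original article) using Python's sqlite3 with a constructed in-memory users table and made-up sample accounts: the concatenated query is the vulnerable form the article describes, and the parameterized query beside it is the fix that turns the same input back into plain data.

```python
import sqlite3


def build_db():
    """Constructed sample database: two users, passwords kept in plaintext only
    to keep the demo short (a real system would store password hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice@example.com", "hunter2")])
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string concatenation, so user input becomes SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Parameterized query: the driver binds the input as data, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs a normal login and the two payloads from the article against both versions."""
    conn = build_db()
    bypass = "' OR 1=1;--"                       # first payload from the article
    targeted = "alice@example.com' AND 1=1 ;--"  # second payload, aimed at a known user
    return {
        "legit": vulnerable_login(conn, "alice@example.com", "hunter2"),
        "wrong_password": vulnerable_login(conn, "alice@example.com", "x"),
        "bypass_vulnerable": vulnerable_login(conn, bypass, "anything"),   # first row: admin
        "bypass_safe": safe_login(conn, bypass, "anything"),               # None
        "targeted_vulnerable": vulnerable_login(conn, targeted, "anything"),  # alice, no password needed
        "targeted_safe": safe_login(conn, targeted, "anything"),           # None
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The second payload works because everything after the `;--` (the password check) is commented out, so only the username clause is left to evaluate.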

Where Can I Use This?

Hey wait.., this kind of malicious activity is illegal to try out in any production environment, and you will end up in jail. So if you want to practice this, you have to create a vulnerable app first and then try it there. (I know that you are also lazy like me 🤣).

Luckily, OWASP Juice Shop has solved our problem. It’s a web application that contains almost all the common vulnerabilities (they have purposely planted them for geeks to try out). So with the help of Heroku, you can deploy the application within minutes and try out any kind of attack.

First, create an account on Heroku. Then go to Juice Shop and scroll down to the Readme area. Click on the Deploy on Heroku button.

Then you have to give an app name for your website and click on the Deploy app button.

This will take a couple of minutes (it took six minutes for me 😜) to deploy your web application.

Once it is deployed, you can access the web application by clicking on the View button. Click on Login and try out the above exercises.

By clicking on the Manage App button, or by logging in to your Heroku account and picking the created app, you can customize your application.

Make sure to go to the Settings tab and turn on maintenance mode once you complete your exercises, in order to save your monthly free quota.

The website will not be available until you turn off maintenance mode again.

Fortunately, most applications nowadays are immune to this kind of attack; let's discuss how to write secure code in another article.

Disclaimer: Any actions and/or activities related to the material contained within this article are solely your responsibility. The misuse of the information in this article can result in criminal charges being brought against the persons in question.


sachith sujeewa

Technical Lead @ 99x| MSC in Information Security (UCSC)