Siunam's Website

SQL injection vulnerability allowing login bypass | Dec 3, 2022

Introduction

Welcome to another of my writeups! In this PortSwigger Labs lab, you’ll learn about a SQL injection vulnerability allowing login bypass. Without further ado, let’s dive in.

Background

This lab contains an SQL injection vulnerability in the login function.

To solve the lab, perform an SQL injection attack that logs in to the application as the administrator user.

Exploitation

Home page:

We can see that there is a My account link, let’s enumerate that page!

It’s a login form!

We can try to guess the administrator user’s password, such as administrator:password.

Nope. It didn’t work.

Now, let’s try to do a SQL injection to bypass the authentication!

Imagine this is the login SQL statement:

SELECT * FROM users WHERE username = '' AND password = ''

Since there is no protection against SQL injection, we can inject a malicious payload in the username field!

To login as administrator without the password, we can:

Payload:

administrator'-- -

New SQL statement:

SELECT * FROM users WHERE username = 'administrator'-- -' AND password = ''

As you can see, we’ve commented out the AND clause, which means we don’t need the administrator password!
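To make the comparison concrete, here is an added example (not code from the lab or from this writeup) that builds the login query both ways against a constructed in-memory SQLite table: the string-concatenated version accepts the payload above, while the parameterised version treats the whole payload as a username and rejects it. The table, user and password are made up for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory database with one made-up user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 'correct-horse-battery')")
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """Builds the query by string concatenation, like the lab's login function.
    The username is pasted straight into the SQL, so a quote plus a comment
    marker ends the string and discards the AND password clause."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    """Same query with bound parameters: the values are sent separately from
    the SQL text, so they can never change the statement's structure."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

# The payload from the writeup; the password can be anything.
PAYLOAD = "administrator'-- -"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD, "anything"))  # administrator
    print("safe:      ", safe_login(db, PAYLOAD, "anything"))        # None
```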

Let’s use that payload to bypass the authentication!

Note: The password can be anything.

We’re logged in as user administrator!

Conclusion

What we’ve learned:

  1. SQL injection vulnerability allowing login bypass