SQL Injection Authentication Bypass

Subverting the application's logic

Let's imagine there is an application where users log in with their respective usernames and passwords. By sending the username "admin" and the password "admin123," the application will verify the credentials by querying the database. For example:

$user = $_GET['user'];
$pass = $_GET['pass'];

$sql = "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'";

If the request returns user results, such as a dashboard, it implies that the login was successful. Otherwise, the login was not successful.

However, in the given query, an attacker can take advantage of the situation to log in with any user without any password, just by subverting the logic of that query. For example, by sending the username teste' or 1=1 limit 1;# in the login field, it will result in a query like this:

SELECT * FROM users WHERE user = 'teste' or 1=1 limit 1;# ' AND pass = ' '

In this case, the attacker can authenticate as an administrator without needing a password due to the subverted logic of the query. Basically, the valid query in this case becomes only SELECT * FROM users WHERE user = 'teste' or 1=1 limit 1;, where we changed the AND operator to the OR operator. In this scenario, it is only necessary for one of the statements to be true to authenticate. We know that the user "teste" does not exist in the database, but 1=1 is true, so the application authenticates, and limit 1 specifies that it wants only one result in the query. The ;# at the end of the query finalizes it and makes the rest of the line a comment.

PreviousSQL Injection NextSQL injection vulnerability in WHERE clause allowing retrieval of hidden data

Last updated 1 year ago