This lab contains an SQL injection vulnerability in the login function. To solve the lab, perform an SQL injection attack that logs in to the application as the administrator user.
Head over to the login page.
When we input a username and password, the query string will look like:
SELECT * FROM users WHERE username = 'administrator' AND password = 'password'
I input a single quote in the username and log in (same with the password). Both result in an internal server error, which shows that it might be vulnerable to SQL injection.
In this case, if I input: administrator' or 1=1--
The query string:
SELECT * FROM users WHERE username = 'administrator' or 1=1--' AND password = 'password'
Regardless of whether 'administrator' is a valid username, 1=1 will always evaluate to true, and the -- will comment out the rest of the statement. This means I will get to log in as the very first user in the users table.
Alternatively, if we input:
administrator'--
the query string becomes:
SELECT * FROM users WHERE username = 'administrator'--' AND password = 'password'
In the above query, since AND password = 'password' is commented out and the username is 'administrator', it will log us into the administrator account.
Both will help us to solve the lab.
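To see why both payloads work and what the fix looks like, here is an added example (not the lab's own code, and not from PortSwigger) that reproduces the vulnerable login query with string concatenation next to a parameterized version. It assumes Python's built-in sqlite3 module and a constructed users table with a placeholder administrator password; the administrator row is inserted first so the "or 1=1" payload lands on that account, just as the write-up describes.

```python
import sqlite3

# Constructed sample data for this demo (not the lab's real table).
# The administrator row comes first, which is why "or 1=1" returns it.
SAMPLE_USERS = [
    ("administrator", "admin-secret-placeholder"),
    ("wiener", "peter"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by string concatenation, the shape shown in the write-up.

    Returns the matched username, or None if no row matched. Quotes and
    comment markers in the input become part of the SQL text.
    """
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters.

    The driver passes the values separately from the SQL text, so a quote or
    a -- in the username is compared as data and never alters the statement.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def quote_breaks_query(login_fn, conn):
    """The write-up's first probe: a lone single quote as the username.

    With concatenation the statement is malformed and the database raises a
    syntax error (the lab's internal server error). With parameters it is
    simply a username that does not exist.
    """
    try:
        login_fn(conn, "'", "x")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for payload in ["administrator' or 1=1--", "administrator'--"]:
        print(f"{payload!r:28} vulnerable    -> {login_vulnerable(db, payload, 'anything')!r}")
        print(f"{payload!r:28} parameterized -> {login_parameterized(db, payload, 'anything')!r}")
    print("single quote errors (vulnerable):   ", quote_breaks_query(login_vulnerable, db))
    print("single quote errors (parameterized):", quote_breaks_query(login_parameterized, db))
```

Run it as-is: the concatenated query returns "administrator" for both payloads without knowing the password, while the parameterized query returns None for them and only succeeds with the real credentials. The single-quote probe errors only against the concatenated version, which is exactly the signal the write-up uses to spot the vulnerability.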