SQL injection vulnerability allowing login bypass — Post Method
Rayofhope shares notes on the SQL injection labs from PortSwigger, focusing on the POST- and GET-based attack types, and points out the importance of testing key characters such as single quotes, double quotes, parentheses and spaces. 2025-7-2 06:38:29 Author: infosecwriteups.com

RayofHope

Hi, my fellow hackers. This is Rayofhope. I have over 5 years of experience and am currently working as a consultant with a Big 4 firm.

It’s Day 2 of posting all the PortSwigger labs, not just the solutions. I’ll break down why we take each step, because once the ‘why’ is clear, the ‘how’ becomes easy.

Let’s Start:

Before you go for this blog, make sure to read the Previous one

Link to First Blog: https://medium.com/@arayofhope7/sql-injection-vulnerability-in-where-clause-allowing-retrieval-of-hidden-data-portswigger-12342def10ec

Video Walkthrough — You can watch the video or read the blog, totally up to you. But if you ask me, start with the video, then read the blog to connect all the dots.

What are the types of SQL Injection?

Well, well, there are many types of SQL injection, but in this module, we’re focusing on the POST and GET methods.

GET method: Data is sent through the URL, typically as query parameters like ?key=value. If those parameters end up in a query, this is where a GET-based SQL injection happens.

POST Method: Sends data in the body of the request, making it invisible in the URL. Commonly used in forms, such as login pages, search boxes, and comment sections.

Note: Remember that both POST and GET methods can be vulnerable to all four types of SQL Injection: Union-based, Error-based, Blind-based, and Time-based Blind.

This blog won’t cover the details of each attack type. I’ll explain them individually in separate posts.

Ram Baan (Quick Tip)

There are just five characters you need to test to spot SQL injection: `'`, `"`, `)`, `")`, and a space. If any of them breaks the query or changes the app's behavior, you've probably got a vuln on your hands.

Cool 😎 with the fundamentals out of the way, let’s dive into the lab 🧠⚔️ and see these concepts in action.

Here’s what the application looks like. We’ve got a ‘My Account’ option.

My Account link leads us to a login page.

As we discussed earlier, there are two main types of attacks — GET and POST. In this case, we're going to perform a POST-based SQL injection on the login page.

Here, we tried to bypass authentication, but the application responded with an 'Invalid credentials' message ❌. However, we know there's a user named administrator. So now we'll try using that username to see if we can break in.

We tried the username administrator to see if we could bypass authentication and gain access to the account.

And, we have the Admin account — cool
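To make the quick tip and the login walkthrough concrete, here is an added example that is not code from the post or from the PortSwigger lab. It builds a constructed in-memory SQLite user table (the usernames and passwords are made up), writes the login check two ways, a vulnerable version that concatenates the POST body fields straight into the SQL string, and a hardened version that uses parameterized queries, and then feeds each of the five probe characters from the tip into both. The function and table names are my own choices, not the lab's.

```python
import sqlite3

PROBES = ["'", '"', ")", '")', " "]  # the five characters from the quick tip


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; the credentials are example data only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "s3cret-example"), ("wiener", "peter-example")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """How a broken login handler looks: the form fields are spliced into SQL.
    Returns the matched username, or None when credentials do not match.
    A stray quote in the input changes the query's structure instead of its data."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: input is always treated as data,
    so probe characters can neither break nor reshape the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def probe_results(login, conn: sqlite3.Connection) -> dict:
    """Append each probe to a known username with a wrong password and record
    what happens: 'error' if the query broke, otherwise the login result.
    A response that differs from the plain 'no match' is the signal the tip describes."""
    results = {}
    for probe in PROBES:
        try:
            results[probe] = login(conn, "administrator" + probe, "wrong")
        except sqlite3.Error:
            results[probe] = "error"
    return results


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_results(login_vulnerable, db))
    print("safe:      ", probe_results(login_safe, db))
```

Run it and the vulnerable handler reports an error for the `'` probe (the single quote terminates the string literal and leaves the rest of the query malformed), while the other four probes come back as a plain failed login because this handler happens to wrap values in single quotes. That is exactly why the tip lists all five: which character breaks the query depends on the quoting the developer used, so you test each one. The parameterized version returns a normal "no match" for every probe, which is the behaviour a fixed login form should show.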

Now, some of you might be wondering: in a real-world scenario we don't know the username, so how would this work? Fair question. This is just a lab, but in real-life situations there are a few default usernames you should always try: admin, administrator, root, and so on 👨‍💻. These are commonly used and often overlooked by developers, making them a good starting point during testing.

Happy Hunting — Do hit a like and follow for the best content

My Social:

LinkedIn: https://www.linkedin.com/in/ray-of-hope/

YouTube Channel: www.youtube.com/@arayofhope7

Twitter: https://x.com/ray_of_hope7

Instagram: https://www.instagram.com/a_rayofhope7/


Source: https://infosecwriteups.com/sql-injection-vulnerability-allowing-login-bypass-post-method-9d219a201de7?source=rss----7b722bfd1b8d--bug_bounty