For demonstration purposes we are using PortSwigger’s SQL Injection lab.
This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.
Using SQL injection, an attacker can bypass a login mechanism with very simple payloads.
We just have to understand the logic behind it.
Let's look at an example:
Assume we have a Users table with the following data:
And the query used by the server is:
SELECT * FROM Users WHERE username = 'Wiener' AND password = 'bluecheese';
Which returns the data:
If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.
An attacker can take advantage of this: because the login only requires the details of some user as output, the attacker can manipulate the query so that it returns the details of any user they choose.
Now assume we use a malicious payload that turns the query into the following:
SELECT * FROM Users WHERE username = 'administrator'-- ' AND password = '';
Actual payload as username: administrator'--
As the username we specify administrator, so the server will look for the user with username "administrator".
Then we use a single quote to end the string, followed by two hyphens to comment out the rest of the query.
Now it doesn't matter what you put as the password, because the password check is commented out.
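To make the mechanism above concrete, here is an added example (not code from the post or the lab) using Python's built-in sqlite3 with a constructed Users table: the vulnerable login concatenates the input into the query the way the post describes, while the parameterized version binds the input as data, so the same payload fails against it.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table for the walkthrough; not the lab's real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("wiener", "bluecheese"), ("administrator", "placeholder-admin-pw")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string concatenation: user input becomes SQL syntax.

    With username = "administrator'--" the query becomes
      SELECT username FROM Users WHERE username = 'administrator'--' AND password = '...'
    and everything after -- is a comment, so the password is never checked.
    (A payload such as "' or 1=1--" instead matches every row; which account the
    server then picks depends on row order.)
    """
    query = (
        f"SELECT username FROM Users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input is compared as a literal value."""
    row = conn.execute(
        "SELECT username FROM Users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:    ", login_vulnerable(db, "administrator'--", "anything"))
    print("parameterized: ", login_parameterized(db, "administrator'--", "anything"))
```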
Now, the most important thing is that the user must exist in the table for the login to succeed. In our demonstration lab (PortSwigger) there is a user with username: administrator.
Now, open the lab in the Burp Suite built-in browser.
We can see there is a login portal behind the "My Account" link.
Let's try to log in with username: administrator and type anything as the password.
We get the error: "Invalid username or password".
Let's review the request in the Burp Suite HTTP history tab.
We can see this is a POST request and the data being sent is:
CSRF token, username and password.
Send this request to Repeater by right-clicking on the request and selecting the "Send to Repeater" option, or simply by pressing CTRL + R.
In Repeater, we can send this request multiple times and review and analyze the response.
Add the SQL injection payload demonstrated in the theory part:
Payload: administrator' or 1=1--
Click on the "Follow redirect" button.
Alternatively, we can simply enter the payload in the username field on the login page.
Congratulations! We have successfully logged in.
This shows that if user input is not properly sanitized (or, better, bound as a query parameter), an attacker can log in as any user they want. This can lead to account takeover or even privilege escalation.