(MySQL) Modifying WHERE clauses to bypass authorization
Credit Card Numbers!
SQL is used for many purposes in addition to user authentication, one of which is access control.
If, for example, it has been identified that the user is Masa, and Masa goes to the page "Your Credit Cards" on the online bank, how does the page know how to display Masa's credit cards specifically, and not, for example, the neighboring Veera's, who also has an account in the same bank?
Usually the answer is that each credit card row in the database is linked to a specific user through some kind of ID field (user_id or similar), and the application's code retrieves and displays only the cards whose identifier matches the identifier of the logged-in user.
You can try this in the browser. Here is a query that returns all credit cards:
And here is a query that returns only user number 1's credit cards.
But what if the attacker manages to inject SQL into the end of the WHERE clause?
By appending a condition to the end of the WHERE clause that is always true, such as "OR 1=1", the filter on the user's ID no longer restricts anything, and every row in the table is returned.
This is the situation in this module's lab. The application allows the user to filter their own credit cards based on the card number, using the LIKE operator.
Can you figure out what you could add inside the LIKE condition in the above query to make the application return all cards? Once you figure it out, open the lab and go to the "Credit Cards" page, and try to get all bank customers' credit cards out.
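The following is an added illustration, not code from the lab or the original page. It builds a small in-memory SQLite table (constructed sample data, not the lab's schema) and places the broken query next to its parameterized replacement, so you can see why a spliced-in condition defeats the user_id filter and why the parameterized version does not. The function names, the table name and the card numbers are all assumptions made for this example; the placeholder is `?` for SQLite and would be `%s` with the usual MySQL drivers.

```python
import sqlite3

# Constructed sample data for this example; not the lab's real data.
CARDS = [
    (1, "4111 1111 1111 1111"),   # belongs to user 1 ("Masa")
    (1, "5500 0000 0000 0004"),   # belongs to user 1
    (2, "3400 0000 0000 009"),    # belongs to user 2 ("Veera")
]


def make_db():
    """Create an in-memory SQLite database with one credit_cards table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credit_cards (user_id INTEGER, number TEXT)")
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?)", CARDS)
    return conn


def filter_cards_vulnerable(conn, user_id, pattern):
    """The broken pattern: the user-supplied filter is spliced straight into
    the WHERE clause, so whatever the user types becomes part of the SQL.
    The user_id itself comes from the session and is cast to int, which is
    why the only injection point is the LIKE pattern."""
    sql = (
        "SELECT number FROM credit_cards "
        f"WHERE user_id = {int(user_id)} AND number LIKE '%{pattern}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def filter_cards_safe(conn, user_id, pattern):
    """Parameterized version: the driver sends the pattern as a bound value,
    never as SQL text, so it cannot change the shape of the WHERE clause.
    % and _ in the input are escaped as well, so a user cannot widen the
    match with LIKE wildcards. (MySQL drivers use %s instead of ?.)"""
    escaped = (
        pattern.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = (
        "SELECT number FROM credit_cards "
        "WHERE user_id = ? AND number LIKE ? ESCAPE '\\'"
    )
    return [row[0] for row in conn.execute(sql, (user_id, f"%{escaped}%"))]


if __name__ == "__main__":
    db = make_db()
    # Ordinary use: both versions return only user 1's matching card.
    print(filter_cards_vulnerable(db, 1, "4111"))
    print(filter_cards_safe(db, 1, "4111"))
    # A filter value that closes the quote and adds an always-true condition:
    # the concatenated query now returns every row, including user 2's card.
    injected = "%' OR 1=1 OR number LIKE '"
    print(filter_cards_vulnerable(db, 1, injected))
    # The same value bound as a parameter matches nothing, because it is
    # compared literally against the card numbers.
    print(filter_cards_safe(db, 1, injected))
```

The detection angle follows from the same code: a query whose filter should be scoped to one user returning rows for several user_id values is exactly the anomaly to alert on, and logging the number of rows returned per request on sensitive endpoints makes that visible without inspecting every payload.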