We're first presented with a basic login screen:
Let's look at the code:
It looks like the request parameters are concatenated directly into the SQL query string. This is good news for us: if we include the double-quote (") character in our input, we can close the string literal and have the rest of what we pass in interpreted as part of the query's control logic.
If we pass in a" or 1=1 -- " as the username, the query that gets executed becomes SELECT * from users where username="a" or 1=1 -- "" and password="".
This is great for us. The "--" comment sequence makes the database ignore the rest of the line, so the effective query is SELECT * from users where username="a" or 1=1. Because 1=1 always evaluates to true, ALL entries in the users table are selected.
That's more than enough for us to pass the login test, which only requires a single record to be present.
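The bug described above side by side with its fix, as an added example that is not the challenge's own code: a vulnerable login that splices request parameters into the query, and a parameterized version that binds them as data. It assumes a small in-memory SQLite users table with constructed sample rows; SQLite treats double quotes as identifiers, so the demo uses single-quoted literals, and the payload is the same shape with the delimiter swapped.

```python
import sqlite3

# Constructed sample data for the demo; not taken from the original writeup.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a users table like the one the challenge queries.
    (A real application would store a password hash, not the password itself.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_unsafe_query(username, password):
    """Mirrors the challenge's defect: request parameters spliced straight into SQL.
    A quote in the input closes the literal, and '--' comments out the password check."""
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def login_unsafe(conn, username, password):
    """Vulnerable: returns every row when the username rewrites the WHERE clause."""
    return conn.execute(build_unsafe_query(username, password)).fetchall()


def login_safe(conn, username, password):
    """Fixed: '?' placeholders bind the values as data, never as SQL syntax, so the
    same input is compared literally against the username column and matches nothing."""
    return conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "a' or 1=1 -- "          # single-quote variant of the page's payload
    print(build_unsafe_query(payload, ""))
    print("unsafe rows:", len(login_unsafe(conn, payload, "")))  # every user
    print("safe rows:  ", len(login_safe(conn, payload, "")))    # none
```

The log line to watch for on the defender's side is the query itself: any SQL containing a comment sequence or an always-true tautology originating from user input is a sign the concatenation pattern is still in the code base.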