Website Login Bypass Using SQL INJECTION

Posted by Ganesh Murugaraju

Sql injection is a hacking tecnique used to inject sql queries to output arbitrary files or data's. Suppose, a site has a login form & only the registered users are allowed to enter the site. Now, say u wanted to bypass the login and enter the site as the registered user. If the login script is not properly sanitized by the coder, u may have luck to enter the site. you might be able to login into the site without knowing the real username and real password by just interacting with the DB server. So, this technique is known as Sql injection login bypass.
Let's see an example, where the username admin with the password pass123 can login to the site. Suppose, the SQL query for this is carried out as below:



SELECT USER from database WHERE username='admin' AND password='pass123'


And if above SELECT command evaluates true, user will be given access to the site otherwise not. Think what we could do if the script block is not sanitized. This opens a door for the hackers to gain illegal access to the site.
In this example, the attacker can enter the following user data in the login form:

username: a or 1=1--
password:blank
So, this would make our query as:

SELECT USER from database WHERE username='a' or 1=1-- AND password=''

Note that -- is the comment operator and anything after it will be ignored as a comment. There exists another comment operator which is /*.
So our above query becomes:

SELECT USER from database WHERE username='a' or 1=1

Now this query evaluates true even if there is no user called 'a' because 1=1 is always true and using OR makes the query return true when one of the query is true. And this gives access to the site admin panel.
There can be various other username and password combinations to play with the vulnerable sites. U can create your own new combinations for the site login.
Few such combinations are:

username:' or 1='1 password:' or 1='1
username:' or '1'='1' password:' or '1'='1'
username1=1 password1=1
username:blank password:" or "a"="a