SQL Injection

(MySQL) Modifying WHERE clauses to bypass authorization

Easy
30 min

Credit Card Numbers!

SQL is used for many purposes in addition to user authentication, one of which is access control.

Suppose, for example, the application has authenticated the user as Masa, and Masa opens the "Your Credit Cards" page of the online bank. How does the page know to display Masa's credit cards specifically, and not those of the neighbour Veera, who also has an account at the same bank?

Usually the answer is that each credit card row in the database is linked to a specific user through an ID column (user_id or similar), and the application's code retrieves and displays only the cards whose identifier matches that of the logged-in user.

You can try this in the browser. Here is a query that returns all credit cards:

SQL Playground

And here is a query that returns only the credit cards of user number 1.

SQL Playground

But what if the attacker manages to inject SQL into the end of the WHERE clause?

SQL Playground

By appending to the end of the WHERE clause an OR condition that is true for every row (1 is always equal to 1), the query returns every row in the table.

This is the situation in this module's lab. The application allows the user to filter their own credit cards by card number, using the LIKE operator.

SQL Playground

Can you figure out what you could add inside the LIKE condition in the above query to make the application return all cards? Once you figure it out, open the lab, go to the "Credit Cards" page, and try to retrieve the credit cards of every bank customer.
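The fix for this class of bug is to keep the access-control predicate and the user-supplied filter apart: the user id is bound from the server-side session, and the LIKE pattern is bound as a parameter, so nothing the user types can change the shape of the WHERE clause. The example below is added here and is not code from the Hakatemia module or its lab application; it uses Python with an in-memory SQLite table standing in for the bank's MySQL table, and the table layout, function names and sample card rows are constructed assumptions for illustration. It also escapes the LIKE wildcards, so a filter of "%" matches a literal percent sign rather than every card.

```python
import sqlite3

# Constructed sample data for this example (not the lab's data): two users, three cards.
SAMPLE_CARDS = [
    (1, 1, "4111111111111111"),  # hypothetical user_id 1 (Masa), first card
    (2, 1, "5555555555554444"),  # user_id 1, second card
    (3, 2, "4012888888881881"),  # hypothetical user_id 2 (Veera)
]

LIKE_ESCAPE = "!"  # escape character declared in the query's ESCAPE clause


def make_db():
    """Create an in-memory SQLite database with a credit_cards table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE credit_cards ("
        "id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, number TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?, ?)", SAMPLE_CARDS)
    return conn


def escape_like(text, esc=LIKE_ESCAPE):
    """Escape the LIKE wildcards so user text is matched literally."""
    return (
        text.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def user_cards(conn, session_user_id, number_filter=""):
    """Return (id, number) for the session user's cards whose number contains number_filter.

    session_user_id must come from the server-side session, never from the request.
    Both values are bound as parameters: the filter text is data, so quotes, the
    "1=1" tautology described in the text, or comment markers inside it never
    change the WHERE clause. The access control is the user_id predicate, not the
    pattern.
    """
    pattern = "%" + escape_like(number_filter) + "%"
    sql = (
        "SELECT id, number FROM credit_cards "
        "WHERE user_id = ? AND number LIKE ? ESCAPE '!' "
        "ORDER BY id"
    )
    return conn.execute(sql, (session_user_id, pattern)).fetchall()


def fetch_card(conn, session_user_id, card_id):
    """Load one card by id, still scoped to the session user (defence in depth).

    A lookup by card id alone would return other customers' cards, so the user_id
    predicate is bound in every query that touches the table, not only in the list view.
    """
    return conn.execute(
        "SELECT id, number FROM credit_cards WHERE id = ? AND user_id = ?",
        (card_id, session_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(user_cards(db, 1))                  # both cards of user 1
    print(user_cards(db, 1, "4111"))          # only the card containing 4111
    print(user_cards(db, 1, "%"))             # [] : wildcard escaped, matched literally
    print(user_cards(db, 1, "' OR 1=1 -- "))  # [] : the tautology is just text
    print(fetch_card(db, 1, 3))               # None : card 3 belongs to user 2
```

The same two rules carry over to the lab's MySQL stack: with mysqli, prepare the statement once and bind the session user id and the pattern with bind_param, and never build the LIKE pattern by string concatenation. Note that escaping "%" and "_" is a usability choice, not the security boundary; the parameter binding is what stops the filter text from reaching the WHERE clause as SQL.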

MySQLi - The Great Card Heist

In this lab, you will familiarize yourself with the LIKE operator and bypass the application's access control by injecting into the WHERE clause a condition that makes the application return the credit card information of all online banking customers.

Objective

Steal all the credit card information of all online banking customers.

Exercises

Flag

Find the flag from the lab environment and enter it below.
