SQL Injection Attacks

Caused when raw, unfiltered data entered by a user is used in an SQL query.

Use an SQL Injection to hack this site's login form yourself...

Use of unfiltered user input in the login script creates a vulnerability that allows a hacker to login to the site without having an account!

Here's how it works:

  1. Use the "Sign In" form to the right, which exposes this exploit.
  2. Start by logging in with your own username and password (register first if you don't have one yet).
    Carefully examine the SQL query generated by your login attempt (shown at top of page).
  3. Logout, and now, instead of your real username and password, enter:
    • hacker' OR 'a'='a
    in both fields. Be sure to enter it exactly as shown, with the mis-matched quotation marks.
  4. Press "Sign In" and Voila! You are logged into the site under someone else's account!
  5. How did that happen? Examine the "Authentication query" revealed during login.
    What we did here was to "inject" a fragment of SQL code into the query to change its meaning.
    In so doing, we fooled the software into believing the authentication was successful.
  6. You'll notice this hack only works on this page. The other pages use a harder-to-crack (although still insecure) authentication script.
    To learn more, look at the code in class-user.php::authenticate()

Try it yourself!

See if you can derive a different "SQL injection" string that also bypasses authentication.
Hint: press the "Sign In" button with an empty form to see the basic layout of the query - what text can be added to the "username" value to create a query that returns valid results?

Here's one that makes the password check completely redundant - can you see how it works?
  • Email: hacker' OR 1=1 OR 'a'='a
Here's one that allows you to take over ANY account by switching up the user's id...
  • Email: hacker' OR ('a'='a
  • Password: hacker' OR 'a'='a') and id='6

The attack above works because the password is verified in the SQL query itself - if we can trick the query into ignoring the password, we're in.

Like most login scripts, the login form to the right performs an explicit password check in the application code, so
the hack above won't work on this form. But that still won't stop a determined hacker ...

Here's how it works:

  1. The hacker will actually inject a fake record into the query, with a fake username and password.
  2. To do this, the hacker needs to understand the structure of the DB table so they can get the SQL right, but that's not usually too hard to figure out.
  3. Once we have figured out the correct injection code for the user name field, we simply enter the fake password, and voila - we're in.

Try it yourself!

See if you can create an "SQL injection" that bypasses authentication on the form to the right.
Hint: the user DB table has 4 columns: id, username, password, personalInfo
2nd Hint: the UNION command in SQL combines the results of two SELECT queries.

This injection code UNIONs the programmed query with a fake DB record containing its own password - can you see how it works?
  • Email: ' UNION SELECT '2','hacker','abc','
  • Password: abc

Notice that by changing the ID number in the injected SELECT, we can use this injection to login as any user on the system!

Note: this attack will not work on this page - try it on any other page (which all use the explicit password check authentication script).
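The page describes two authentication styles (the password compared inside the SQL query, and the explicit check in application code) but does not show the PHP behind them. The following is an added example, not the lab's own code: it models both styles in Python over an in-memory SQLite table with the 4 columns the hint names (id, username, password, personalInfo), seeds it with constructed sample users, and places each vulnerable string-concatenation version next to a parameterised version. Running the page's own injection strings through all four functions shows why the fix is to bind values as parameters rather than to add a second password comparison.

```python
import hmac
import sqlite3

# Constructed sample data for this example: ids, names and passwords are made up.
SAMPLE_USERS = [
    (1, "alice", "wonderland", "alice's notes"),
    (6, "admin", "hunter2", "site administrator"),
]


def make_db():
    """In-memory database with the 4-column user table the page's hint describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (id INTEGER, username TEXT, password TEXT, personalInfo TEXT)"
    )
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return conn


# ---- Style 1: the password is verified inside the SQL query ----

def auth_in_query_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so whatever the user types becomes SQL.
    Returns (id, username) of the first row the (possibly rewritten) query matches, or None."""
    sql = ("SELECT id, username FROM user WHERE username='" + username
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()


def auth_in_query_safe(conn, username, password):
    """Same query shape, but the values travel as bound parameters and are never parsed as SQL."""
    sql = "SELECT id, username FROM user WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


# ---- Style 2: the query fetches the row, the application compares the password ----

def auth_explicit_vulnerable(conn, username, password):
    """Looks the user up by name with concatenation, then compares the stored password.
    A UNION smuggled into the username can append a row whose password the attacker chose,
    so the explicit comparison succeeds against the fake row."""
    sql = "SELECT * FROM user WHERE username='" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None or row[2] != password:
        return None
    return (row[0], row[1])


def auth_explicit_safe(conn, username, password):
    """Parameterised lookup: the username can only ever be compared as a value.
    (Real deployments store a password hash and verify with a password-hashing library;
    the plaintext compare here mirrors the page's table layout.)"""
    row = conn.execute("SELECT * FROM user WHERE username=?", (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[2].encode(), password.encode()):
        return None
    return (row[0], row[1])


# The page's injection strings, used here purely as inputs to the checks above.
IN_QUERY_BYPASS = ("hacker' OR 'a'='a", "hacker' OR 'a'='a")
IN_QUERY_PICK_ID = ("hacker' OR ('a'='a", "hacker' OR 'a'='a') and id='6")
UNION_FAKE_ROW = ("' UNION SELECT '2','hacker','abc','", "abc")


def run_demo():
    """Runs each input against the vulnerable and the safe check; returns the outcomes."""
    conn = make_db()
    return {
        "legit_in_query_safe": auth_in_query_safe(conn, "alice", "wonderland"),
        "bypass_vulnerable": auth_in_query_vulnerable(conn, *IN_QUERY_BYPASS),
        "bypass_safe": auth_in_query_safe(conn, *IN_QUERY_BYPASS),
        "pick_id_vulnerable": auth_in_query_vulnerable(conn, *IN_QUERY_PICK_ID),
        "pick_id_safe": auth_in_query_safe(conn, *IN_QUERY_PICK_ID),
        "union_vulnerable": auth_explicit_vulnerable(conn, *UNION_FAKE_ROW),
        "union_safe": auth_explicit_safe(conn, *UNION_FAKE_ROW),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22} -> {result}")
```

Every `*_vulnerable` entry comes back with a row (the id='6' variant returns the admin row, the UNION variant returns the fake "hacker" row that was never in the table), while every `*_safe` entry returns None for the same inputs and still accepts the real credentials. The explicit-check script is not "harder to crack" because of the extra comparison; it is still concatenating, and only the parameterised query removes the injection point.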