Logging In Without Password

Now that you know about SQL fundamentals, we're going to deep dive into SQL Injection in this course. We're going to see how to find vulnerabilities, how to inject comments using said vulnerabilities, and other techniques that allow you to penetrate SQL databases.


Hi. In this lecture, we're going to see how we can use this technique in order to bypass the login authentication. So, we know that we can inject SQL comments over here.

So, we have confirmed this by coming over here and inserting the password with an AND 1=1 comment. So, rather than that, maybe we don't know the password. But maybe we know the username and we try to log in without the password. So, how can we do that? So, it's selecting everything from accounts. That's cool. That's okay.

And maybe we can do something like this: we can say, yes, choose the username being equal to atil in this case, but don't run the rest of this statement. So, we know how to not run the rest of the statement. We can use a hashtag or we can use double dashes to nullify things, and we have tested this in the AND here. We've put the # at the end of this comment, so when they put the single quotation mark, it automatically nullified that and it didn't get executed. So, we can do the same thing for the password as well.

So, what we are going to try is to see if we can just cut the SQL comment in half and just not run the AND password thing at all. So, we don't even have to give any password in that case. So, this is one of the techniques that we can use to try and bypass the authentication. Of course, we have other techniques as well and we're going to see a lot of those in the upcoming lectures. But we're going to start from scratch. We're going to start from the most basic one. So, this is probably not going to show up unless you're doing this for a very small company.

So, in big portals or big companies you don't get this SQL Injection this easily, but it's good to know about this. So, what we are trying to do is to cut this in half and just put a # in here. Okay, if we can put a # in here, the rest of the statement will not get executed at all. So, it really doesn't matter what we put over here. We can just put the password as 123456, or we can just put the password as anything that we want. Okay, like 1. But if we nullify this, if we make this invalid, if we make this into a comment, this won't get executed at all.

So, it will try and see if there is any username called atil in the accounts database table, and if there is one then it will log us in. So, in order to do that, I am going to give atil and a # in the username section, and for the password it really doesn't matter. However, if I just add this, it will add the two single quotation marks at the beginning and at the end of this, and it won't work. So, rather than doing this, I am just going to do it like this: atil, one single quotation mark, and then just this hashtag thing. So, if I do this, it will become like that.

So, let me write it over here. So, it will become exactly like that. Even though it adds another extra quotation mark over here, it won't matter because it will be coming after the # and it won't get executed at all. So, what I am trying to do over here is to put this atil with a single quotation mark on its own and the #. So, you're going to have to do it like that. And again, the password doesn't matter. You can just give 1, you can just give test, whatever you want. So, it's exactly like this. So, we have given the password like that and now we're going to give the username like that in this case. I am just writing those things to take notes, so that I can just share this video after this section ends. So, I am going to give a random password over here.

If I say 'Login', here you go. Now, we bypassed the authentication; even though we didn't know the password, we managed to get in. So, it's pretty easy. We can do this with admin as well. If there is a vulnerability then it will work for every account that we can imagine. Here you go. Now, we are logged in as the admin user. So far so good. This is the most basic one. As I said before, maybe it won't be frequent in your web application pen testing, but it's the starting point. You're going to have to know this. So, you're going to have to actually learn the hard stuff, learn the advanced stuff in a most comprehensive way later on. So, let me come over here and try to log out, because we're going to learn about other techniques in the upcoming lecture.
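To make the mechanism from this lecture concrete from the defender's side, here is an added example (not part of the course material): a login check that pastes user input straight into the SQL string, which the `atil'` plus comment trick bypasses, next to the same check written with bound parameters, which treats the input as plain data. It uses an in-memory SQLite table with constructed accounts; since SQLite has no `#` comment, the injected value uses the `--` form the lecture also mentions.

```python
import sqlite3

# Constructed, in-memory "accounts" table standing in for the lab's database.
# Plaintext passwords are used only to keep the demonstration short.
ACCOUNTS = [("atil", "s3cret"), ("admin", "adm1n-pass")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The pattern the lecture exploits: user input concatenated into SQL."""
    return (f"SELECT username FROM accounts WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(conn, username, password):
    """Returns the matched account name, or None.
    A comment inside the username drops the 'AND password=...' clause."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the quote and comment characters
    stay inside the value, so no row matches unless the password is right."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # SQLite has no '#' comment; '-- ' (also mentioned in the lecture) is used.
    injected = "atil'-- "
    print(build_vulnerable_query(injected, "1"))
    print("vulnerable:", vulnerable_login(db, injected, "1"))  # atil
    print("safe:      ", safe_login(db, injected, "1"))        # None
```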


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.