
The OR Technique

Overview
Difficulty: Intermediate
Duration: 31m
Students: 8
Description

Now that you know the SQL fundamentals, this course takes a deep dive into SQL Injection. We will see how to find vulnerabilities, how to inject comments through them, and other techniques that allow you to penetrate SQL databases.

Transcript

Hi. Within this lecture, we're going to learn another technique so that we can bypass this authentication; it's much more common than what we have seen so far. So again, maybe it will not be so frequent when you do this pen testing, but this may come across, and this is one of the things that you can find frequently. So, this is much more important. Okay. So, as you can see, we are in our SQL injection file, SQL injection.txt. We have covered this right now. We have nullified this and we didn't even have to give any password in this case.

And right now I'm just going to go for another thing, in which we will give the username as a regular username like admin or atil. Okay. Just continue with atil, because we have been working on that one. And for the password, we're going to give some value, but this time, aside from the value, we're going to do an OR as well. So, let me show you what I mean. I'm going to write something over here like 1 or test. It really doesn't matter, because we're going to pretend that we don't know the password at this point. Okay. And let me copy this statement and paste it over here and just see what's going on.

So, we're going to give some password. It will run this. Okay. Like if I give 1, this statement will get executed, right? So, rather than this, I want to add some new code over here, and if it doesn't work, if this username equals atil and password equals 1 doesn't work, then I'm going to check for something else, and if that works then I'm going to be logged in. So, how does this work? We're not going to do AND right now, we're going to do OR. So, OR means if either the left side or the right side is true, then the whole statement will get executed. Okay? So, rather than doing AND 1=1, I'm just going to say OR 1=1. Since 1=1 is always right, is always true, then if the left side of the things doesn't work, we're going to check for the right side of the things, and since it's going to work, we know it's going to work because 1=1, then we will be logged in. And of course, we're going to have to write it like this, with one single quotation mark over here. Okay. Like after 1, one single quotation mark.

Okay. So, say OR 1=1 and end with a hashtag or double dashes, too. So, it will become like this, OR 1=1. And to avoid this, of course, we're going to write a hashtag or double dashes. So, it will put this at the end of this SQL comment and it won't execute the other thing. So, like that. Okay. So, let me delete this, and after this we're going to have it like that. Okay. So, it's basically the same thing like we have done in AND 1=1. So, I'm just going to copy this; rather than AND we're going to say OR, and we're not giving the password as the right password this time.

So, I'm going to go for atil and I'm going to paste this and I'm going to say Login. Here you go. We are logged in and, as you can see, we are not logged in as atil, we are logged in as admin. So, it's a little bit different, right? It's a little bit surprising actually, because we haven't even used the admin account in here, but we are logged in as admin. So, what's happening in here? Even though we specified atil as the username, since we have controlled for this. So, we controlled for username being equal to atil and password being equal to 1. So, this didn't halt, right? It found atil as the username but it couldn't match the password with 1.

So, it went on to the other statement, the right side of the OR I mean. So, it looked for 1=1 and found it to be true. So, this is true, right? So, since it's true, then it tried to execute it and it actually logged in as the first user, the user having the first ID. So, the first ID is admin in this case. And it's most probably the administrator user, or one of the administrator users, in many cases. So, if you find a vulnerability like this, then it will be logging you in as an administrator user, which is very good, right? So, it really didn't matter what we have written in the username. So, if you find a vulnerability like this, you don't even have to have a user account in that case. So, we can register a user over here to test these things. But even if we didn't have the authorization to register a user, we still could have logged in using this: select everything from accounts where username is this and password is this OR 1=1 thingy. So, it's basic, but it works in many scenarios. Okay. So, this is another opportunity that may lead us to bypass authentication.

So, let's stop here, because we actually started to learn about this thing. We started to understand this thing. We're going to see different kinds of things that we can try for when it comes to SQL injections. And then we will actually start digging deeper and learning new techniques regarding SQL injection as well. So, let's meet in the new lecture.
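The following is an added example and is not code from the lecture or its lab application. It reproduces the mechanism the lecture demonstrates in a self-contained SQLite database: the `accounts` table name and the usernames `admin` and `atil` come from the lecture, while the table layout, ids and passwords are constructed here. The vulnerable login splices the password field into the query text, so `1' OR 1=1 -- ` turns the WHERE clause into `(username = 'atil' AND password = '1') OR 1=1`. Because AND binds tighter than OR, that is true for every row, and an application that takes the first returned row logs you in as the lowest id, here `admin`. The parameterized version beside it binds the same input as a value, so the same payload simply fails to match. One caveat on the comment terminator: SQLite understands `--` but not `#`; `#` is MySQL syntax, which is why the payload below uses the double-dash form.

```python
import sqlite3

# Constructed sample data for a hypothetical "accounts" table. The usernames
# admin and atil come from the lecture; the ids and passwords are made up here.
SAMPLE_ACCOUNTS = [
    (1, "admin", "admin-pass-9f3k"),
    (2, "atil", "atil-pass-2z7q"),
    (3, "bob", "bob-pass-5m1x"),
]


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The query shape the lecture attacks: user input spliced into the SQL text."""
    return (
        "SELECT username FROM accounts WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Return the username of the first matching row, or None. Injectable on purpose."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: the input can never change the SQL grammar."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The lecture's payload, typed into the password field. The closing quote ends the
# string literal, OR 1=1 makes the WHERE clause true for every row, and "--"
# comments out the application's trailing quote. SQLite only accepts the "--"
# comment form; MySQL would also accept "#".
OR_PAYLOAD = "1' OR 1=1 -- "


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query("atil", OR_PAYLOAD))
    print("vulnerable    ->", login_vulnerable(db, "atil", OR_PAYLOAD))
    print("parameterized ->", login_parameterized(db, "atil", OR_PAYLOAD))
```

Running the script prints the spliced query, then `admin` for the vulnerable login and `None` for the parameterized one. The username you supply is irrelevant in the vulnerable case: any value, even one that does not exist in the table, still yields the first row once `OR 1=1` is in play.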


About the Author
Students: 634
Courses: 55
Learning Paths: 3

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.