SQL Injection

Tutorial Video

Requirements

• Computer

• Internet access

• Proxy (if you want to stay anonymous)

Step 1: Try a commonly used username and password.

username: admin password: password123

This not surprisingly didn't work and returned the following message.

Step 2: testing sql syntax

In this step we want to test the sql syntax to see if it is possible to alter how the code executes on the database side.

username: admin' password: password123

As we can see adding a ' to the end of our username caused a syntax error confirming that we can alter the sql code and how it is executed.

Step 3: Changing the sql code

With the sql injection, we want to try and alter the sql code to only require a username to return true and authenticate us as the admin user.

username: admin'-- password: password123

After entering this injection you should be logged in to the website as admin. What the additional '-- does is comments out the rest of our sql code.