SQL Injection
Requirements
Computer
Internet access
Proxy (if you want to stay anonymous)
Step 1: Try a commonly used username and password.
username: admin password: password123
Not surprisingly, this didn't work and returned the following message.

Step 2: Testing SQL syntax
In this step we test the SQL syntax to see whether our input can alter how the query executes on the database side.

username: admin' password: password123

As we can see, adding a ' to the end of our username caused a syntax error, confirming that our input can alter the SQL code and how it is executed.
Step 3: Changing the SQL code
With the SQL injection, we want to alter the SQL code so that it only requires a username to return true and authenticates us as the admin user.
username: admin'-- password: password123

After entering this injection you should be logged in to the website as admin. The additional '-- closes the username string and comments out the rest of the SQL code, so the password check is never evaluated.
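Why the three inputs above behave as they do, and how a parameterized query stops them, as an added example that is not part of the original tutorial. The page does not show the site's code, so the table, column names, stored password and query shape here are assumptions, reproduced with an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """In-memory users table with one constructed sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_vulnerable_query(username, password):
    # Assumed shape of the flawed login query: input is pasted into the
    # SQL text, so a quote in the input ends the string literal early.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")

def login_vulnerable(db, username, password):
    """Return the matched username, None on a failed login, or the error text."""
    try:
        row = db.execute(build_vulnerable_query(username, password)).fetchone()
    except sqlite3.Error as exc:
        return "SQL error: " + str(exc)   # what Step 2 surfaces to the user
    return row[0] if row else None

def login_parameterized(db, username, password):
    """Same lookup with placeholders: input is bound as data, never parsed as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    for user in ("admin", "admin'", "admin'--"):   # Steps 1, 2 and 3
        print(repr(user))
        print("  query sent    :", build_vulnerable_query(user, "password123"))
        print("  vulnerable    :", login_vulnerable(db, user, "password123"))
        print("  parameterized :", login_parameterized(db, user, "password123"))
```

In a real application the stored value would be a salted password hash compared in application code, but the fix for the injection itself is the placeholder binding shown in login_parameterized.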
