SQL Injection

username: admin password: password123

This not surprisingly didn't work and returned the following message.

In this step we want to test the sql syntax to see if it is possible to alter how the code executes on the database side.

username: admin' password: password123

As we can see adding a ' to the end of our username caused a syntax error confirming that we can alter the sql code and how it is executed.

With the sql injection, we want to try and alter the sql code to only require a username to return true and authenticate us as the admin user.

username: admin'-- password: password123

After entering this injection you should be logged in to the website as admin. What the additional '-- does is comments out the rest of our sql code.

Last updated 2 years ago