SQL Injection Login Bypass

Understanding SQL injection attacks against login form

Login bypass is without a doubt one of the most popular SQL injection techniques. This article presents different ways an attacker can use to defeat a login form. Principles detailed here are simple but strongly related to SQL injection in string parameters. If you are not familiar with SQL injection this might help you understanding what follows.

The Script

The login form we will use in our examples is pretty straight forward. It contains 2 input fields (username and password) which are both vulnerable. The backend script generates a query to validate username and password provided by the user. Here is an overview of the page logic.

Build login query without sanitizing parameters.

$query = "SELECT * FROM users WHERE username='"..$_POST['username']."' AND password='".$_POST['password']."'";

If a row (or more) is returned by the query, the script grants access. Otherwize, authorization is denied. Let's now see how the attack can be achieved.

SQL Injection Login

To bypass login and gain access to restricted area, the hacker needs to build an SQL segment that will modify the WHERE clause and make it true. For example, the following login information would grant access to the attacker by exploiting the vulnerability present in the password parameter.

Username (1st line) and malicious password (2nd line) submitted by the attacker.

admin

wrongpassword' OR 'a'='a

 

Query generated (login bypass attack). Be careful, colors can be confusing here.

SELECT * FROM users WHERE username='admin' AND password='wrongpassword' OR 'a'='a'

Quotes are not correctly handled (escaped) by the application and it allows the attacker to modify the query. However, the last SQL statement needs further explanations.

Because of operator precedence, the AND condition is evaluated first. Then the OR operator is evaluated, making the WHERE clause true. In fact, the condition will be true for all rows of the users table. It means that the provided username is ignored and the attacker will be logged in as the first user in users table. It also means that the attacker does not have to know a username to gain access to the system; the query will find one for him! Now let's see how the attacker can choose which account he will log into.

Vulnerable Username Field

The username field being vulnerable too, it can also be exploited to gain access to the system. In fact, it would be easier and far more practical for the hacker to bypass authentication this way since he could choose which user's account he would like to log into. Here is what the SQL injection attack will look like.

Malicious username (1st line) and password (2nd line) submitted by the attacker.

admin' --

anypassword

 

Query generated (login bypass attack).

SELECT * FROM users WHERE username='admin' -- AND password='anyPassword'

Note : For compatibility reasons with some DBMS, a space was added before and after "--". 

By using line commenting, the attacker eliminates a part of the login condition and gains access. This technique will make the WHERE clause true only for one user (admin in this example).

Conclusion

In these simple examples, we have seen that an attacker can bypass an authentication system with SQL injection. Without minimizing the disastrous consequences this might have, it is important to mention that a SQL injection can have much bigger security impact than a login bypass.