
🗂️PortSwigger Lab Writeup: SQL Injection Vulnerability Allowing Login Bypass

PortSwigger lab description page for SQL Injection – Login Bypass


🎯 Objective

The objective of this lab is to exploit a SQL injection vulnerability in a web application whose login function builds the authentication SQL query unsafely from user input. The goal is to bypass the login function and log in as the administrator.


💉 Payloads Used

  • Payload 1 (in Username field) - ✅
administrator'--
  • Payload 2 (in Password field) - ✅
' or 1=1--

🧪 Exploitation Steps

🕵️Step 1: Observe the Website

  • First, open the lab URL in your browser and observe what the site is about and how the login page works.
    (Image: SQLi lab instance showing the vulnerable shopping site; login page of the vulnerable web application in the PortSwigger lab)
  • At first glance, the website is a shopping site with a login page. The lab description states that the vulnerability is in the login function, where user input is used directly in a SQL query.

🚀Step 2: Inject the Payload

  • Here, we can bypass the login function using two methods: injecting the payload in the username field, or injecting it in the password field.
  • Method 1: Inject the payload administrator'-- in the username field. The -- comments out the remainder of the SQL query (AND password = '$password'), so the password check is never evaluated and anything can be entered in the password field.
    (Image: SQL injection payload injected in the username field to bypass login)
  • Method 2: Inject the payload ' or 1=1-- in the password field with administrator as the username. The injected OR 1=1 makes the WHERE clause always evaluate to true, so the login succeeds without the password.
    (Image: Payload injected in the password field to achieve login bypass)
  • Using either method, you can bypass the login function and access the administrator account.
    (Image: Successful login as administrator after SQL injection)
  • Finally, the lab is solved.

🧠 Conclusion

  • This lab is a basic case of SQL injection, where the username and password from the login form fields are inserted directly into the SQL query that performs the authentication logic.
  • Because the application neither sanitizes user input nor uses prepared statements, an attacker can alter the SQL query by injecting arbitrary SQL syntax, bypassing the login function. This leads to unauthorized admin access and can also expose the full contents of the database.
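To make the mechanism in Step 2 and this conclusion concrete, here is an added example (not code from the lab or from PortSwigger) that reproduces the vulnerable query-building pattern against a constructed in-memory SQLite table, then shows the same login check written with a parameterized query. The table contents, column names and passwords are assumptions for the demo; the two payloads are the ones used above.

```python
import sqlite3


def make_db():
    # Constructed sample data for the demo: one admin account and one ordinary user.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("administrator", "s3cret-admin-pw"), ("wiener", "peter")],
    )
    conn.commit()
    return conn


def build_query_unsafe(username, password):
    # The vulnerable pattern the lab describes: user input is concatenated
    # straight into the SQL text, so quotes and '--' become SQL syntax.
    return (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )


def login_unsafe(conn, username, password):
    # Returns the username that the (injectable) query authenticates, or None.
    row = conn.execute(build_query_unsafe(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Parameterized query: the driver binds the values separately from the
    # SQL text, so "administrator'--" and "' or 1=1--" are compared literally
    # against the stored column values and never change the query structure.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("administrator'--", "anything"), ("administrator", "' or 1=1--")]:
        print("query :", build_query_unsafe(user, pw))
        print("unsafe:", login_unsafe(conn, user, pw))
        print("safe  :", login_safe(conn, user, pw))
```

Printing `build_query_unsafe` for each payload shows exactly what the text describes: with Method 1 the `AND password = ...` clause is left behind the `--` comment, and with Method 2 the `OR 1=1` makes the `WHERE` clause true for every row. The `login_safe` variant applies the fix the conclusion names (prepared statements): both payloads simply fail to match any account, while the real credentials still work.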

| CWE ID  | Title                                                                                   | Description                                                                                             |
|---------|-----------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
| CWE-89  | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')   | The core vulnerability: input is not sanitized, allowing SQL injection into the authentication logic.   |
| CWE-287 | Improper Authentication                                                                 | The login mechanism is bypassed due to injection, meaning the authentication logic is flawed.           |
| CWE-20  | Improper Input Validation                                                               | The application fails to validate user input, enabling the injection of SQL meta-characters.            |
| CWE-116 | Improper Encoding or Escaping of Output                                                 | Lack of escaping of SQL input contributes to the successful injection.                                  |