June 2018
Intermediate to advanced
294 pages
7h 5m
English
When a user tries to authenticate to a system, the backend will execute a query that looks like this (for this example I'm using the credentials that I use to log in to Mutillidae):
select * from users where username='gus' and password='password123'
After executing the preceding query, the database will check if the record exists and if yes (the record exists) then a Boolean True value is returned and the user is authenticated. Hackers will take advantage of this theory to trick the database with a query that will always return a True value:
select * from users where username ='admin' or 1=1 -- and password = ''
or 1=1 will always return a true value and the -- symbol is telling MySQL that everything after it is a comment, ...
Read now
Unlock full access