Bypass Login with SQL Injection Attack

                              SQL Injection - one of the most common & Dangerous vulnerabilities in Database, that can completely take over DB. SQL Injection occurs when an attacker Inject malicious code (SQL Command) into website through URL (Parameter) or any Input Box that is connect to Database Server. An attacker can also bypass login & can enter into any users account without username & password. Here today we gonna learn that only - How can you bypass login with SQL Injection Attack using SQL Strings.

#  What is SQL Injection Bypass login ?
                       Basically, this is one of the most easiest way to exploit the SQL Injection Vulnerability. I hope you might know about SQL Injection and here we are talking about Bypass login using SQL Injection strings. While defacing a Website using SQL Injection attack there is a database of that website which stores login ID and passwords, and if the website is vulnerable to SQL Injection attack then an attacker will try to get admin password using SQL Injection Bypass login. An attacker will insert SQL String in website login form in order to bypass login and Exploit the Vulnerability.

#  How to Bypass login using SQL String ?
Requirements :

I'm using a Penetration testing lab (Vulnerable Web App) :NOWASP Mutiallidae: to show a tutorial on SQL Injection string code attack to bypass login. Suppose, we have to bypass login on a website and Enter's into Admin A/c and access website.

For E.g  This is the real ID and Password of victim website and it is vulnerable to SQL Injection Attack : username = admin & password =monkey & we've to enter into Admin's account without username & Password, simply we'll use SQL Injection techniques.

# Steps to Bypass Login with SQL Injection

  • Suppose NOWASP Mutillidae is target site, & your aim is to enter into Admin account without any credential details & website is Vulnerable to SQL Injection.

  • Okay, start your Pentest lab - Mutillidae, Click on Login/Register.

  • As you know the web app is already vulnerable, Download SQL Injection Strings Cheat Sheet, and try all strings command until you get into Admin's account.

  •  For Eg. : I'm using this SQL String ' or 1=1-- & Same in Password also.

    Click on Image to Enlarge it

  • After all click on login and you will be in Admin account. *Cool*

    Click on Image to Enlarge it

  • Okay, finally we bypassed login :) - Always remember that every web application have their own types of Firewall Protection against XSS & SQL Injection. we've to make our own way to bypass it, and This is for educational Purpose only = as you all know we only use Penetration testing lab.

Thank you for reading my Article, Please Share it. Alwayseel free to comment and let me know your problem. *Best of Luck*