I’m going through the SQL Injection Fundamentals module and I am unable to obtain the flag for the exercise in the “Subverting Query Logic” section despite performing a successful bypass. There’s no flag on the page:
Executing query: SELECT * FROM logins WHERE username='tom' AND password = 'admin' or '1'='1';

Login successful as user: admin

Click here to try again
Maybe it’s a bug? Not sure what to do at this point so I’m posting here.
I think I found the bug, the section wants me to login as tom but the page says that I logged in as admin (even though username = 'tom').
The exercise in the next section works fine and doesn’t have this bug.
It’s actually a bug in my payload, not the application itself! Should’ve scrutinized it more closely but for some reason I thought the exercise itself got broken somehow, LOL.
Thanks to Ryan from the support team who gave a detailed explanation:
Hi there, I’m Ryan.
This is not a bug. This is exactly what is expected to happen.
You entering the username as tom does not mean you will be logged in as tom. This is an expected consequence of the query logic.
SELECT * FROM logins (WHERE username='tom' AND password = 'admin') OR '1'='1' is the query that got run. There are no cases where the username is tom and the password is admin, so this WHERE always fails. However, the OR 1=1 matches on the very first row (which is the admin account), and thus you are logged in as admin.
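To see Ryan's point in running code, here is an added example (written for this thread, not taken from the module or the lab application): a constructed in-memory logins table, the string-built query the lab page shows, and the same lookup with bound parameters. The table layout, row order and passwords are assumptions for the example.

```python
import sqlite3

# Constructed sample database (assumption, not the lab's real data): admin
# is deliberately the first row, as in Ryan's explanation.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO logins (username, password) VALUES (?, ?)",
        [("admin", "p@ssw0rd"), ("tom", "tomspass"), ("john", "johnpass")],
    )
    return conn

def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string concatenation, as the lab page does.
    AND binds tighter than OR, so the injected OR '1'='1' makes every row
    match and the first row (admin) is returned, whatever username was sent."""
    query = (
        f"SELECT * FROM logins WHERE username='{username}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[1] if row else None  # username of the first matching row

def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the input is compared as data, so
    the quote and OR in the payload never become part of the query."""
    row = conn.execute(
        "SELECT * FROM logins WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[1] if row else None

if __name__ == "__main__":
    conn = make_db()
    payload = "admin' or '1'='1"
    print(login_vulnerable(conn, "tom", payload))      # admin
    print(login_parameterized(conn, "tom", payload))   # None
```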