Startingpoint APPOINTMENT SQL query

Hi all,

so I have done the Starting Point box "Appointment" and got a successful SQL injection, but I do not understand why the query actually works, as to my understanding it should not. I am searching for an explanation, as I would like to understand it.

In the walkthrough.pdf the query is shown to be:
SELECT * FROM users WHERE username='username' AND password='password'

I have entered
username: '--
password: '--

It seems to be a MySQL database, since the walkthrough states that # is the character for comments and, based on the SQL injection cheat sheet | Web Security Academy, only MySQL has that. So my input does not comment out anything and therefore should not work (as long as there is no empty user, but I confirmed that there isn't with other inputs).

Does someone understand why my input works and gives me the flag?


If you look closer, you'll notice that MySQL has more than one way to comment, and so
'-- (mind the space here, it tripped me up)
will both work to cut the password check part of the clause off.

Thank you for your response.
I understand that there are multiple ways to comment in MySQL and, as you also emphasized in your reply, in MySQL -- only works as a comment when it is trailed by a space. That's exactly my problem. It works for me even when just entering '-- without a trailing space for username and password, but only if I enter it for both parameters at the same time. That's what I do not understand. Why do I manage to log in providing these without spaces?

First off, I stand corrected.

So I ran a test. Here's an excerpt of the PHP code they claim is running, with the two form values filled in so it runs stand-alone:

└─$ cat appointment.php 
<?php
// Values submitted in both login fields: a single quote followed by two dashes, no trailing space
$username = "'--";
$password = "'--";

// User input is concatenated straight into the query string (the injectable pattern from the box)
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";

echo $sql;

└─$ php -f ./appointment.php 
SELECT * FROM users WHERE username=''--' AND password=''--'

I created a table:

MariaDB [joel]> create table users (username varchar(255), password varchar(255));
Query OK, 0 rows affected (0.018 sec)

MariaDB [joel]> insert into users values ('admin', 'foobar');
Query OK, 1 row affected (0.002 sec)

And the output:

MariaDB [joel]> SELECT * FROM users WHERE username=''--' AND password=''--'
    -> ;
+----------+----------+
| username | password |
+----------+----------+
| admin    | foobar   |
+----------+----------+

Wait, wtf?


I think this has to have something to do with it.

MariaDB [joel]> SELECT * FROM users WHERE username=''--'';
+----------+----------+
| username | password |
+----------+----------+
| admin    | foobar   |
+----------+----------+
1 row in set, 3 warnings (0.000 sec)

MariaDB [joel]> show warnings;
+---------+------+-------------------------------------------+
| Level   | Code | Message                                   |
+---------+------+-------------------------------------------+
| Warning | 1292 | Truncated incorrect DOUBLE value: 'admin' |
| Warning | 1292 | Truncated incorrect DOUBLE value: ''      |
| Warning | 1292 | Truncated incorrect DOUBLE value: ''      |
+---------+------+-------------------------------------------+
3 rows in set (0.000 sec)
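The warnings above are the whole explanation, so here is an added example (not from any post in this thread) that walks through the same query on a MariaDB/MySQL client, step by step. It reuses the users table from the post above; the intermediate SELECTs and the column alias names are assumptions for illustration only. In short: because -- is not followed by whitespace it is not a comment but two unary minus operators, the '' inside the second quoted run is an escaped quote, so the rest of the line becomes one string literal, arithmetic coerces both strings to the DOUBLE 0, and comparing the VARCHAR column to that number coerces 'admin' to 0 as well, so 0 = 0 is true for every row.

```sql
-- Added example, not from the thread: reproduce the parse on MariaDB/MySQL.
CREATE TABLE users (username VARCHAR(255), password VARCHAR(255));
INSERT INTO users VALUES ('admin', 'foobar');

-- 1. How the injected text lexes. In MySQL "--" is only a comment when it is
--    followed by whitespace; here it is followed by a quote, so it is two
--    minus signs. '' is the empty string. The third quote opens a new literal,
--    and the '' inside it is an escaped single quote, so that literal runs to
--    the final quote:  ' AND password=''--'  is ONE string.
--    The WHERE clause is therefore equivalent to the explicitly grouped form:
SELECT * FROM users WHERE username = ('' - (-' AND password=''--'));

-- 2. Arithmetic forces both strings to DOUBLE. Neither starts with a digit,
--    so each becomes 0 (with a "Truncated incorrect DOUBLE value" warning),
--    and 0 - (-0) is 0.
SELECT '' - -' AND password=''--' AS right_hand_side;   -- 0

-- 3. Comparing a VARCHAR column to a number converts the column to DOUBLE,
--    so 'admin' becomes 0 too (the third 1292 warning in the thread).
SELECT username, username = 0 AS matches FROM users;    -- admin | 1

-- 4. Hence every row satisfies 0 = 0 and the "login" succeeds with no
--    comment involved at all:
SELECT * FROM users WHERE username=''--' AND password=''--';

-- 5. Contrast: with a space after -- the rest of the line really is a
--    comment, the clause collapses to username='' and no row matches.
SELECT * FROM users WHERE username=''-- ' AND password=''-- ';
```

This is why the trick only works when both fields carry '--: with a single field the quotes no longer pair up into one trailing string literal and the subtraction does not form. A parameterized query (prepared statement) removes the whole class of problem, because the input is bound as a value and never re-lexed as SQL.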