Hey All,

I've been trying to work more on learning SQL syntax to better understand injection statements.  I came across an example, and I'm not sure I understand it completely.

They are detailing a sample authentication bypass, initially they put a purposefully wrong statement of:

SELECT * FROM admins WHERE (user = '' OR '1'='1') AND (pass = '')

They said it was wrong, as it would only match user's with blank passwords and I can see that, the parentheses change the order of operation.

This is what they suggested as the correct statement:

SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''

Why are the two true conditions in there.. not sure why that fixes it?

If anyone could explain that, I would really appreciate it - it's stuck in my head, so I've been trying to find an answer!

Thanks in advance for all the help!

-DV

Hi digitalvampire,

Where did you get these examples? You are right that two true statements are not necessary. But sometimes when fuzzing, we would try many, many different things to see if something crashes the application.

Take a look at http://code.google.com/p/fuzzdb/source/browse/#svn%2Ftrunk%2Fattack-payloads%2Fsql-injection to find many useful SQL Statements that may help you understand/fuzz for SQLi vulnerabilities.

But the two examples you posted aren't too good:

This:
SELECT * FROM admins WHERE (user = '' OR '1'='1') AND (pass = '')
Should be:
SELECT * FROM admins WHERE user = '' OR '1'='1'

And this one:
SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''
Should also be something like:
SELECT * FROM admins WHERE user = '' OR '1'='1'

Note: Depending on a few factors (WAF, Database vendors, Application logic, etc), SQLi techniques can vary greatly , so experiment!! 

Hey Guys!

Thanks for the information, and links.
I actually got these out of the SQL Injection Attack and Defense book from syngress.

It was in their section detailing inline sql injection.  The examples you gave actually make much more sense.

So, now I'm curious - in regards to the statement:


How would that be interpreted?

Would it evaluate the AND pass = '' at the end still, I thought maybe they used the two OR's so that it would never reach the pass section?

Thanks again for all of your help!

user = '' or '1' = '1' will always evaluate to true since 1 will always equal 1, regardless of what the user is. With OR, you only need one condition to evaluate to true for the statement to be evaluated as true.

This effectively makes the SQL query: SELECT * FROM admins WHERE TRUE AND pass = ''

With AND, you need both conditions to be true in order for a record to be returned. pass = '' will only evaluated to true for blank passwords, so that is correct.

I'm answering this one out-of-order since it will make the last response make more sense:

http://dev.mysql.com/doc/refman/5.0/en/operator-precedence.html

In other words: SELECT * FROM admins WHERE user = '' OR 1=1 OR ('1'='1' AND pass = '')



'1'='1' AND pass = '' will similarly evaluate to true only for users with blank passwords. However, consider how the additional OR changes the equation with the possibilities of blank usernames and passwords.

Non-Blank User, Blank Password: SELECT * FROM admins WHERE FALSE OR TRUE OR TRUE

Non-Blank User, Non-Blank Password: SELECT * FROM admins WHERE FALSE OR TRUE OR FALSE

Blank User, Blank Password: SELECT * FROM admins WHERE TRUE OR TRUE OR TRUE (Why bother with SQLi though? Just hit "submit" )

Blank User, Non-Blank Password: SELECT * FROM admins WHERE TRUE OR TRUE OR FALSE

Both of those statements will now evaluate to true since only one condition has to be true.

What you are trying to do is make the AND pass = '' irrelevant, and you need an OR to do that. However, you can't just add another OR since your statement would then be SELECT * FROM admins WHERE user = '' OR 1=1 OR AND pass = '', which would cause your query to break. You could also do OR '1'='2' AND pass = '' and have it evaluate to false every time; it wouldn't matter since you already have a TRUE in a series of ORs, and you only need one.

Edit: Man, Hayabusa always manages to ninja a response in when I go on a rant. His name is well-deserved

<evil grin>  Never know when I'm lurking, for the day...  

@digitalvampire - glad to give you the good idea!