Level 2: SQL injection vulnerability allowing login bypass

Objective

This lab contains a SQL injection vulnerability in the login function.

To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.

Explanation

The login form is vulnerable to SQL injection because the username is concatenated straight into the query. When credentials are submitted, the application builds a SQL statement that checks whether a row exists with the given username and password. Because the username is placed inside single quotes without escaping, a username containing a quote closes that string early and the remainder is parsed as SQL. Injecting a comment sequence after the username discards the password comparison entirely, so the query matches on username alone and the application logs in as the administrator without ever checking the password. Adding OR 1=1 makes the WHERE clause true for every row; which account you land in then depends on which row the database returns first, so the comment is what actually does the work here.

Resolution

  1. Go to the My Account section to access the login form.

  2. In the Username field, input the following payload:

administrator' OR 1=1-- -

  3. Enter any value in the Password field (e.g., test); the comment sequence removes the password check, so the value is never compared.

  4. The injection transforms the backend query into something like:

SELECT * FROM users WHERE username = 'administrator' OR 1=1-- -' AND password = 'test'

The username string is closed after administrator, OR 1=1 makes the condition true for every row, and the -- sequence comments out the rest of the statement, including the password comparison. The trailing space and dash matter on MySQL, which only treats -- as a comment when it is followed by whitespace; the extra dash stops a browser or proxy from stripping that trailing space. On PostgreSQL and SQLite a bare -- is enough.

  5. This bypasses the password check and logs you in as the administrator, solving the lab. If the OR 1=1 form lands you in a different account (the first row the database returns), use administrator'-- - instead, which matches only the administrator row.

Mitigation

To prevent SQL injection in authentication functions:

  • Always use parameterized queries or ORMs that safely handle user input.

  • Avoid directly embedding input into SQL statements.

  • Implement multi-factor authentication (MFA) to limit the impact of a bypassed password check. MFA does not remove the injection itself, and it only helps if the second factor is verified server-side after the database lookup rather than in a step the attacker can skip.

  • Regularly test login endpoints with automated tools and manual review to detect injection flaws.
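The following is an added example, not part of the original lab write-up or PortSwigger's code. It builds a small in-memory SQLite database standing in for the lab's users table (the usernames and passwords in it are constructed for the demo), runs the login query two ways, and shows what the payloads from the Resolution section actually return. The string-concatenated version reproduces the bug; the parameterised version is the first item of the Mitigation list. Note that on this table the OR 1=1 payload logs in as the first row, not the administrator, which is why the comment-only payload is the reliable one.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lab's users table.

    Rows are deliberately inserted with a non-admin user first so that
    'OR 1=1' visibly returns the wrong account. Passwords are stored in
    plaintext only to keep the demo short; a real application hashes them.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("wiener", "peter"), ("administrator", "hypothetical-admin-pass")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Builds the query by string concatenation, as the lab's login does.

    Returns the username of the first matching row (the account the
    application would log in as), or None if nothing matched.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()  # app trusts whatever row comes back first
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: input is data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    attempts = [
        ("administrator", "wrong"),             # honest guess, should fail
        ("administrator' OR 1=1-- -", "test"),  # payload from the Resolution
        ("administrator'-- -", "test"),         # comment-only payload
    ]
    for label, fn in (("vulnerable", login_vulnerable), ("parameterised", login_safe)):
        for user, pw in attempts:
            print(f"{label:13s} {user!r:32s} -> {fn(conn, user, pw)!r}")
```

Running it shows the vulnerable lookup returning wiener for the OR 1=1 payload and administrator for the comment-only payload, while the parameterised lookup returns None for both, because the quote and the comment are stored as literal characters of the username being compared.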
