The OWASP Top 10 is a great starting point when learning web application security. HackTheBox offers a track called "The OWASP Top 10", designed to teach these common vulnerabilities through hands-on challenges. In this article, I'll walk you through the challenge called "sanitize".
Let’s Start
Here is what the web page looks like:
Let's try the test credentials to see how the application works. When I try admin:admin on the page, I see the error message below.
The error message shows us the query the application builds from our input. Let's manipulate the input and see how the query changes. To log in as a user, we can use SQL injection to alter the query. Here's how it works:
The original query typically looks like this:
SELECT * FROM users WHERE username = '<username>' AND password = '<password>';
We want to force the query to always return a user. To achieve this, we can inject a condition that is always true, such as 1=1.
For example, by entering:
admin' OR 1=1
The query becomes:
SELECT * FROM users WHERE username = 'admin' OR 1=1 AND password = 'password';
This modification causes the database to compare the username with admin. If the username doesn't match, the condition 1=1 ensures the check still passes. However, the password condition remains an obstacle, since it must also match.
To bypass the password check, we can append a comment marker so that everything after our injection is ignored. By entering:
admin' OR 1=1;--
The query is transformed into:
SELECT * FROM users WHERE username = 'admin' OR 1=1;-- AND password = 'password';
The ;-- appended to the injection serves two purposes:
; (semicolon): it ends the current SQL statement. In some SQL systems a semicolon marks the end of one statement, and anything that follows is treated as a new command. Here it ensures that nothing after 1=1 is evaluated as part of the query logic.
-- (comment): this is an SQL comment marker. It tells the SQL engine to ignore everything that follows it on the same line, which "comments out" the rest of the original query and removes it from execution.
Together these trick the database: the 1=1 condition makes the WHERE clause always true, and the -- comment disables the password check, making the injection successful.