trinetra.
cyber defense — learn
tutorials · lab 04 · sql injection login bypass
Step 04 / 10 · Defend track · module overview

You finished Lab 04. Here's what stuck.

A quick recap of the five steps that broke the login. The same idea, that your typing should stay plain data and never become part of a command, protects you against a whole family of injection attacks, not just this one.

Module complete · sqli-login-bypass

You sent the crafted text, watched the database query change, and pulled the admin account out of acme-bank. It makes sense now: one quote mark to break out of the string, one always-true condition, two dashes to comment out the rest, and the password check just disappears.

XP earned: +200 XP
Difficulty: Beginner
Time spent: ~25 min
Track: Defend
Recap · the five beats to keep close
  1. Entry · you type a command, not a name. A login form looks like two text boxes, but the website turns your typing into a question for its database. If the builder forgot one safeguard, your quote mark closes the string it was meant to sit inside, and the rest of what you typed becomes part of the question itself.
  2. Build · the server glues your text straight into its question. Spotting "WHERE name='" + u + "'", text stitched together with + to build a query, is the warning sign: whatever you typed is now query text, not a value. Handing the database your text through a separate, labelled slot (a bound parameter) fixes it at the source.
  3. Execute · the database runs your rewritten question. OR 1=1 is always true, so every account matches; the two dashes -- start a comment, so the database ignores the rest of the line, password check included. (That is SQLite behaviour, which the lab's ? placeholders point to; MySQL needs a space after the dashes, or # instead.) The database obeys perfectly, it was just told the wrong thing.
  4. Leak · the first account is the admin account. When every account matches, the website takes the first row the database hands back, usually the lowest id, and the first account created at setup is often the admin. The website believes the login worked and issues you a session in the admin's name.
  5. Own · you're admin now; use labelled slots to close it. You got exactly the session a real admin gets. The fix is short and does not rely on anyone remembering to escape quotes: cur.execute("… name=? AND password=?", (n, p)). The ? marks are slots the database driver fills with your words as plain values, so they can never turn into commands.
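The five beats above, run end to end as an added example. This is not the lab's own code, and acme-bank's real schema is not on the page, so the users table and its three rows are constructed here. It builds the glued-together query, shows what the ' OR 1=1 -- payload turns it into, lists every row the injected clause matches, and shows the same payload failing against the ? version. It also goes one step past the lab: the no_comment entry shows why the two dashes matter, because without them AND binds tighter than OR and the password check survives.

```python
import sqlite3

# Added example, not the lab's own code. The acme-bank schema is not shown on
# the page, so this table and its three rows are constructed for illustration.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT, role TEXT)"
    )
    con.executemany(
        "INSERT INTO users (name, password, role) VALUES (?, ?, ?)",
        [
            ("admin", "hunter2", "admin"),  # first row created at setup
            ("alice", "alice-pw", "customer"),
            ("bob", "bob-pw", "customer"),
        ],
    )
    return con


def build_query_vulnerable(u: str, p: str) -> str:
    # Beat 02: user text glued straight into the query with +.
    return (
        "SELECT name, role FROM users WHERE name='" + u
        + "' AND password='" + p + "'"
    )


def login_vulnerable(con: sqlite3.Connection, u: str, p: str):
    # Beats 03 and 04: run the rewritten query, trust the first row that matches.
    return con.execute(build_query_vulnerable(u, p)).fetchone()


def matching_names_vulnerable(con: sqlite3.Connection, u: str, p: str) -> list:
    # Shows every row the injected WHERE clause matches, not just the first.
    rows = con.execute(build_query_vulnerable(u, p)).fetchall()
    return [name for name, _role in rows]


def login_fixed(con: sqlite3.Connection, u: str, p: str):
    # Beat 05: ? placeholders are bound by the driver as values, never parsed as SQL.
    return con.execute(
        "SELECT name, role FROM users WHERE name=? AND password=?", (u, p)
    ).fetchone()


def demo() -> dict:
    con = make_db()
    payload = "' OR 1=1 --"
    return {
        # The query the server actually runs once the payload is glued in.
        "query": build_query_vulnerable(payload, "anything"),
        # First matching row wins: the admin created at setup.
        "vulnerable": login_vulnerable(con, payload, "anything"),
        "all_matched": matching_names_vulnerable(con, payload, "anything"),
        # Without the comment, AND binds tighter than OR, so the password check survives.
        "no_comment": matching_names_vulnerable(con, "' OR '1'='1", "anything"),
        # Same payload against bound parameters: it is just a strange username.
        "fixed": login_fixed(con, payload, "anything"),
        "legit": login_fixed(con, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see each value printed. Two caveats the lab does not cover: the -- comment works as shown in SQLite, which the ? placeholder style points to, while MySQL requires a space after the dashes or # instead; and comparing a plaintext password inside the query, as both versions here do to mirror the lab, is its own problem, since real code stores a password hash and checks it in the application after fetching the row by name.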
Next module

Lab 05 · Stored XSS Cookie Theft

Same root cause, your typing treated as code instead of plain words, but in a different place: the browser instead of the database. Hide a small script inside a comment, wait for the admin to open the page, and watch their login cookie get quietly sent to you.
