SQL Injection 05
Bookmarked!This exercise is one of our challenges on SQL Injections
In this challenge, we have an SQL injection vulnerability in a login form where spaces and tabulations are blocked by the developer. To bypass this filter, you can avoid using spaces between the keywords in your injection and utilize SQL comments like /**/
to separate keywords. Additionally, you can use #
as an alternative to --
for commenting out the rest of the SQL query, if needed.
The architecture of the challenge involves sending an HTTP request to a web server, which then processes it through PHP, communicates with a database, and returns a response to your browser. The PHP code uses preg_match
to detect whitespace characters and throws an error if any are found in the input. By leveraging SQL comments and avoiding spaces, you can craft a payload that successfully bypasses the filter and exploits the SQL injection to gain unauthorized access.