SQL Injection 05

Bookmarked!

This exercise is one of our challenges on SQL Injections

PRO
Tier
Easy
< 1 Hr.
9222

In this challenge, we have an SQL injection vulnerability in a login form where spaces and tabulations are blocked by the developer. To bypass this filter, you can avoid using spaces between the keywords in your injection and utilize SQL comments like /**/ to separate keywords. Additionally, you can use # as an alternative to -- for commenting out the rest of the SQL query, if needed.

The architecture of the challenge involves sending an HTTP request to a web server, which then processes it through PHP, communicates with a database, and returns a response to your browser. The PHP code uses preg_match to detect whitespace characters and throws an error if any are found in the input. By leveraging SQL comments and avoiding spaces, you can craft a payload that successfully bypasses the filter and exploits the SQL injection to gain unauthorized access.

Want to learn more? Get started with PentesterLab Pro! GOPRO