oaass Posted May 5, 2013: I saw an SQL injection vector today to bypass auth which makes the vulnerable query look like this: SELECT * FROM table WHERE username=''-0||username='' AND password='' I understand everything except the -0 part.
mac_gyver Posted May 5, 2013: By subtracting a zero, the value is converted to a number.
oaass (Author) Posted May 5, 2013: So why is it that this actually works? What is it that it actually compared the first username against?
mac_gyver (Solution) Posted May 5, 2013: It causes the username column to be treated as a number, and any username that doesn't start with a numerical character will be a zero value and will be matched.
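To make the accepted answer concrete, here is an added example (not from the thread or its posters) that models MySQL's implicit string-to-number conversion in Python, lists which usernames a predicate of the form username=''-0 (i.e. username = 0) would match, and then shows the parameterized query that keeps the submitted text a literal string so no operator in it can change the comparison's type. The user table, the mysql_string_to_number model (a simplification of MySQL's leading-numeric-prefix rule) and the sqlite3 schema are all constructed for this example; sqlite3 is used only for the parameterized part, since its own comparison affinity rules differ from MySQL's.

```python
import re
import sqlite3

# Constructed sample user table for this example (not from the thread).
USERS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
    ("42bob", "pw"),
    ("007", "bond"),
]


def mysql_string_to_number(s: str) -> float:
    """Simplified model of MySQL's implicit string-to-number conversion
    in a numeric context: the longest leading numeric prefix is used,
    and a string with no numeric prefix becomes 0 (MySQL also raises a
    truncation warning). This is an approximation written for the
    example, not MySQL's own code."""
    m = re.match(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", s)
    return float(m.group(0)) if m else 0.0


def rows_matched_by_coerced_compare(users):
    """Which usernames satisfy `username = ''-0`, i.e. username = 0,
    once the text column is coerced to a number for the comparison?
    Every username without a leading digit collapses to 0 and matches."""
    return [name for name, _ in users if mysql_string_to_number(name) == 0.0]


def build_db():
    """In-memory sqlite3 table holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_parameterized(conn, username, password):
    """Safe login check: placeholders bind the submitted values as
    string literals, so characters such as ' - | in the input are
    compared as data and never become part of the SQL expression."""
    cur = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    )
    return cur.fetchone()


if __name__ == "__main__":
    # Under MySQL-style coercion, 'admin' and 'alice' both become 0.
    print(rows_matched_by_coerced_compare(USERS))  # ['admin', 'alice']
    conn = build_db()
    # The same text bound as a parameter matches no row.
    print(login_parameterized(conn, "'-0||username='", ""))  # None
    print(login_parameterized(conn, "alice", "hunter2"))  # ('alice',)
```

The first function explains the thread's question: once one side of the comparison is numeric, the string column is converted too, so 'admin' and 'alice' both compare equal to 0 while '42bob' (42) and '007' (7) do not. The parameterized version is the fix: the driver sends the username as a value, not as SQL text, so no arithmetic or operator in it is ever evaluated.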
oaass (Author) Posted May 5, 2013: Thanks mac_gyver! Really helped me understand what was going on.