oaass Posted May 5, 2013

I saw an SQL injection vector today to bypass auth which makes the vulnerable query look like this:

SELECT * FROM table WHERE username=''-0||username='' AND password=''

I understand everything except the -0 part.

mac_gyver Posted May 5, 2013

By subtracting a zero, the value is converted to a number.

oaass Posted May 5, 2013

So why is it that this actually works? What is it that it actually compared the first username against?

mac_gyver Posted May 5, 2013

It causes the username column to be treated as a number, and any username that doesn't start with a numerical character will be a zero value and will be matched.

oaass Posted May 5, 2013

Thanks mac_gyver! Really helped me understand what was going on.

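
The coercion described in the answers above, as an added example that is not part of the original thread: a MySQL script that shows the numeric comparison and then the same input passed as a bound parameter. It assumes the default SQL mode (so `||` means OR); the `users` table, its rows and the statement name `login` are constructed for illustration.

```sql
-- Constructed sample data; column names follow the query in the thread.
CREATE TEMPORARY TABLE users (
  username VARCHAR(32) NOT NULL,
  password VARCHAR(64) NOT NULL
);
INSERT INTO users (username, password) VALUES
  ('admin',   'constructed-hash-1'),
  ('alice',   'constructed-hash-2'),
  ('1337bob', 'constructed-hash-3');

-- 1. The arithmetic operator converts both operands to numbers,
--    so the expression ''-0 is a number, not a string.
SELECT ''-0 AS coerced;

-- 2. Comparing a string column with a number converts each username to a
--    number: a leading numeric prefix is used, any other string becomes 0.
SELECT username,
       username + 0 AS as_number,
       username = 0 AS equals_zero
FROM users;

-- 3. The query from the thread, run against the sample table.
--    AND binds tighter than ||, so the WHERE clause is evaluated as
--    (username = (''-0)) OR (username = '' AND password = '').
SELECT username
FROM users
WHERE username=''-0||username='' AND password='';

-- 4. The same text supplied as a bound parameter. The value is compared
--    as a string and is never parsed as part of the SQL statement.
PREPARE login FROM
  'SELECT username FROM users WHERE username = ? AND password = ?';
SET @u = '''-0||username=''', @p = '';
EXECUTE login USING @u, @p;
DEALLOCATE PREPARE login;
```

In application code the equivalent of step 4 is a prepared statement with placeholders (for example through PDO or mysqli in PHP) instead of concatenating the submitted username into the query string.
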
This topic is now archived and is closed to further replies.