To practice SQL injection, a website penetration testing technique, I used Hack the Box.
In this example, I was tasked to log in to a website as the user “Tom” without being given the full username or the password on the login screen.
To accomplish this task, I performed an SQL injection where I inserted “tom' OR '1'='1 --” in the Username field and left the password field blank. Performing this injection allowed me to bypass the login screen and successfully gain access to the user “Tom.”
Below is an image of the successful login screen for user “Tom” after performing the SQL injection on the login screen.

I was also tasked to log in only as the user with the ID 5. To accomplish this task, I needed to conform to the correct syntax when importing my query. The query I used to bypass the login screen for the username field is “; OR id=5″ —“
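Why the first input gets past the login form, and the fix that stops it, as an added example that is not part of the original write-up or the Hack the Box lab. It assumes the login builds its query by string concatenation; the table, columns and rows are constructed, and the payload is the one above with its typographic quotes and dash written in plain ASCII.

```python
import sqlite3

# Username-field input from the write-up; the password field is left blank.
PAYLOAD = "tom' OR '1'='1 --"

def make_db():
    """Constructed sample data; table and column names are assumptions.
    Passwords are plain text only to keep the demo short; store hashes in practice."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO logins (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "constructed-pw-1"), (2, "tom", "constructed-pw-2")],
    )
    return db

def build_unsafe_sql(username, password):
    # Vulnerable pattern: user input is pasted into the SQL text, so a quote
    # in the input ends the string literal and the rest is parsed as SQL.
    return ("SELECT id, username FROM logins "
            f"WHERE username='{username}' AND password='{password}'")

def login_unsafe(db, username, password):
    return db.execute(build_unsafe_sql(username, password)).fetchone()

def login_parameterized(db, username, password):
    # Hardened pattern: placeholders keep the input as data. It is compared
    # as one whole string and is never parsed as SQL.
    return db.execute(
        "SELECT id, username FROM logins WHERE username=? AND password=?",
        (username, password),
    ).fetchone()

if __name__ == "__main__":
    db = make_db()
    # Shows how the input changed the WHERE clause: AND binds tighter than OR,
    # so the password test no longer applies to the username='tom' branch.
    print(build_unsafe_sql(PAYLOAD, ""))
    print("unsafe:       ", login_unsafe(db, PAYLOAD, ""))
    print("parameterized:", login_parameterized(db, PAYLOAD, ""))
    print("valid login:  ", login_parameterized(db, "tom", "constructed-pw-2"))
```

With the parameterized query, the same input matches no row because no user has that literal string as a username.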
