> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/sqli/web-sqli-authentication-bypass.md).

# Authentication Bypass

## Manual SQL Injection Authentication Bypass

Attempt authentication bypass by injecting a SQL comment into the username field. The goal is to make the SQL query's `WHERE` clause evaluate to true, ignoring the password check.

The original query structure might resemble:

```sql
SELECT * FROM users WHERE username = '<username>' AND password = '<password>';
```

Input a payload like the following into the username field:

```sql
' OR 1=1 -- -
```

This payload closes the original username string (`'`), adds an `OR` condition that is always true (`1=1`), and then uses the comment syntax (`-- -`) to discard the rest of the original query (including the password check). When this payload is used in the username field, the query could become:

```sql
SELECT * FROM users WHERE username = '' OR 1=1 --' AND password = '<password>';
```

Because the `--` comments out the rest of the line, the password check is ignored, and the `WHERE` clause becomes `username = '' OR 1=1`, which is always true.

Another variation of this payload is:

```sql
' OR '1'='1
```

This results in a query structure like:

```sql
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '<password>';
```

Since `'1'='1'` is always true, the `WHERE` clause evaluates to true, allowing access.

Adapt the comment syntax (`--` , `#`) based on the backend database type if `-- -` (with a space after `--`) doesn't work. For instance, `--` is commonly used in MySQL and SQL Server, while `#` is also used in MySQL for comments. Using `' OR 1=1 --` in the username field with any password is a classic authentication bypass technique.

***

## Sqlite Alternate Comment Bypass

When facing SQL injection where the standard `--` comment syntax is filtered, try using the `/* ... */` block comment syntax to comment out the remainder of the query. To bypass checks following your input, inject the comment start:

```sql
admin' /*
```

This transforms a query structure like `SELECT * FROM users WHERE username='input' AND password='pass'` into `SELECT * FROM users WHERE username='admin' /* AND password='pass'`, effectively commenting out the password check if the username 'admin' exists.

SQL databases support various comment syntaxes that can be leveraged in injection attacks to ignore the rest of the original query after the injected code. Common comment types include:

* Inline comments starting with `--`
* Inline comments starting with `#` (especially in MySQL)
* Block comments enclosed by `/*` and `*/`

Attackers can use these comments to truncate a query, preventing subsequent parts of the original query from being executed. For instance, if a query is structured as `SELECT * FROM users WHERE username = '...' AND password = '...'`, injecting `' OR '1'='1` followed by a comment character can make the rest of the query (like the password check) ignored.

Examples of using comments to truncate a query:

```sql
' OR 1=1--
```

```sql
' OR 1=1#
```

```sql
' OR 1=1/*
```

Injecting `' OR '1'='1` followed by `--` or `#` comments out the rest of the line. Similarly, injecting `' OR '1'='1` followed by `/*` comments out the rest of the query block.

Specifically, when `--` or `#` are blocked, the block comment `/*` can be used. For example, injecting `admin'/*` into a username field in a query like `SELECT * FROM users WHERE username = '...' AND password = '...'` results in `SELECT * FROM users WHERE username = 'admin'/*' AND password = '...'`. The `/*'` effectively comments out the rest of the query, including the password check. The final `*/` is often not needed if the injected comment is the last part of the input string and the database doesn't require the block comment to be closed at the end of the statement.

Another example using the block comment to bypass subsequent checks:

```sql
SELECT * FROM users WHERE username = 'admin' /*' AND password = ''*/;
```

Here, the injected `/*' AND password = ''*/` comments out the original password check `AND password = ''`, potentially allowing login with just the correct username.

***

## Sqlite Union Select Authentication Bypass

Use a `UNION SELECT` query to bypass authentication by directly selecting data, typically the administrator's row, from the user table. In SQLite, `/**/` comments can often be used as replacements for spaces to bypass simple filters. `LIMIT 1` is frequently added to fetch only the first row returned, which is often the administrator's entry.

```sql
sobatista'/**/UNION/**/SELECT/**/*/**/FROM/**/users/**/LIMIT/**/1;
```

This command, when injected into a login field expecting a username like `sobatista`, attempts to combine the query result with the first row from the `users` table. If successful and the application checks for a valid user row, it might authenticate the attacker as the fetched user (e.g., admin).

Another common approach with `UNION SELECT` is to specifically target the `username` and `password` columns from the user table. This requires knowing the column names and potentially using `null` values to match the number of columns in the original query.

```sql
' UNION SELECT null,username,password,null FROM users LIMIT 1--
```

This payload attempts to select the `username` and `password` columns from the `users` table. The `null` values are used as placeholders for other columns in the original query to ensure the column count matches, which is a requirement for `UNION` queries. The `--` at the end is a common way to comment out the rest of the original query. The `LIMIT 1` clause ensures only the first row is returned, often targeting the administrative user.
