I am learning SQL injection and I created a web application (PHP + MySQL 5.6) without protection against SQL injection.
In short, my web application uses
SELECT * FROM XXX.USER WHERE user_name='${USERNAME}' AND password='${PASSWORD}'
to handle the login (if this SQL returns exactly 1 row, then the login succeeds).
At first I found that with the input USERNAME Sayakiss' --, my SQL becomes:
SELECT * FROM XXX.USER WHERE user_name='Sayakiss'
Thus, an attacker can log in as Sayakiss without a password.
Then I found something more interesting (the SELECT statement may be placed inside an IF function): the attacker inputs USERNAME as
Sayakiss' and if((select ascii(mid(z,p,1)) from x.y limit n,1)=c,1,0)
This checks whether the ASCII code of the character at position p of the nth row of column z in table x.y is equal to c or not.
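Added example, not code from the question's own PHP application: the interpolated login query from the question beside a parameterised version of the same query, run against an in-memory SQLite table that stands in for XXX.USER (the table, rows and credentials are constructed for the demonstration; the comment marker and quoting behave the same way in MySQL).

```python
import sqlite3


def make_db():
    """Constructed sample data: a small user table standing in for XXX.USER.
    Passwords are stored in clear text only to mirror the question's schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (user_name TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("Sayakiss", "correct-horse"), ("alice", "hunter2")],
    )
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string interpolation, exactly like the
    '${USERNAME}' / '${PASSWORD}' template in the question.
    Returns True when exactly one row comes back (the question's login rule).
    A quote in the username ends the literal early, and '-- ' comments out
    the rest of the statement, so the password check disappears."""
    sql = "SELECT * FROM user WHERE user_name='%s' AND password='%s'" % (
        username,
        password,
    )
    rows = db.execute(sql).fetchall()
    return len(rows) == 1


def login_safe(db, username, password):
    """Same rule, but the values travel as bound parameters. The database
    parses the SQL text first and only then substitutes the values, so a
    quote or comment marker in the username is just part of the string
    being compared against user_name and never changes the query."""
    sql = "SELECT * FROM user WHERE user_name=? AND password=?"
    rows = db.execute(sql, (username, password)).fetchall()
    return len(rows) == 1


if __name__ == "__main__":
    db = make_db()
    payload = "Sayakiss' -- "
    print("interpolated query, no password:", login_vulnerable(db, payload, "wrong"))  # True
    print("parameterised query, no password:", login_safe(db, payload, "wrong"))     # False
    print("parameterised query, real creds:", login_safe(db, "Sayakiss", "correct-horse"))  # True
```

The same separation of SQL text from data is what PHP's PDO or mysqli prepared statements provide, which is the fix for the application in the question.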