8

I have come across a CTF challenge that has a part with an SQL injection (MySQL DB). I have completed it, but I do not know why or how the injection works. The query in the PHP application would probably be like this:

SELECT * FROM users WHERE email = '[email protected]' AND password = md5('1234');

And the injection code I entered in the text field:

[email protected]' OR 1 = 1 LIMIT 1 -- ' ]

Would probably result in a query like this:

SELECT * FROM users WHERE email = '[email protected]' OR 1 = 1 LIMIT 1 -- ' ] AND password = md5('1234');

It doesn't work without the ], but I do not understand the use of ] here. Please explain it to me!

  • Is the ] necessary? The -- is an SQL comment, so theoretically nothing after that should matter anyway. Naively, I would expect this to work equally well without the ]. – Commented Mar 11, 2020 at 19:22
  • 1
    Is it to circumvent some very low-class validation? For example, a regex that filters out input that ends with the normal --. Are there any other characters that work in place of ]? – Commented Mar 11, 2020 at 19:42
  • 4
    So it doesn't work if you remove ], but does it work if you replace it with something else like a X?
    – Anders
    Commented Mar 11, 2020 at 20:20
  • It works even if I completely remove [email protected] and LIMIT 1. But it doesn't work without ]. – Commented Mar 12, 2020 at 1:18
  • 2
    ] is the delimiter for tokens-used-as-identifiers (that is, a table named [Table] or similar) and strict casing/whitespace in SQL Server. Perhaps the filter was intended to work for SQL Server? I can't check whether -- would be valid in a table name at the moment. – Commented Mar 12, 2020 at 6:23
