Objective#

To demonstrate and test the effectiveness of Tautology-Based SQL Injection in extracting data from a vulnerable database by manipulating SQL queries to always evaluate as true.

Setup#

Tautology Based Injection#

Using logical operations that always return true to manipulate query logic.

1
SELECT * FROM users WHERE username='anything' OR '1'='1';

This injection uses a tautology ('1'='1' is always true) to bypass authentication logic and can potentially retrieve user records.

System query

1
SELECT * FROM students WHERE email = 'useremail' AND password = 'password';

Attacker’s input

Resulting query

1
SELECT * FROM students WHERE email = 'xxxxxx' AND password = '' OR '1'='1';

Task1: Connect to the Wireless Access Point/Router#

1. Connect to the Wireless Access Point/ Router as provided by the instructor (WiFi Name & Password will be provided)
2. Open your browser and enter the IP address (will be provided by the instructor) of the Webserver PC in your browser and hit “Enter”
3. Access the demo web application interface

Task2: Perform a Tautology Based SQL Injection to Extract Data (Retrieve all registered students – friends) from the university portal#

Avoiding Tautology Based SQL Injection#

Avoiding Tautology Based SQL Injection#

dash_b

1
$sql_searchlist = "SELECT * FROM students WHERE Student_Name LIKE '%$std_name%'";
2
// SQL injection prone
3
$result_searchlist = $conn->query($sql_searchlist);
4
if ($result_searchlist->num_rows > 0)
5
{

dash_n

1
$sql_searchlist = "SELECT * FROM students WHERE Student_Name LIKE CONCAT('%', ?, '%')";
2
// Prepare a parameterized SQL statement
3
$sql_searchlist = $conn->prepare($sql_searchlist);
4

5
// Bind the user input to the prepared statement
6
$sql_searchlist->bind_param("s", $std_name);
7

8
// Execute the prepared statement
9
$sql_searchlist->execute();
10

11
// Retrieve the results
12
$result_searchlist = $sql_searchlist->get_result();
13
if ($result_searchlist->num_rows > 0)
14
{