OWASP Security Shepherd Project - SQL Injection 4 (Injection Challenge)

Challenge



Solution

     The challenge asks us to log in as administrator.
As a first step, let's try admin'or'a'>'a';-- - in the UserName / Password field ->
No luck this time.

     After trying the double quote (") and other payloads I know, it seems that the application is not vulnerable.

     Let's step back and think about the query itself. Let's guess the query is [SELECT * FROM users WHERE username='UserName(our_input)' AND password='Password(our_input)'].

     What if we use a backslash (\) to escape the closing apostrophe (') of the username? The query then becomes =>  [WHERE username='\' AND password=' or 1=1;-- -'], where the escaped apostrophe is an ordinary character inside the string, so the username literal runs on until the apostrophe that was meant to open the password, and the rest of the password input is parsed as SQL.
     Cool! We have some progress now!

     What we need to do next is find a way to select the administrator.
Before extracting the administrator, let's see why our ' or 1=1;-- - payload did not work.
Input admin' or 1=1\ in the UserName field.
     Based on the error message, we can see that the apostrophe (') is removed by the application.
Now we know why the classic payload was not working.

     Let's assume the administrator user has username = admin.
Input \ for UserName and  or username="admin";-- - for Password to see whether our guess is correct.

     Great! This concludes our SQL Injection 4 Challenge.
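To make the mechanism concrete from the defender's side, here is an added example (not code from Security Shepherd or from this write-up) that re-implements the guessed login query with a hypothetical sanitizer that only strips apostrophes, a small scanner that models MySQL's default string-literal rules (both ' and " delimit literals, backslash escapes the next character, "-- " starts a comment) to show which parts of the assembled query end up outside the string literals, and the hardened alternative: a parameterized query, run here against a constructed in-memory SQLite table. The table contents and the sanitizer are assumptions for the demo.

```python
"""Why stripping apostrophes does not stop SQL injection, and what does.

Hypothetical re-implementation of the challenge's login query for
illustration; not Security Shepherd's own code.
"""
import sqlite3


def strip_single_quotes(value: str) -> str:
    """Assumed sanitizer: removes every apostrophe and nothing else."""
    return value.replace("'", "")


def build_vulnerable_query(username: str, password: str) -> str:
    """String-concatenated login query in the shape the write-up guesses."""
    return (
        "SELECT * FROM users WHERE username='"
        + strip_single_quotes(username)
        + "' AND password='"
        + strip_single_quotes(password)
        + "'"
    )


def sql_outside_literals(sql: str) -> str:
    """Return the parts of `sql` that MySQL would parse as SQL rather than as
    string content.  Models MySQL's default rules: ' and " both delimit
    literals, a backslash inside a literal escapes the next character, and
    '-- ' starts a comment that runs to end of line.  (SQLite does not treat
    backslash as an escape, which is why this is modelled instead of run.)"""
    out = []
    quote = None  # delimiter of the literal we are currently inside, if any
    i = 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\":
                i += 2  # escaped character stays part of the literal
                continue
            if ch == quote:
                quote = None
            i += 1
            continue
        if ch in ("'", '"'):
            quote = ch
            i += 1
            continue
        if sql.startswith("-- ", i):
            break  # remainder of the line is a comment
        out.append(ch)
        i += 1
    return "".join(out)


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the parameterized lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "placeholder-admin-pw"), ("guest", "guest")],
    )
    return conn


def login_parameterized(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form: the driver binds the values, so no part of the input is
    ever parsed as SQL.  Returns the matched username or None."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    classic = build_vulnerable_query("admin' or 1=1;-- -", "x")
    print("classic payload, live SQL:", sql_outside_literals(classic))
    escaped = build_vulnerable_query("\\", ' or username="admin";-- -')
    print("backslash payload, live SQL:", sql_outside_literals(escaped))
    conn = make_demo_db()
    print("parameterized, backslash payload ->",
          login_parameterized(conn, "\\", ' or username="admin";-- -'))
    print("parameterized, real credentials ->",
          login_parameterized(conn, "guest", "guest"))
```

The first query shows the apostrophe filter doing its job: the classic payload stays inside the username literal. The second shows the filter's blind spot: with the apostrophe escaped, the condition in the password field lands outside every literal and is live SQL. The parameterized lookup returns None for that same input and only matches real credentials, which is the fix the filter was standing in for.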

     P.S. We could also use sqlmap to extract all the columns of this application : )

Reference 

What does \ (backslash) mean in an SQL query?  : https://stackoverflow.com/questions/15214509/what-does-backslash-mean-in-an-sql-query

