Prerequsite Knowledge

Before you dive into this section, it is recommended you read the explanation of SQL Injection first if this is your first time learning SQL injection.

How to do SQL injection without returning true?

The fourth challenge server is even more secure than before. The website admin has finally decided to ban all SQL commenting characters and OR in the input fields. Because of that, we are no longer allowed to use OR to attach on more arguments that return true to override the other arguments. Instead of adding on true arguments, we are going to use UNION to combine queries. Remember how I previously mentioned that the username password input created a query? We can use UNION to combine the results from that query with another query that we created to match a user we want to impersonate.

With an empty username and the password ' UNION SELECT * FROM logins WHERE username = 'u5ername, the query turns into:

SELECT * FROM logins WHERE username = '' AND password = '' UNION SELECT * FROM logins WHERE username = 'u5ername'

There are two combined queries in the above query. The first query searches for a username with the username '' and password '', which should return absolutely no users. The second query finds the user 'u5ername'. Because the word UNION combines the two results into one, the combine queries will return the user 'u5ername' without us knowing the password.