Home > Back-end >  Pretty much same SQL commands, but different injection Payloads! WHY?
Pretty much same SQL commands, but different injection Payloads! WHY?

Time:07-24

OWASP Juice Shop:

SELECT * FROM Users WHERE email = '' AND password = '' AND deletedAt IS NULL

Payload:

' OR 1=1;--

OWASP Mutillidae II:

SELECT * FROM accounts WHERE username='' AND password=''

Payload:

' OR 1=1 --

I really don't understand. There is not much of a difference in commands, but Juice Shop payload won't work in Mutillidae. It works Vice Versa.

Furthermore in Mutillidae, we have to enter payload in both username and password fields (same payload), however in JuiceShop entering random thing in Password would work.

Someone please explain WHY?

Please I really need to understand this concept before moving on.

CodePudding user response:

I posted this as a comment but was the answer - so posting below

It is possible that you need a space at the end. I've read that some database comments require a whitespace after the comment indicators, whereas some others don't e.g., OR 1=1;-- may not work on all, but OR 1=1;-- should work. I'd usually put a whitespace before the -- as well, but probably isn't necessary.

  • Related