I am not understanding the sql syntax problems I'm getting while launching an injection attack, so any help explaining them is much appreciated. I have a target php login script that takes a username/password combo and then very simply runs.
Select * FROM users WHERE username='$username' AND password='$password'
When i supply the basic
$username = ' OR '1=1
$password = ' OR '1=1
the system logs me in as admin because it evaluates to
Select * FROM users WHERE username='' OR '1=1' AND password='' OR '1=1'
and gets a match for the first user entry in the database (admin). Now I'm trying to get the script to log me in as an arbitrary user named adrian. My thought was to supply
$username = adrian
$password = ' OR (1=1 AND username='adrian') --
which I thought would evaluate to
Select * FROM users WHERE username='adrian' AND password='' OR (1=1 AND username='adrian') -- '
I thought the boolean order of operations was left to right when no parentheses are included:
Select * FROM users WHERE [[[username='adrian'] AND password=''] OR (1=1 AND username='adrian')] -- '
but this is not logging me in as anyone (and giving me no errors). Even if AND's are evaluated last, this statement would evaluate to
Select * FROM users WHERE [username='adrian'] AND [password='' OR (1=1 AND username='adrian')]
Which would still be true for the user adrian. Meanwhile
$username = adrian
$password = 'or(1=1 and username='adrian') --
is logging me in as adrian properly, which evaluates to
Select * FROM users WHERE username='adrian' AND password=''or(1=1 AND username='adrian') -- '
So why does my approach with "OR" not work while my approach with 'or' does work?
SOLVED: Thank you for the guidance. I understand sql better now, but my real problem was that autofill was removing spaces after the "--" I must've messed up the first time and then foolishly relied on autofill from then on out
