本地服务器上的SQL注入

Question

I have a project for a course where I connect to a local server localhost:8080/website.php and execute SQL Injection. The server has an Account ID Number and Password field. When submitted the ID and Password values are input into the SQL statement: SELECT * FROM accounts WHERE id = (ID value) AND password = '(password value)' How would I exploit this and perform SQL Injection?

I have tried a few thing listed below.

' or 1=1 -- became SELECT * FROM accounts WHERE id = 12345 AND password = '' or 1=1 --' opens an account, its always the same account. How do I access a different account?

'; INSERT INTO accounts(id,password) values('12345','abc');-- '; INSERT INTO accounts(id,password) values('12345','abc');-- became SELECT * FROM accounts WHERE id = 12345 AND password = ''; INSERT INTO accounts(id,password) values('12345','abc');--' SELECT * FROM accounts WHERE id = 12345 AND password = ''; INSERT INTO accounts(id,password) values('12345','abc');--' This gives a sql error

How do I log into any account without knowing an id, the ' or 1=1 -- logs into the same account no matter what I put for the ID. Also how do I create my own account in the database?

Answer 1

You can send a value to invalidate the where and make always true the result. This will give you access to the system without knowing the password.

'or 1=1 --

Mike after I run your statement in sql I got this.