web javascript sql like-injection password-reset account-takeover

Abuse a WHERE username LIKE ? reset query with wildcards to match and reset the admin account.

Overly Permissive LIKE on Username during Password Reset

LIKE is pattern matching, not identity. Using it on a security principal field turns wildcards into account-selection ambiguity.

Why It Works

  • A reset query written as WHERE username LIKE ? still interprets % and _ inside the bound value as wildcards, so a pattern such as adm% selects the victim row instead of (or in addition to) the caller's own.

Vulnerable Pattern

  • Reset or lookup queries written as WHERE username LIKE ? instead of exact equality.

Exploit Flow

  1. Create or choose a username pattern that matches the victim but is still accepted as your input.
  2. Trigger the reset and observe which account receives the token or state change.

Variations

  • %, _, escaped wildcards, or usernames crafted during registration to collide later with admin patterns.

Common Blockers

  • The app escapes wildcards before binding, or performs an extra exact-match check in code.

PoC Sketch

# try reset inputs and watch whether the token is issued for the admin row:
adm%
_dmin
a%

Good Situations To Use It

  • Password reset uses LIKE on username.
  • Wildcards aren't escaped.
  • You can supply a pattern that selects admin.

Sources

  • plfanzen2026/web/thank_you_javascript