But the comment seems wrong: it is not about parsing JSON (that would be bodyParser.json). The `extended: true` option makes urlencoded bodies go through the qs library, which supports passing arrays or even objects.
Like this:
username[] = ' or '1' = '1
password[] = ' or '1' = '1
So both username and password are arrays: ["' or '1' = '1'"]. Each of them coerces to the string ' or '1' = '1' when concatenated with another string.
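To make the parsing behaviour above concrete, here is an added example (not the challenge's source): a minimal stand-in for the qs `key[]` array syntax, a string-only quote filter of the kind the writeup describes (its exact form is an assumption), and a hardened check that rejects any field that is not a plain string.

```javascript
// Added example, not the challenge's code. Mimics the qs "extended" parsing that
// bodyParser.urlencoded({ extended: true }) uses, for the key[] array form only.
function parseExtended(body) {
  const out = {};
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = decode(i < 0 ? pair : pair.slice(0, i));
    const val = decode(i < 0 ? '' : pair.slice(i + 1));
    if (key.endsWith('[]')) {
      // "username[]" collects repeated values into an array, as qs does
      const base = key.slice(0, -2);
      (out[base] = out[base] || []).push(val);
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Assumed shape of the challenge's filter: a substring check that only works on
// strings. On an array, .includes() looks for an element equal to "'", so it
// returns false even though every element contains a quote.
function naiveHasQuote(value) {
  return value.includes("'");
}

// Why that matters: concatenation calls Array.prototype.toString, so the array
// collapses into its element and the quote lands inside the SQL text.
function vulnerableWhere(username) {
  return "username = '" + username + "'";
}

// Hardened input check: only plain strings are accepted, so type confusion
// from qs arrays/objects is stopped before any filtering or query building.
function isPlainString(value) {
  return typeof value === 'string';
}

// Hardened query construction: the value never touches the SQL text; it is
// handed to the driver as a bound parameter (mysql-style "?" placeholder).
function parameterizedWhere(username) {
  if (!isPlainString(username)) throw new TypeError('username must be a string');
  return { sql: 'username = ?', params: [username] };
}
```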
It's a simple login page:
source code:
We need to bypass the authentication with SQL injection, but the page filters single quotes. How can we get around that?
Actually, they already gave us a hint: