 

SQL injection boolean syntax

I am not understanding the SQL syntax problems I'm getting while launching an injection attack, so any help explaining them is much appreciated. I have a target PHP login script that takes a username/password combo and then very simply runs:

 Select * FROM users WHERE username='$username' AND password='$password'

When I supply the basic

 $username = ' OR '1=1
 $password = ' OR '1=1

the system logs me in as admin because it evaluates to

 Select * FROM users WHERE username='' OR '1=1' AND password='' OR '1=1'

and gets a match for the first user entry in the database (admin). Now I'm trying to get the script to log me in as an arbitrary user named adrian. My thought was to supply

 $username = adrian
 $password = ' OR (1=1 AND username='adrian') -- 

which I thought would evaluate to

 Select * FROM users WHERE username='adrian' AND password='' OR (1=1 AND username='adrian') -- '

I thought the boolean order of operations was left to right when no parentheses are included:

 Select * FROM users WHERE [[[username='adrian'] AND password=''] OR (1=1 AND username='adrian')] -- '

but this is not logging me in as anyone (and giving me no errors). Even if ANDs are evaluated last, this statement would evaluate to

 Select * FROM users WHERE [username='adrian'] AND [password='' OR (1=1 AND username='adrian')]

Which would still be true for the user adrian. Meanwhile

 $username = adrian
 $password = 'or(1=1 and username='adrian') --

is logging me in as adrian properly, which evaluates to

 Select * FROM users WHERE username='adrian' AND password=''or(1=1 AND username='adrian') -- '

So why does my approach with "OR" not work while my approach with 'or' does work?

SOLVED: Thank you for the guidance. I understand SQL better now, but my real problem was that autofill was removing spaces after the "--". I must've messed up the first time and then foolishly relied on autofill from then on out.

Kdawg asked Oct 19 '22 05:10


1 Answer

The order of operations is not only left to right. In fact, left to right (or positional precedence) is the very last thing considered when evaluating an expression like this. You have to understand operator precedence as well, as this is the most important aspect in determining the behavior of such a statement. In this case AND has higher precedence than OR.

That means your statement would behave as follows:

Select * FROM users WHERE (username='adrian' AND password='') OR (1=1 AND username='adrian')

So, you would get a row returned as long as there was a user named adrian.

Check out the MySQL documentation on operator precedence - https://dev.mysql.com/doc/refman/5.6/en/operator-precedence.html

Mike Brant answered Nov 10 '22 00:11
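To check the precedence claim in the answer against a real engine, here is an added example (not code from the question or the answer) that rebuilds the login query with Python's sqlite3 on a constructed two-user table and compares the string-built query with a parameterized one. SQLite stands in for MySQL here; note that it does not require the trailing space after `--` that the asker's MySQL setup did.

```python
import sqlite3

INJECTED_PASSWORD = "' OR (1=1 AND username='adrian') -- "


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("adrian", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """String concatenation, exactly the shape of the script in the question."""
    sql = f"SELECT username FROM users WHERE username='{username}' AND password='{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    """Hardened form: values travel as bound parameters, never as SQL text."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def precedence_probe(conn) -> dict:
    """Distinguish the two readings of the injected WHERE clause.

    AND binds tighter than OR, so the clause parses as
      (username=X AND password='') OR (1=1 AND username='adrian')
    and adrian's row comes back whatever X is.  Under the other reading,
      username=X AND (password='' OR (1=1 AND username='adrian'))
    a username that does not exist would return nothing.
    """
    return {
        "username_adrian": login_vulnerable(conn, "adrian", INJECTED_PASSWORD),
        "username_nobody": login_vulnerable(conn, "nobody", INJECTED_PASSWORD),
        "parameterized": login_parameterized(conn, "adrian", INJECTED_PASSWORD),
    }


if __name__ == "__main__":
    db = make_db()
    for name, rows in precedence_probe(db).items():
        print(f"{name}: {rows}")
```

Running the probe shows `username_nobody` still returning adrian, which is only possible if the OR sits at the top level of the expression; the parameterized login returns no row because the payload is compared as a literal password string.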