Find a password using SQL Injection

Work space:

Guess jake's password

From the previous page you should have gained access as jake however you still do not know jake's password. You can now find this out using a little trial and error. Before you continue try taking a guess at jake's password by entering jake as user name and your best guess at his password.

Work out jake's password

You can now get the system to answer questions about the password table. It will only ever answer yes (and let you in) or no (by refusing entry). Your questions must take the form of a valid SQL query. In each case use a xx for the user name and the text shown as password. You can ask questions such as:

Does jake's password have a w in it?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
Does jake's password start with w?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE 'w%') AND ''='
Does jake's password have an w followed by d?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%d%') AND ''='
Is the fourth letter of jake's password w?
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '___w%') AND ''='

This works because the LIKE command uses % and _ as wildcards. The % wildcard matches any string, the _ wildcard matches a single character.