0

I have the following code on my website and want to login by using SQL Injection. I tried some codes for it but couldnt have a result.

$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";
$sql = mysql_query($query);

if( mysql_num_rows($sql) == 1 )
{
    $row = mysql_fetch_array($sql);
    $_SESSION['id'] = $row['id'];
}
else
{
    echo $query;
}

Here are the codes I tried. In the first one I tried from username:

I mark my injected part as comment to make it easier to understand.

Username entered: admin' or id=1 ; --

SELECT * FROM users WHERE username='admin' or id=1 ; -- ' AND password='0' LIMIT 1"

And also I tried to enter by pass. With this code: 0' or '1'='1

 SELECT * FROM users WHERE username='admin' AND password='0' or '1'='1' LIMIT 1"

What do I do wrong?

Levi Botelho
  • 24,626
  • 5
  • 61
  • 96
  • I'm no pen testing nor PHP expert, but would `' or 1=1;--` work? – Tom Apr 16 '14 at 15:09
  • It didnt :D I dont know just saw that a guy thid that. –  Apr 16 '14 at 15:12
  • @RaphaëlAlthaus I dont get any result for mysql_num_rows with it –  Apr 16 '14 at 15:14
  • There are automated testing tools like [SQLMap](http://sqlmap.org/) that know **all** the tricks and will give you a report on vulnerabilities. – tadman Apr 16 '14 at 15:34
  • What you are doing probably won't work as your hacked query will get any row where the username is 'admin' OR the id is 1. If admin has a different id than 1 then your query will bring back 2 rows, which would fail the check for the number of rows. – Kickstart Apr 16 '14 at 15:37

2 Answers2

1

You can just use this is in the Username parameter.

admin%27%20--%20

OR

admin%27%20OR%20%271

This will definitely break the above authentication.

if this authentication page is called as like this.

http://www.example.com/login.php

Using POST parameters username and password.(That is entered by a textfiled from an HTTP form or anything).

You can just fill the Username field with above two parameters.

The above mentioned parameters are just URL encoded.If it is decoded,it will resemble like this.

admin' --

OR

admin' OR '1

ShihabSoft
  • 835
  • 6
  • 15
  • Im not sure what you wanted to tell can you explain a bit? –  Apr 16 '14 at 15:15
  • Sorry for the missing explaination it will be explained in the Answer EDit – ShihabSoft Apr 16 '14 at 15:17
  • Are you assuming OP is typing everything in the URL ? – Denys Séguret Apr 16 '14 at 15:18
  • Then simpy mark it as an answer and **VOTEUP**.It will be great for me – ShihabSoft Apr 16 '14 at 15:25
  • Hey dystroy.The above php page is using POST parameters.That cannot be passed like the URL parameters as using like GET. – ShihabSoft Apr 16 '14 at 15:27
  • Its K.Please fill your details and achieve the AutoBiographer Badge. – ShihabSoft Apr 16 '14 at 15:34
  • @ShihabSoft I've tried your tips but it does not work for me.. Please have a try in [these](http://www.devlabs.altervista.org/login/) [free test pages](http://www.devlabs.it/dev.login/admin/adm_login.php) and explain me what have I exactly to do. Thanks in advance. –  Jul 08 '14 at 02:33
1

Let's say the table users contains 3 rows (BTW: a plaintext password?!? I sure hope not!!! See this for best practice):

 id | username    | password
  1   admin         letmein
  2   user3537391   Passw0rd
  3   Piskvor       123456

Each of the queries that you have managed to inject will now match every one of the rows, due to operator precedence:

SELECT * FROM users WHERE username='admin' AND password='0' or '1'='1' LIMIT 1

evaluates as

SELECT * FROM users WHERE (username='admin' AND password='0') or '1'='1' LIMIT 1

Note that the rightmost term will match any row. So, if( mysql_num_rows($sql) == 1 ) evaluates to if ( 3 == 1 ), which is if (false). Therefore, the application works, but only by accident.

(Why "by accident"? Let us try to craft a different injection: Entering 0' or username='admin would give us

SELECT * FROM users WHERE username='admin' AND password='0' or username='admin' LIMIT 1

The first term (username='admin' AND password='0') won't match, but the second one will match 1 row exactly, thereby granting passwordless access.)

How to fix this:

  • Ideally, use parametrized queries - see this question. mysql_query is deprecated and will be removed.

  • If you REALLY, REALLY don't want to fix your code, at the very least escape the inputs. THIS IS ONLY AN EMERGENCY STOPGAP MEASURE, NOT A REAL SOLUTION - YOU SHOULD NOT BE WRITING NEW CODE LIKE THIS:

    $username = mysql_real_escape_string($_POST['username']); $password = mysql_real_escape_string($_POST['password']);

Community
  • 1
  • 1
Piskvor left the building
  • 91,498
  • 46
  • 177
  • 222
  • Awesome thanks Its really funny to hack my website :D –  Apr 16 '14 at 15:28
  • Better you than someone else :) This is a vulnerability so basic, it will be tried against you many times per hour by automated scripts. – Piskvor left the building Apr 16 '14 at 15:30
  • thanks for the info about the escaping thing. i already know that. Just tring to test my skills in sqj injection. –  Apr 16 '14 at 15:34
  • 1
    Please do not advise people to "escape inputs". It's essentially misleading and injection prone. @user3537391 you should rather mention that you "already know parametrized thing", not escaping – Your Common Sense Apr 16 '14 at 15:37
  • @Your Common Sense: What? I have linked to a canonical source, suggested to use parametrized queries, and only then have I suggested a stopgap measure. Should I be denying its existence? – Piskvor left the building Apr 16 '14 at 15:43
  • The problem is, it is not a measure at all. whatever "escaping" has nothing to do with injections. Seriously, escaping should be never mentioned as a protection measure. – Your Common Sense Apr 16 '14 at 16:02
  • Okay, whatever. Use CS's library, it is the best, escaping doesn't exist. Happy now? – Piskvor left the building Apr 16 '14 at 20:54
  • @Piskvor I've tried your tips but it does not work for me.. Please have a try in [these](http://www.devlabs.altervista.org/login/) [free test pages](http://www.devlabs.it/dev.login/admin/adm_login.php) and explain me what have I exactly to do. Thanks in advance. –  Jul 08 '14 at 02:33
  • @Edward: No idea. What exactly do you mean by "does not work", how am I supposed to know without seeing your code? – Piskvor left the building Jul 08 '14 at 10:38