| Author |
how do I allow sql injections? |
jjbutler88
Colemak User

Posts: 590
Location:
Joined: 22.04.07 Rank: Guru |
|
Hi all
Making a quick simple login script to demo SQL injections, but I seem to have made it too well! I can run valid queries and get a result, but when I try injections I get syntax errors. Here is the code I'm using:
(WTF with the scrolling?? nvm...)
<?php
include("connection.php"); // assumed to open the MySQL link as $conn
$query  = "";
$result = false;
if(isset($_GET['username']) && isset($_GET['password'])) {
    $username = $_GET['username'];
    $password = $_GET['password'];
    // Deliberately built by string concatenation: this is the injectable query the demo is about
    $query = "SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'";
    // Removes any backslashes magic_quotes_gpc added to the GET values (canonical spelling is stripslashes)
    $query = stripslashes($query);
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
}
mysql_close($conn);
?>
<HTML>
<head><title>Welcome to a vulnerable site!</title></head>
<body>
<p>Welcome to an SQL injection challenge</p>
<ul>
<li>Get the admin password (10 points)</li>
<li>Add a new user to the database (10 points)</li>
</ul>
<p>Here's the login:</p>
<form action=index.php method=GET>
Username:
<input type=text name=username><br><br>
Password:
<input type=text name=password><br><br>
<input type=submit value="Submit">
<br><h4>Request:</h4>
<?php echo "Query: ".$query."\n";?>
<br><h4>Result:</h4>
<?php
if($result && mysql_num_rows($result) > 0) {
    $row = mysql_fetch_row($result);
    //echo "Login found!";
    echo "ID: ".$row[0]."<br>";
    echo "Username: ".$row[1]."<br>";
    echo "Password: ".$row[2]."<br>";
}
else {
    echo "No match from DB";
}
if($result) {
    mysql_free_result($result);
}
?>
</body>
</HTML>
Sorry for the long post! (BTW I'm using GET instead of POST because it's a tutorial :p)
Cheers
Edited by jjbutler88 on 23-03-08 18:33 |
|
| Author |
RE: how do I allow sql injections? |
webspider
Member
Posts: 51
Location: Germany
Joined: 21.12.06 Rank: God |
|
Look whether magic quotes are switched on. Just use
<?php
phpinfo();
?>
for that and search for something like "magic_quotes_gpc" and other options which start with "magic_quotes" in the output of the script.
edit:
This code
<?php
if (get_magic_quotes_gpc()==1) {
echo ( "Magic quotes gpc is on" );
} else {
echo ( "Magic quotes gpc is off" );
}
?>
should also do it.
Edited by webspider on 23-03-08 18:59 |
|
| Author |
RE: how do I allow sql injections? |
jjbutler88
Colemak User

Posts: 590
Location:
Joined: 22.04.07 Rank: Guru |
|
OK, it is on; should it be on or off?
|
|
| Author |
RE: how do I allow sql injections? |
jjbutler88
Colemak User

Posts: 590
Location:
Joined: 22.04.07 Rank: Guru |
|
Cheers all, read and learnt about magic quotes, now they're off and it's still not working! However, I can input
password=OR 1=1-- and it's fine, doesn't inject obviously but works. As soon as I put the single quote in front, MySQL has a period and errors. :whoa:
It says the SQL syntax is wrong, and as it's not in the query, I'm going to take a close look at what index.php adds after the query, I think that's the problem.
Thanks!
|
|
| Author |
RE: how do I allow sql injections? |
jjbutler88
Colemak User

Posts: 590
Location:
Joined: 22.04.07 Rank: Guru |
|
OK so I got my admin password, but in a weird way. I had to leave off the end ', it seems the -- at the end does not end the SQL query, config error again?
appreciate the help guys
|
|
| Author |
RE: how do I allow sql injections? |
webspider
Member
Posts: 51
Location: Germany
Joined: 21.12.06 Rank: God |
|
Look at what exactly you have on your server: MySQL, SQL Server, Sybase, Oracle, PostgreSQL, ..., or something else. Do this with phpinfo() or look it up on your hosting site.
Once you've found that out, read the help file; it should say whether some special protections are on, what commands can be used and many other things.
Then take pencil and paper and look at the piece of PHP and SQL code which is used for the login. Test how different attacks would change the query and find out that way which one is right.
|
|
| Author |
RE: how do I allow sql injections? |
jjbutler88
Colemak User

Posts: 590
Location:
Joined: 22.04.07 Rank: Guru |
|
Spot on advice webspider, it might interest people to know that in MySQL v5.0 you need at least one space, newline or tab after the -- to make it a comment.
|
|
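The two obstacles this thread runs into, magic_quotes_gpc escaping the quote and MySQL refusing to treat `--` as a comment unless whitespace follows it, are easy to see without a database at all. The following is an added example, not code from the thread: it rebuilds the query string exactly as the PHP in the first post concatenates it (table and column names as posted), optionally applies PHP's addslashes() the way magic_quotes_gpc did and the stripslashes($query) call the original script made, then scans the result with a minimal MySQL-style lexer to see whether a string literal is left open (syntax error) and whether the attacker changed the query's structure. The lexer covers only single-quoted literals, `#` comments and `-- ` comments; `/* */` comments, double-quoted literals and `--` at the very end of input are assumptions left unmodelled, and all payloads are constructed for illustration.

```python
"""
Added example, not from the thread: rebuild the login query the posted PHP
sends and push a few payloads through magic_quotes_gpc and MySQL's '-- ' rule.
String handling only, no database; every input here is constructed.
"""
from typing import NamedTuple

# Characters MySQL accepts after '--' for it to count as a comment start.
WS_OR_CTRL = {chr(c) for c in range(0x21)} | {chr(0x7F)}
# Shape of the query when both values are plain literals ('…' stands for a literal).
BENIGN_SHAPE = "SELECT * FROM users WHERE username = '…' AND password = '…'"


def addslashes(value: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc applied to every GET/POST value."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
            .replace('"', '\\"').replace("\x00", "\\0"))


def stripslashes(value: str) -> str:
    """PHP stripslashes(): drop each backslash; '\\0' becomes NUL, '\\\\' one backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):
                out.append("\x00" if value[i + 1] == "0" else value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_query(username: str, password: str,
                magic_quotes: bool = False, strip_after: bool = False) -> str:
    """Same concatenation as the posted PHP; strip_after mirrors its stripslashes($query)."""
    if magic_quotes:
        username, password = addslashes(username), addslashes(password)
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return stripslashes(query) if strip_after else query


class Lexed(NamedTuple):
    code: str          # query outside literals, comment cut off, each literal shown as '…'
    open_string: bool  # end of input reached inside a literal: MySQL reports a syntax error


def lex_mysql(query: str) -> Lexed:
    """Minimal MySQL-style scan of a one-line query: single-quoted literals with
    backslash and '' escapes, '#' comments, and '--' comments that need a
    whitespace/control character after the dashes. Assumption: /* */ comments,
    double-quoted literals and '--' at end of input are not modelled."""
    code, i, n, in_str = [], 0, len(query), False
    while i < n:
        c = query[i]
        if in_str:
            if c == "\\":
                i += 2                               # escaped character stays in the literal
            elif c == "'" and i + 1 < n and query[i + 1] == "'":
                i += 2                               # doubled quote stays in the literal
            elif c == "'":
                in_str = False
                code.append("'…'")
                i += 1
            else:
                i += 1
            continue
        if c == "'":
            in_str = True
        elif c == "#" or (query.startswith("--", i) and i + 2 < n
                          and query[i + 2] in WS_OR_CTRL):
            break                                    # rest of the line is a comment
        else:
            code.append(c)
        i += 1
    return Lexed("".join(code), in_str)


def attempt(username: str, password: str,
            magic_quotes: bool = False, strip_after: bool = False) -> dict:
    """Report whether the query MySQL would see still parses and whether the
    attacker changed its structure (anything other than two plain literals)."""
    query = build_query(username, password, magic_quotes, strip_after)
    lexed = lex_mysql(query)
    return {"query": query, "effective_sql": lexed.code,
            "syntax_ok": not lexed.open_string,
            "injected": not lexed.open_string and lexed.code != BENIGN_SHAPE}


if __name__ == "__main__":
    for user, pw, kw in [
        ("admin", "x' OR 1=1--", {}),                       # no space after --: syntax error
        ("admin", "x' OR 1=1-- ", {}),                      # trailing space: comment works
        ("admin", "x' OR 1=1#", {}),                        # '#' needs no space (send as %23 in a URL)
        ("admin", "x' OR 1=1-- ", {"magic_quotes": True}),  # quote escaped: harmless literal
        ("admin", "x' OR 1=1-- ", {"magic_quotes": True, "strip_after": True}),  # escaping undone
        ("admin'-- ", "anything", {}),                      # comments out the password check
    ]:
        r = attempt(user, pw, **kw)
        print(f"{r['query']!r}\n  syntax_ok={r['syntax_ok']} injected={r['injected']}")
```

Two things fall out of running it. A `--` payload only works with a trailing space (or `#`, which needs no space but must be URL-encoded as %23 in a GET request, otherwise the browser treats it as a fragment and never sends it), which is the behaviour jjbutler88 reports above. And with magic_quotes_gpc on, the `stripslashes($query)` call in the original script strips the escaping right back out of the whole query, so the magic quotes setting was never what blocked the attack here.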
| Author |
RE: how do I allow sql injections? |
webspider
Member
Posts: 51
Location: Germany
Joined: 21.12.06 Rank: God |
|
|
jjbutler88 wrote:
Spot on advice webspider, it might interest people to know that in MySQL v5.0 you need at least one space, newline or tab after the -- to make it a comment.
Lol, never thought of something like that in a non-simulated SQL injection challenge.
OK, sounds like you have managed to get it all right with comments and other stuff. But when there are too many problems or you don't have the version of SQL on the box you need, then the last way is to simulate a database.
For example I would set up a parsing script which turns everything from the user and pass fields into uppercase and then examines the output for common attack vectors. This is a little bit harder, but that way you can control exactly what the users are doing and no one hacks your real database.
edit:
I think that's the way HTS, HBH and every other hacking related site do it. And they have good reasons to do it that way. It's maybe not as realistic as another system, but it's more secure for your webserver.
Edited by webspider on 25-03-08 18:49 |
|
| Author |
RE: how do I allow sql injections? |
jjbutler88
Colemak User

Posts: 590
Location:
Joined: 22.04.07 Rank: Guru |
|
Yeah, luckily for me I'm running it on an XAMPP install so it's off a USB stick; everyone gets their own copy of the database so you can simulate adding a user, deleting tables etc. Although I am aware that for sites like HBH and HTS, you need to simulate it.
|
|