how do I allow sql injections?


Guest
Posted on 23-03-08 18:31
Hi all

Making a quick simple login script to demo SQL injections, but seem to have made it too well! I can run valid queries and get a result, but when I try injections I get syntax errors. Here is the code I'm using:

(WTF with the scrolling?? nvm...)
Code

<?php
// Deliberately vulnerable login demo: user input is concatenated into the query.
// Uses the legacy mysql_* extension (removed in PHP 7.0).
include("connection.php");

$query  = '';
$result = false;

// Only run the query once both fields have been submitted.
if (isset($_GET['username']) && isset($_GET['password'])) {
    $username = $_GET['username'];
    $password = $_GET['password'];
    $query = "SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'";
    $query = stripslashes($query);
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
}

mysql_close($conn);
?>

<HTML>
<head><title>Welcome to a vulnerable site!</title></head>
<body>
<p>Welcome to an SQL injection challenge</p>
<ul>
<li>Get the admin password (10 points)</li>
<li>Add a new user to the database (10 points)</li>
</ul>
<p>Here's the login:</p>
<form action=index.php method=GET>
Username:
<input type=text name=username><br><br>
Password:
<input type=text name=password><br><br>
<input type=submit value="Submit">
</form>

<br><h4>Request:</h4>
<?php
// Escape for HTML so the echoed query cannot inject markup into the page.
echo "Query: ".htmlspecialchars($query)."\n";
?>

<br><h4>Result:</h4>
<?php
if ($result && mysql_num_rows($result) > 0) {
    $row = mysql_fetch_row($result);
    //echo "Login found!";
    echo "ID: ".htmlspecialchars($row[0])."<br>";
    echo "Username: ".htmlspecialchars($row[1])."<br>";
    echo "Password: ".htmlspecialchars($row[2])."<br>";
}
else {
    echo "No match from DB";
}
// Free the result set only if a query was actually run.
if ($result) {
    mysql_free_result($result);
}
?>
</body>
</HTML>




Sorry for the long post! (BTW I'm using GET instead of POST cos it's a tutorial :p)

Cheers




Edited by on 23-03-08 18:33
RE: how do I allow sql injections?

webspider
Posts: 51
Location: Germany
Joined: 21.12.06
Rank:
Newbie
Posted on 23-03-08 18:57
Look whether magic quotes are switched on. Just use
Code

<?php
   phpinfo()
?>




for that and search for something like "magic_quotes_gpc" and other options which start with "magic_quotes" in the output of the script.

edit:
This code
Code

<?php
if (get_magic_quotes_gpc()==1) {
echo ( "Magic quotes gpc is on" );
} else {
echo ( "Magic quotes gpc is off" );
}
?>



should also do it.

Edited by webspider on 23-03-08 18:59
As my Email Address http://www.python.com
RE: how do I allow sql injections?

Guest
Posted on 23-03-08 23:13
Ok it is on, should it be on or off?



RE: how do I allow sql injections?

Guest
Posted on 24-03-08 00:08
Cheers all, read and learnt about magic quotes, now they're off and it's still not working! However, I can input
Code
password=OR 1=1--


and it's fine, doesn't inject obviously but works. As soon as I put the single quote in front, mysql has a period and errors. :whoa:

It says the SQL syntax is wrong, and as it's not in the query, I'm going to take a close look at what index.php adds after the query, I think that's the problem.

Thanks!


RE: how do I allow sql injections?

Guest
Posted on 24-03-08 00:24
OK so I got my admin password, but in a weird way. I had to leave off the end ', it seems the -- at the end does not end the sql query, config error again?

appreciate the help guys


RE: how do I allow sql injections?

webspider
Posts: 51
Location: Germany
Joined: 21.12.06
Rank:
Newbie
Posted on 24-03-08 19:30
Look at what exactly you have on your server: MySQL, SQL Server, Sybase, Oracle, PostgreSQL, ..., or something else. Do this with phpinfo() or look it up on your hosting site.
Once you've found out, read the help file; it should say whether some special protections are on, what commands can be used and many other things.
Then take some pencil and paper and look at the piece of PHP and SQL code which is used for the login. Test how different attacks would change the query and find out that way which one is right.
As my Email Address http://www.python.com
RE: how do I allow sql injections?

Guest
Posted on 24-03-08 21:18
Spot-on advice webspider, it might interest people to know that in MySQL v5.0 you need at least one space, newline or tab after the -- to make it a comment.


RE: how do I allow sql injections?

webspider
Posts: 51
Location: Germany
Joined: 21.12.06
Rank:
Newbie
Posted on 25-03-08 18:47
jjbutler88 wrote:
Spot-on advice webspider, it might interest people to know that in MySQL v5.0 you need at least one space, newline or tab after the -- to make it a comment.

Lol, never thought of something like that in a non-simulated SQL injection challenge.
OK, sounds like you have managed to get it all right with comments and other stuff. But when there are too many problems or you don't have the version of SQL on the box you need, then the last way is to simulate a database.
For example I would set up a parsing script, which turns everything from the user and pass fields into uppercase and then examines the output for common attack vectors. This is a little bit harder, but that way you can exactly control what the users are doing and no one hacks your real database ;)

edit:
I think that's the way HTS, HBH and every other hacking related site do it. And they have good reasons to do it that way. It's maybe not as realistic as another system, but it's more secure for your webserver.

Edited by webspider on 25-03-08 18:49
As my Email Address http://www.python.com
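The simulated-database approach from the post above, sketched as an added example (not code from the thread or from any of the sites mentioned): it builds the lab's query string, applies MySQL's rule that `--` starts a comment only when followed by whitespace or a control character, and reports a verdict without touching a database. The function names, the sample account and the verdict strings are hypothetical.

```php
<?php
// Added example: simulated login challenge; no database is ever queried.
function build_query(string $user, string $pass): string {
    // Same concatenation and stripslashes() call as the lab page.
    return stripslashes("SELECT * FROM users WHERE username = '" . $user
        . "' AND password = '" . $pass . "'");
}

// Reduce a query to the structure MySQL would see: string literals become
// "?", and "#" or "--" + whitespace/control char starts a comment. Returns
// null for an unterminated literal. /* */ comments are not modelled.
function mysql_skeleton(string $sql): ?string {
    $out = '';
    for ($i = 0, $n = strlen($sql); $i < $n; $i++) {
        $c = $sql[$i];
        if ($c === "'") {                                   // consume literal
            for ($i++; ; $i++) {
                if ($i >= $n) return null;                  // never closed
                if ($sql[$i] === '\\') { $i++; continue; }  // backslash escape
                if ($sql[$i] !== "'") continue;
                if ($i + 1 < $n && $sql[$i + 1] === "'") { $i++; continue; }
                break;                                      // closing quote
            }
            $out .= '?';
            continue;
        }
        // Assumption: "--" at the very end of input counts as a comment.
        $next = $i + 2 < $n ? $sql[$i + 2] : ' ';
        $dashes = substr($sql, $i, 2) === '--' && (ctype_space($next) || ctype_cntrl($next));
        if ($c === '#' || $dashes) break;
        $out .= $c;
    }
    return strtoupper(trim(preg_replace('/\s+/', ' ', $out)));
}

function simulate_login(string $user, string $pass): string {
    $accounts = ['guest' => 'guest'];            // constructed sample account
    $skeleton = mysql_skeleton(build_query($user, $pass));
    if ($skeleton === null) return 'syntax error';
    if ($skeleton === 'SELECT * FROM USERS WHERE USERNAME = ? AND PASSWORD = ?') {
        return ($accounts[$user] ?? null) === $pass ? 'login ok' : 'no match';
    }
    // Structure changed: the challenge only accepts a numeric tautology.
    return preg_match('/\bOR\s+(\d+)\s*=\s*\1\b/', $skeleton) ? 'challenge solved' : 'not recognised';
}

// Constructed inputs: a normal login, then "--" with and without the space.
foreach ([['guest', 'guest'], ['x', "' OR 1=1-- "], ['x', "' OR 1=1--"]] as [$u, $p]) {
    echo str_pad($p, 14), simulate_login($u, $p), "\n";
}
```

The input without the trailing space leaves the template's closing quote unbalanced, which is the syntax error reported earlier in the thread.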
RE: how do I allow sql injections?

Guest
Posted on 25-03-08 18:54
Yeah, luckily for me I'm running it on an XAMPP install so it's off a USB, everyone gets their own copy of the database so you can simulate adding a user, deleting tables etc. Although I am aware that for sites like HBH and HTS, you need to simulate it.