HellBound Hackers | Computer General | Web hacking

SQL Injection
Author: Guest
Posted on 13-05-08 15:50
Hi,

I created a simple site on my own web server to test SQL injection tactics. The site contains only two pages, written in PHP. They are the following:

index.php:
<html>
<body>
<p><b>Please login.</b></p>
<form action='login.php' method='POST'>
Username: <input type='text' name='username'/><br/>
Password: <input type='password' name='password'/><br/>
<input type='submit' value='Login'/>
</form>
</body>
</html>

login.php:
<html>
<body>
<?php
// Raw form input is placed directly into the SQL string: this is the injection point.
$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT id FROM users WHERE username='$username' AND password='$password'";
echo "$query<br/>"; // printed so the final query text can be inspected

if (!mysql_connect("localhost", "test", "")) die(mysql_error());

if (!mysql_select_db("test")) die(mysql_error());

$res = mysql_query($query);
if (!$res) die(mysql_error());

// Any returned row counts as a valid login, whatever made the WHERE clause true.
$row = mysql_fetch_assoc($res);
if (!$row) die("Invalid login.");

$userid = $row['id'];

mysql_free_result($res);
mysql_close();
?>
Login successful. User id is <?=$userid?>.
</body>
</html>

Let's consider the case where the hacker enters "admin' #" as the user name. Then the resulting SQL query would look like this:

SELECT id FROM users WHERE username='admin' #'AND password=''

This would bypass the password altogether.

However, it does not work. I am getting the following as the resulting SQL query:

SELECT id FROM users WHERE username='admin\' #' AND password=''

So it seems that my server automatically escapes the text when ' is entered. Does this mean that in the latest Linux/Apache2/PHP/MySQL setup SQL injection is rendered impossible or do I misunderstand something? I have PHP version 5.2.4 with Apache 2.2.8.

Thank you.

- Henux


Edited by on 14-05-08 22:52
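The login above, rewritten as an added example (not the poster's code) so that it does not rely on magic_quotes_gpc: a mysqli prepared statement sends the username to MySQL as data rather than query text, and the password is checked against a stored hash. It assumes PHP 5.5 or later and a `users` table with `id`, `username` and `password_hash` columns.

```php
<html>
<body>
<?php
// Added example: login.php without dependence on magic_quotes_gpc.
// Assumes a users table with columns id, username, password_hash (constructed schema).

// If magic_quotes_gpc happens to be on (PHP < 5.4), undo its escaping so the value is
// the raw input; the database driver does the quoting correctly below.
function raw_post($key) {
    $value = isset($_POST[$key]) ? (string) $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

$username = raw_post('username');
$password = raw_post('password');

$db = new mysqli('localhost', 'test', '', 'test');
if ($db->connect_error) die('Database connection failed.');

// Prepared statement: the username is bound as a parameter, so input such as
// admin' # cannot change the structure of the WHERE clause.
$stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($userid, $hash);
$found = $stmt->fetch();
$stmt->close();
$db->close();

// Passwords are stored as hashes and compared in PHP, not by SQL string equality.
if (!$found || !password_verify($password, $hash)) die('Invalid login.');
?>
Login successful. User id is <?= htmlspecialchars((string) $userid) ?>.
</body>
</html>
```

The stored hashes are produced with password_hash() when the account is created; the query never sees the plaintext password at all.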
RE: SQL Injection
Author: clone4 (Member, rank Mad User, 586 posts, joined 25.11.07)
Posted on 13-05-08 16:01
Nope, it's just like that; Apache now has a default option of escaping ' or " whenever you POST something to the server.

BTW, I had the same problem when I was testing XSS on my server.

OK, look below this post, it's more useful. Grin. But what is the point of testing an exploit which is excluded in the default installation of the server? The challenge would be to bypass it. Grin.





Edited by clone4 on 13-05-08 16:04
RE: SQL Injection
Author: Guest
Posted on 13-05-08 16:03
You have magic_quotes_gpc set to 1. Try setting this to 0 and try again.


RE: SQL Injection
Author: Guest
Posted on 13-05-08 16:39
Thank you for your kind replies.

- Henux