Friday, April 25, 2014
HellBound Hackers | Computer General | Web hacking

Author

Sql injection


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 10-05-06 22:18
After being tested by several people (including Jake) it is apparently not possible to SQL inject my login script. So I have decided to make it public:

Code

$auth = false;
$name = $_REQUEST['Name'];
$password = $_REQUEST['Pass'];
$dbcnx = @mysql_connect("localhost", "$secret", "$secret2");
mysql_select_db("$database");
if (!mysql_select_db("$table")) {
}

$sql =  "SELECT * FROM $table
      WHERE Name = '$name' AND
      Password = '$password'";

$result = mysql_query($sql, $dbcnx);
$num = mysql_num_rows($result);

if ($num != 0) {
    $auth = true;
}

if (!$auth) {
    // Failed login: clear the cookies and send the redirect header.
    setcookie('user', '');
    setcookie('pass', '');
    setcookie('auth', '');
    header('Location: index.php');
}
if ($auth) {
    // Run the same query again to read the matching row.
    $dbcnx = @mysql_connect("localhost", "$secret", "$secret2");
    mysql_select_db("$database");
    if (!mysql_select_db("$table")) {
    }

    $sql =  "SELECT * FROM $table
      WHERE Name = '$name' AND
      Password = '$password'";

    $result = mysql_query($sql, $dbcnx);
    $row = mysql_fetch_array($result);
    $points = $row["Points"];
    $name2 = $row["Name"];
    $pass2 = $row["Password"];

    if (strcmp($name, $name2) == 0) {
        if (strcmp($pass2, $password) == 0) {
            setcookie("user", $name2);
            setcookie("pass", $pass2);
            setcookie('auth', 'true');
            header('Location: index.php');
        }
    }
}
header('Location: index.php');

I know this code is sloppy, in fact it is terrible (sorry 'bout that). Well, what's everyone's verdict? I think it is possible, but I suck at SQL injection.

any ideas would help. I know how to patch it, just would like to do it in a real-world situation, nothing better than my own site!

Extra info: the index page displays different content depending on your privileges.


Author

RE: Sql injection


Guest
Posted on 10-05-06 22:34
Lol, always need to distinguish me from the group ;)

It is somewhat vulnerable (Not to SQL injection though).

If it is invalid, you need to redirect the user AND kill the script.

Here is the same thing but cleaned up. . .

Code
<?php

 @mysql_connect('localhost', $secret, $secret2) or
     die('Could not connect to database.');

 @mysql_select_db($database) or
     die('Could not select a database');

 $name = $_REQUEST['Name'];
 $pass = $_REQUEST['Pass'];

 $query = mysql_query("SELECT Points, Name, Password FROM $table
                       WHERE Name=\"$name\" AND Password=\"$pass\"");

 $authed = mysql_num_rows($query) ? TRUE : FALSE;

 if( !$authed ) {
     foreach( $_COOKIE as $k => $v )
         setcookie($k, '');

     Header('Location: index.php');

     // Stop here so nothing below runs for a failed login.
     exit;
 }

 // list() needs a numerically indexed row, so fetch with mysql_fetch_row().
 list($points, $name2, $pass2) = mysql_fetch_row($query);

 // No need for more checks. . . it's already valid!

?>

Edited by on 10-05-06 22:34
Author

RE: Sql injection


Guest
Posted on 10-05-06 22:39
Thank you. You are a legend.

Could you please tell me how I could exploit it so I can try it before patching, just to see what it would be like. That is if you can be bothered.

Thanks, as previously stated you are a legend!

P.S. Sorry for setting you apart, but you are no.1 the best hacker here!




Edited by on 10-05-06 22:40
Author

RE: Sql injection


Guest
Posted on 10-05-06 22:39
*shuts eyes to avoid watching the ass kissing*
Author

RE: Sql injection


Guest
Posted on 10-05-06 22:51
Lol.

Anyway, the page may continue to be parsed if you do not terminate the script (By either the exit or die command).

Example:
This is how I hacked HBH before. Their admin panel tried to redirect my browser, but I sent a script with the specified POST data. It parsed the POST data and created a backup of the database and THEN tried to send me to the login page.
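
An added example, not part of the thread or any poster's code: the login check from the first post written so that request values are bound as query parameters and a failed login ends the script at the redirect, the point made in the replies above. It assumes PDO with an in-memory SQLite database (the thread's script used MySQL), a hypothetical `users` table with a `PassHash` column, and a constructed sample user.

```php
<?php
// Added example, not code from the thread. The `users` table, `PassHash`
// column, SQLite in-memory database and sample user are all constructed.

function find_user(PDO $db, string $name, string $pass): ?array
{
    // The name is bound as a parameter, so it is never parsed as SQL text.
    $stmt = $db->prepare('SELECT Name, Points, PassHash FROM users WHERE Name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored hash instead of matching a plaintext column.
    if ($row === false || !password_verify($pass, $row['PassHash'])) {
        return null;
    }
    return ['Name' => $row['Name'], 'Points' => (int) $row['Points']];
}

function handle_login(PDO $db, array $request): void
{
    $name = is_string($request['Name'] ?? null) ? $request['Name'] : '';
    $pass = is_string($request['Pass'] ?? null) ? $request['Pass'] : '';
    $user = find_user($db, $name, $pass);
    if ($user === null) {
        header('Location: index.php');
        exit; // header() only queues a response header; exit ends the script
    }
    session_start();
    session_regenerate_id(true);
    // Keep login state on the server; cookie values are supplied by the client.
    $_SESSION['user'] = $user['Name'];
    header('Location: index.php');
    exit;
}

// Offline check of find_user() from the command line (constructed data).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (Name TEXT PRIMARY KEY, Points INTEGER, PassHash TEXT)');
    $db->prepare('INSERT INTO users VALUES (?, ?, ?)')
       ->execute(["O'Brien", 10, password_hash('constructed-pass', PASSWORD_DEFAULT)]);

    // A quote character in the name is handled as ordinary data.
    var_dump(find_user($db, "O'Brien", 'constructed-pass'));
    var_dump(find_user($db, "O'Brien", 'wrong-pass'));
}
```

In a web request the handler would be called as `handle_login($pdo, $_POST)` with a PDO connection to the real database.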


Author

RE: Sql injection


Guest
Posted on 10-05-06 23:14
WOW that's awesome!


Author

RE: Sql injection


Guest
Posted on 10-05-06 23:26
*puts head in jumper and hands over ears* Damn you and your ass kissing!
Author

RE: Sql injection


Guest
Posted on 10-05-06 23:29
That wasn't ass kissing! It really is awesome, I am still a newb and to be able to do that is pretty kewl if you ask me.


Author

RE: Sql injection


Guest
Posted on 10-05-06 23:30
dude, you aren't a noob if you can do that. A noob would be someone who would ask what php stands for. It's a good script. butttt ass kissing.
Author

RE: Sql injection


Guest
Posted on 11-05-06 17:05
^