SQL Injection
Hi,
I created a simple site in my own web server to test for SQL injection tactic. The site contains only two pages, written in PHP. They are the following:
index.php: <html> <body> <p><b>Please login.</b></p> <form action='login.php' method='POST'> Username: <input type='text' name='username'/><br/> Password: <input type='password' name='password'/><br/> <input type='submit' value='Login'/> </form> </body> </html>
login.php: <html> <body> <?php $username = $_POST['username']; $password = $_POST['password'];
$query = "SELECT id FROM users WHERE username='$username' AND password='$password'"; echo "$query<br/>";
if (!mysql_connect("localhost", "test", "")) die(mysql_error());
if (!mysql_select_db("test")) die(mysql_error());
$res = mysql_query($query); if (!$res) die(mysql_error());
$row = mysql_fetch_assoc($res); if (!$row) die("Invalid login.");
$userid = $row['id'];
mysql_free_result($res); mysql_close(); ?> Login succesful. User id is <?=$userid?>. </body> </html>
Lets consider if the hacker enters "admin' #" as the user name. Then the resulting SQL query would look like this:
SELECT id FROM users WHERE username='admin' #'AND password=''
This would bypass the password altogether.
But, however, it does not work. I am getting the following as the resulting SQL query:
SELECT id FROM users WHERE username='admin\' #' AND password=''
So it seems that my server automatically escapes the text when ' is entered. Does this mean that in the latest Linux/Apache2/PHP/MySQL setup SQL injection is rendered impossible or do I misunderstand something? I have PHP version 5.2.4 with Apache 2.2.8.
Thank you.
- Henux
nope it's just like that, now apache has default option of escaping ' or " whenever you post something on the server
btw had same problem, when I was testing XSS on my server
ok look below this post, more usefull :D but what is the point of testing exploit, which is excluded in default installation of the server, challenge would be to bypass it :D