
SQL Injection + PHP page inclusion


ghost

Hi

MySQL Puzzle

I'm so close but I'm missing something here. If MySQL is vulnerable from a login point of view, the username and password fields below are vulnerable to injection and their values are changeable from the login.php page.

How do you bypass the status='1'..

I'm asking how do you terminate the query after the "password="secret" "

None of these are my answer, I don't think

' or '1'='1' – ' ' or '1'='1' ({ ' ' or '1'='1' /* '

select * from user WHERE ( username = 'bob'' and password = 'secret' and status='1' )

PHP Help

Also, if a URL can include a file as follows

http:/www.******/index.php?page=/etc/passwd%00 (the above prints out the file contents)

But how do I execute a command or arbitrary PHP code via the URL?

Is it possible to close the PHP syntax in the base code like so

include('/etc/passwd')

I'm not 100% sure I've asked the questions correctly but any guidance would be appreciated…..

I'm a white hat :-)


ghost

Try this ' OR 1=1)/* Are you getting any errors?

But how do I execute a command or arbitrary PHP code via the URL

Inject some log with your code and then include the page you injected. For example, if you can find (I'm assuming this server is running Apache) the error_log file, then telnet to the site and do something like:

GET /<?php code here ?> HTTP/1.1

P.S., I don't care if you're white hat or not.
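
The two weaknesses discussed in this thread, shown from the fixing side as an added example that is not part of either post: the login query with bound parameters, and a page router that never turns the `page` value into a path. The function names, the `pages/` layout and the hashed password column are assumptions; the table and column names follow the query quoted in the first post.

```php
<?php
declare(strict_types=1);

// Added example. Function names and the pages/ layout are hypothetical;
// table and column names follow the query quoted in the thread.

// Login lookup with bound parameters: a quote or comment marker in $username
// stays data, so the status = '1' condition cannot be closed off or skipped.
function find_active_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare("SELECT * FROM user WHERE username = :u AND status = '1'");
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumption: the password column stores a password_hash() value.
    if ($row === false || !password_verify($password, (string) $row['password'])) {
        return null;
    }
    return $row;
}

// Page router: the request value only selects a key in a fixed map. It is never
// concatenated into a path, so a file path, a null byte suffix or a log file
// location all fall back to the default page instead of reaching include().
const PAGES = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page($requested): string
{
    // $_GET values can be arrays (page[]=x), so reject anything that is not a string.
    $key = is_string($requested) ? $requested : 'home';
    return PAGES[$key] ?? PAGES['home'];
}

// Constructed inputs: one valid key, then values of the kind seen in the thread.
foreach (['about', '/etc/passwd', "../logs/error_log\0", ['x']] as $input) {
    printf("%s => %s\n", json_encode($input), resolve_page($input));
}

// Typical call site (not executed here):
//   include resolve_page($_GET['page'] ?? null);
```

With the router in place, writing PHP into a log file gains nothing, because no request value can make `include` open that log.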