how do I allow sql injections?
Hi all
Making a quick simple login script to demo SQL injections, but I seem to have made it too well! I can run valid queries and get a result, but when I try injections I get syntax errors. Here is the code I'm using:
(WTF with the scrolling?? nvm…)
```php
<?php
include("connection.php"); // assumed to open the MySQL link and set $conn
$query = '';
$result = false;
// Deliberately vulnerable: the GET values are concatenated straight into the SQL text.
// (The original had a stray ';' after the if condition, which made the block run unconditionally.)
if (isset($_GET['username']) && isset($_GET['password'])) {
    $username = $_GET['username'];
    $password = $_GET['password'];
    $query = "SELECT * FROM users WHERE username = '".$username."' AND password = '".$password."'";
    $query = stripslashes($query); // undo any magic_quotes escaping so the raw input reaches MySQL
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
}
mysql_close($conn);
?>
<HTML>
<head><title>Welcome to a vulnerable site!</title></head>
<body>
<p>Welcome to an SQL injection challenge</p>
<ul>
<li>Get the admin password (10 points)</li>
<li>Add a new user to the database (10 points)</li>
</ul>
<p>Here's the login:</p>
<form action=index.php method=GET>
Username:
<input type=text name=username><br><br>
Password:
<input type=text name=password><br><br>
<input type=submit value="Submit">
<br><h4>Request:</h4>
<?php echo "Query: ".$query."\n"; // shows the exact SQL that was sent ?>
<br><h4>Result:</h4>
<?php
// Guard on $result so the page renders without warnings before a login is attempted
if ($result && mysql_num_rows($result) > 0) {
    $row = mysql_fetch_row($result);
    //echo "Login found!";
    echo "ID: ".$row[0]."<br>";
    echo "Username: ".$row[1]."<br>";
    echo "Password: ".$row[2]."<br>";
}
else {
    echo "No match from DB";
}
if ($result) {
    mysql_free_result($result);
}
?>
</body>
</HTML>
```
Sorry for the long post! (BTW I'm using GET instead of POST cos it's a tutorial :p)
Cheers
Look whether magic quotes are switched on. Just use
```php
<?php
phpinfo();
?>
```
for that and search for something like "magic_quotes_gpc" and other options which start with "magic_quotes" in the output of the script.
edit:
This code

```php
<?php
if (get_magic_quotes_gpc() == 1) {
    echo "Magic quotes gpc is on";
} else {
    echo "Magic quotes gpc is off";
}
?>
```

should also do it.
Cheers all, read and learnt about magic quotes, now they're off and it's still not working! However, I can input
`password=OR 1=1--`
and it's fine, doesn't inject obviously but works. As soon as I put the single quote in front, mysql has a period and errors. :whoa:
It says the SQL syntax is wrong, and as it's not in the query, I'm going to take a close look at what index.php adds after the query, I think that's the problem.
Thanks!
Look at what exactly you have on your server: MySQL, SQL Server, Sybase, Oracle, PostgreSQL, …, or something else. Do this with phpinfo() or look it up on your hosting site. Once you've found out, read the help file; it should say whether some special protections are on, what commands can be used and many other things. Then take pencil and paper and look at the piece of PHP and SQL code which is used for the login. Test how different attacks would change the query and find out that way which one is right.
jjbutler88 wrote: spot on advice webspider, it might interest people to know that in MySQL v5.0 you need at least one space, newline or tab after the `--` to make it a comment. Lol, never thought of something like that in a not simulated SQL Injection Challenge. OK, sounds like you have managed to get it all right with comments and other stuff. But when there are too many problems or you don't have the version of SQL on the box you need, then the last way is to simulate a database. For example I would set up a parsing script, which turns everything from the user and pass fields into uppercase and then examines the output for common attack vectors. This is a little bit harder, but that way you can exactly control what the users are doing and no one hacks your real database ;)
edit: I think that's the way HTS, HBH and every other hacking related site do it. And they have good causes to do it that way. It's maybe not as realistic as another system, but it's more secure for your webserver.
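As an added example (not code from this thread), here is the same login written both ways: the concatenated query from the original script, which is why a quote in the password changes the SQL, beside a parameterised version where the input can never become SQL. It assumes a `users` table with `id`, `username` and `password` columns and uses an in-memory SQLite database so it runs offline with pdo_sqlite; the attempt string is the thread's own `' OR 1=1--` with the trailing space MySQL 5 needs after `--`.

```php
<?php
// Added example, not the thread's code. Assumes a `users` table
// with columns id, username, password (created below for the demo).

// 1. Vulnerable: the input becomes part of the SQL text, so a quote in
//    $password closes the string literal early. This is what the demo
//    login script in the thread relies on.
function loginUnsafe(PDO $pdo, string $username, string $password): ?array {
    $sql = "SELECT id, username FROM users WHERE username = '$username' AND password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 2. Hardened: the SQL text is fixed at prepare time; the values travel
//    separately as parameters, so quotes, comments and OR 1=1 are just data.
//    (On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server,
//    not the driver, does the binding.)
function loginSafe(PDO $pdo, string $username, string $password): ?array {
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Throwaway in-memory database so the example runs without a server (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('admin', 'correct horse')");

$attempt = "' OR 1=1 -- "; // constructed: the thread's payload, with the space after --

// Parameterised: the whole string is compared as a password and no row matches.
var_dump(loginSafe($pdo, 'admin', $attempt));

// Concatenated: the WHERE clause becomes ... AND password = '' OR 1=1 -- '
// and the admin row comes back; with MySQL 5 and no space after -- the
// leftover quote instead produces the syntax error described in the thread.
try {
    var_dump(loginUnsafe($pdo, 'admin', $attempt));
} catch (PDOException $e) {
    echo "Query failed: " . $e->getMessage() . "\n";
}
```

Printing `$sql` from `loginUnsafe` next to the prepared statement's fixed text is the quickest way to show a class why the second form is not injectable.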