sqlinjection.php
<?php
require('includes/functions.php');
echo getHeader('SQL Injection');
?>
<!-- Main jumbotron for a primary marketing message or call to action -->
<div class="jumbotron">
<div class="container">
<h1>SQL Injection</h1>
<a class="btn btn-primary btn-lg" href="/">
<span class="glyphicon glyphicon-chevron-left"></span>
Back To Home
</a>
</div>
</div>
<div class="container">
<!-- Example row of columns -->
<div class="row">
<div class="col-md-12">
<h2>Bypassing User Login</h2>
<span>This tutorial will show how to bypass the login screen for an insecure PHP application :)</span>
<br><br><br>
<span>See the example login screen: <a href="/sql-injection/example" target="_blank">Example Login Screen <span class="glyphicon glyphicon-new-window"></span></a></span>
<br><br>
<h4>PHP</h4>
<pre>
<code class="php">
<?php echo htmlentities(<<<'CODE'
<?php
// -------------------- database variables
$hostname  = 'localhost';    // MySQL server location
$username  = 'root';         // username for connecting to database
$password  = '';             // password to connect to database
$database  = 'selfdirected'; // the database name itself
$tablename = 'sqlinjection'; // the table in the database

// connect to the database
$con = mysqli_connect($hostname, $username, $password, $database);

// Check connection
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// declare that by default, the user is not logged in... this example will not use cookies
$isAdmin = false;
$_SESSION['isAdmin'] = false;

// if there is something posted.. that means a login attempt was made
if (!empty($_POST)) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // username: ' or ''='
    // password: ' or ''='
    // the POST values are concatenated straight into the query text (this is the vulnerability)
    $sql = "SELECT userID FROM " . $tablename . " WHERE username ='" . $username . "' AND password ='" . $password . "'";
    $res = mysqli_query($con, $sql);
    $row_cnt = mysqli_num_rows($res);

    // any matching row is treated as a successful login
    if ($row_cnt > 0) {
        $isAdmin = true;
        $_SESSION['isAdmin'] = true;
    }
}
?>
CODE
); ?>
</code>
</pre>
<h4>HTML</h4>
<pre>
<code class="html">
<?php echo htmlentities('
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>SQL Injection</title>
<!-- Bootstrap -->
<link href="/assets/css/bootstrap.min.css" rel="stylesheet">
<link href="/assets/css/login.min.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and media queries -->
<!-- WARNING: Respond.js doesn\'t work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="/assets/js/html5shiv.min.js"></script>
<script src="/assets/js/respond.min.js"></script>
<![endif]-->
</head>
<body>
<div class="container">
<div class="row">
<div class="col-sm-6 col-md-4 col-md-offset-4">
<div class="account-wall">
<div id="my-tab-content" class="tab-content">
<div class="tab-pane active" id="login">
<img class="profile-img" src="https://lh5.googleusercontent.com/-b0-k99FZlyE/AAAAAAAAAAI/AAAAAAAAAAA/eu7opA4byxI/photo.jpg?sz=120" alt="">
<form class="form-signin" action="/sql-injection/example" method="post">
<input type="text" name="username" class="form-control" placeholder="Username" required autofocus>
<input type="password" name="password" class="form-control" placeholder="Password" required>
<input type="submit" class="btn btn-lg btn-default btn-block" value="Sign In">
</form>
</div>
</div>
</div>
</div>
</div>
</div>
<!-- jQuery (necessary for Bootstrap\'s JavaScript plugins) -->
<script src="/assets/js/jquery.min.js"></script>
<!-- Include all compiled plugins (below), or include individual files as needed -->
<script src="/assets/js/bootstrap.min.js"></script>
<!-- IE10 viewport hack for Surface/desktop Windows 8 bug -->
<script>
/*!
* IE10 viewport hack for Surface/desktop Windows 8 bug
* Copyright 2014 Twitter, Inc.
* Licensed under the Creative Commons Attribution 3.0 Unported License. For
* details, see http://creativecommons.org/licenses/by/3.0/.
*/
!function(){"use strict";if(navigator.userAgent.match(/IEMobile\/10\.0/)){var e=document.createElement("style");e.appendChild(document.createTextNode("@-ms-viewport{width:auto!important}")),document.querySelector("head").appendChild(e)}}();
</script>
</body>
</html>
'); ?>
</code>
</pre>
This is a basic administration panel which accepts a username and password... pretty simple :) Using some specially crafted input, we can 'trick' the database into returning a result that the PHP script will interpret as a successful login.
<br><br>
<div class="col-md-12">
<div class="col-md-6">
<img class="well" src="content/sql-injection/example.png">
</div>
<div class="col-md-6">
Enter <code>' or ''='</code> into both the username and password fields. Because the SQL statement is built by concatenating the POST variables with no sanitization, the quote closes the intended value and the appended <code>''=''</code> comparison is always true, so MySQL returns a row and the script treats the request as a successful login.
</div>
</div>
<h3>Solution</h3>
To protect your web application's login page, or any other place user input reaches a query, it is strongly recommended to use parameterized queries.
Here's an example:
<pre>
<code class="php">
...
// $dbh is an existing PDO connection; TABLE_NAME is a constant, not user input
$stmt = $dbh->prepare("SELECT * FROM " . TABLE_NAME . " WHERE username = :username AND password = :password");
// the POST values are bound as data, so quotes inside them are never parsed as SQL
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->execute();
...
</code>
</pre>
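Here is an added example, not part of the original tutorial, that runs the concatenated query from the PHP section and the parameterized version from the solution side by side against an in-memory SQLite database via PDO: the first accepts the <code>' or ''='</code> payload, the second rejects it. It assumes the pdo_sqlite extension is enabled; the table name <code>sqlinjection</code> follows the tutorial, while the user row and credentials are constructed sample values.

```php
<?php
// Added example, not code from the original tutorial: the tutorial's
// concatenated query beside its parameterized replacement, both run against
// an in-memory SQLite database through PDO so the comparison works offline.
// Assumes the pdo_sqlite extension is available; table, user and
// credentials are constructed here for the demonstration.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE sqlinjection (userID INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$dbh->exec("INSERT INTO sqlinjection (username, password) VALUES ('admin', 'correct-horse')");

// The tutorial's approach: POST values pasted straight into the SQL text, so
// a quote in the input changes the structure of the WHERE clause.
function loginConcatenated(PDO $dbh, string $username, string $password): bool
{
    $sql = "SELECT userID FROM sqlinjection WHERE username ='" . $username
         . "' AND password ='" . $password . "'";
    return $dbh->query($sql)->fetch() !== false;
}

// The fix from the Solution section: placeholders are sent as data, so the
// input is compared as a literal string and never parsed as SQL.
function loginParameterized(PDO $dbh, string $username, string $password): bool
{
    $stmt = $dbh->prepare(
        'SELECT userID FROM sqlinjection WHERE username = :username AND password = :password'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetch() !== false;
}

$payload = "' or ''='";   // the input the tutorial enters in both fields
$cases = [
    'concatenated, real credentials'   => loginConcatenated($dbh, 'admin', 'correct-horse'),
    'concatenated, injection payload'  => loginConcatenated($dbh, $payload, $payload),
    'parameterized, real credentials'  => loginParameterized($dbh, 'admin', 'correct-horse'),
    'parameterized, injection payload' => loginParameterized($dbh, $payload, $payload),
];
foreach ($cases as $label => $loggedIn) {
    printf("%-34s %s\n", $label . ':', $loggedIn ? 'logged in' : 'rejected');
}
```

Both functions compare the stored password as plaintext, as the tutorial does; a real login would store a password_hash() value and check the submitted password with password_verify().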
</div>
</div>
<?php
echo getFooter();
?>