dethcom4 Posted September 17, 2007

Hey all. I just set up a LAMP server with Ubuntu 7.04. I got everything working correctly, making a simple login PHP script that connects to the MySQL database instance. The scripts run fine, but the purpose of this project was to use it at a presentation to demonstrate MySQL injection. I was under the assumption that if you made a form that didn't use the anti-injection PHP function or use the query as a stored procedure, it was vulnerable to this kind of attack. Yet I have not been able to harm this database.

login.html

<form name="login" method="post" action="login.php">
<table border="0" width="225" align="center">
<tr>
<td width="219" bgcolor="#999999">
<p align="center"><font color="white"><span style="font-size:12pt;"><b>Login</b></span></font></p>
</td>
</tr>
<tr>
<td width="219">
<table border="0" width="220" align="center">
<tr>
<td width="71"><span style="font-size:10pt;">Username:</span></td>
<td width="139"><input type="text" name="username"></td>
</tr>
<tr>
<td width="71"><span style="font-size:10pt;">Password:</span></td>
<td width="139"><input type="password" name="password"></td>
</tr>
<tr>
<td width="71"> </td>
<td width="139">
<p align="right"><input type="submit" name="submit" value="Submit"></p>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="219" bgcolor="#999999"><font color="white">Not Registered? </font><a href="register.html" target="_self"><font color="white">Register</font></a><font color="white"> </font><b><i><font color="white">Now!</font></i></b></td>
</tr>
</table>
</form>

login.php

<?php
// Database information
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// Connect to database
mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = $_POST['username'];
$password = md5($_POST['password']);

// Username is concatenated straight into the SQL text (the point of the demo)
$query = "select * from user where username='$username' and password='$password'";
$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
    echo "bad login";
    $error = "Bad Login";
    include "login.html";
} else {
    $_SESSION['username'] = "$username";
    include "memberspage.php";
}
?>

register.html

<form name="login" method="post" action="register.php">
<table border="0" width="225" align="center">
<tr>
<td width="219" bgcolor="#999999">
<p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p>
</td>
</tr>
<tr>
<td width="219">
<table border="0" width="282" align="center">
<tr>
<td width="116"><span style="font-size:10pt;">Name:</span></td>
<td width="156"><input type="text" name="name" maxlength="100"></td>
</tr>
<tr>
<td width="116"><span style="font-size:10pt;">Email:</span></td>
<td width="156"><input type="text" name="email" maxlength="100"></td>
</tr>
<tr>
<td width="116"><span style="font-size:10pt;">Username:</span></td>
<td width="156"><input type="text" name="username"></td>
</tr>
<tr>
<td width="116"><span style="font-size:10pt;">Password:</span></td>
<td width="156"><input type="password" name="password"></td>
</tr>
<tr>
<td width="116"> </td>
<td width="156">
<p align="right"><input type="submit" name="submit" value="Submit"></p>
</td>
</tr>
</table>
</td>
</tr>
<tr>
<td width="219" bgcolor="#999999"> </td>
</tr>
</table>
</form>

register.php

<?php
// Database information
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// Connect to database
mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());

$name     = $_POST['name'];
$email    = $_POST['email'];
$username = $_POST['username'];
$password = md5($_POST['password']);

// Let's check to see if the username already exists
$checkuser = mysql_query("SELECT username FROM user WHERE username='$username'");
$username_exist = mysql_num_rows($checkuser);

if ($username_exist > 0) {
    echo "I'm sorry but the username you specified has already been taken. Please pick another one.";
    unset($username);
    include 'register.html';
    exit();
}

// If no errors are present with the username,
// use a query to insert the data into the database.
$query = "INSERT INTO user (name, email, username, password) VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();
echo "You have successfully Registered";
?>

memberspage.php

<?php
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// Members page
session_start();

// $username is only set when this file is included from login.php
if (empty($username)) {
    print "Please login below!";
    include 'login.html';
} else {
    // Connect to database
    mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
    mysql_select_db($dbname) or die(mysql_error());

    $query  = "SELECT * FROM user";
    $result = mysql_query($query);
    $num    = mysql_num_rows($result);

    echo "<b><center>Database Output</center></b><br><br>";

    $i = 0;
    while ($i < $num) {
        $userid   = mysql_result($result, $i, "userid");
        $name     = mysql_result($result, $i, "name");
        $email    = mysql_result($result, $i, "email");
        $username = mysql_result($result, $i, "username");
        echo "<b>$name</b><br>UserID: $userid<br>E-mail: $email<br>Username: $username<br><hr><br>";
        $i++;
    }
}
mysql_close();
?>
<html>
<head>
<title>MEMBERS ONLY</title>
</head>
<body>
</body>
</html>

I've been trying to exploit it using the following guides:

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://www.netlobo.com/preventing_mysql_injection.html

Anyone have any ideas what I'm doing wrong?
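For comparison with the login.php above, here is the same login check written the way it should be hardened, with a prepared statement so the username travels to MySQL as a bound value rather than as part of the SQL text. This is an added example, not code from the original poster; it assumes the thread's `user` table (columns userid, username, password holding an md5 hex digest), the same connection details, PHP 7.1 or later, and the pdo_mysql extension. Whether magic_quotes_gpc happens to be on (fenway's point) no longer matters to this version, since nothing is spliced into the query string.

```php
<?php
// Added example (not from the original post): login.php rewritten with a
// prepared statement. Assumes the thread's `user` table and credentials.
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

function connect_db(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host=$host;dbname=$db;charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        // Throw on errors instead of returning false and continuing
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares: statement text and bound values are
        // sent separately, so a quote in the username cannot end the literal
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Returns the matching row, or null when no row matches.
// The SQL text is constant; only the bound values change between calls.
function find_user(PDO $pdo, string $username, string $passwordMd5): ?array
{
    $stmt = $pdo->prepare(
        "SELECT userid, username FROM user WHERE username = ? AND password = ?"
    );
    $stmt->execute([$username, $passwordMd5]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

session_start();
$username = $_POST['username'] ?? '';
// md5 kept only to stay compatible with the thread's existing password column
$password = md5($_POST['password'] ?? '');

$pdo  = connect_db($dbhost, $dbname, $dbuser, $dbpass);
$user = find_user($pdo, $username, $password);

if ($user === null) {
    echo "bad login";
    include "login.html";
} else {
    // Fresh session id after authentication, so a pre-login id is not reused
    session_regenerate_id(true);
    $_SESSION['username'] = $user['username'];
    include "memberspage.php";
}
```

For legitimate logins this behaves exactly like the original; the difference is that a single quote typed into the username field now arrives at MySQL inside a string value instead of as SQL syntax, which is also why the magic_quotes workaround (removed in PHP 5.4) is not needed. The md5 column is kept only to match the thread's schema; new code should store password_hash() output, fetch the row by username alone, and compare with password_verify().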
dethcom4 (Author) Posted September 18, 2007

a
fenway Posted September 18, 2007

Sometimes magic_quotes can be engaged.
jaymc Posted September 19, 2007

Put all your parsed queries into variables like so:

$checkuser = "SELECT username FROM user WHERE username='$username'";

Then echo them out; that way you can see if they have been manipulated via the likes of magic_quotes, which may be enabled in php.ini. It gives you an idea of what MySQL is seeing when it's executing the final query.