Jump to content

Recommended Posts

Hey all.  I just setup a LAMP server with Ubuntu 7.04.  I got everything working correctly, making a simple login php script that connects to the MySQL database instance.  The scripts run fine, but the purpose of this project was to use it at a presentation to demonstrate MySQL injection.  I was under the assumption that if you made a form that didn't use the anti-injection php function or use the query as a stored procedure that it was vulnerable to this kind of attack.  Yet I have not been able to harm this database.

 

login.html

 

<form name="login" method="post" action="login.php">
<table border="0" width="225" align="center">
    <tr>
        <td width="219" bgcolor="#999999">
            <p align="center"><font color="white"><span style="font-size:12pt;"><b>Login</b></span></font></p>
        </td>
    </tr>
    <tr>
        <td width="219">
            <table border="0" width="220" align="center">
                <tr>
                    <td width="71"><span style="font-size:10pt;">Username:</span></td>
                    <td width="139"><input type="text" name="username"></td>
                </tr>
                <tr>
                    <td width="71"><span style="font-size:10pt;">Password:</span></td>
                    <td width="139"><input type="password" name="password"></td>
                </tr>
                <tr>
                    <td width="71"> </td>
                        <td width="139">
                            <p align="right"><input type="submit" name="submit" value="Submit"></p>
                        </td>
                </tr>
            </table>
        </td>
    </tr>
    <tr>
        <td width="219" bgcolor="#999999"><font color="white">Not Registered? </font><a href="register.html" target="_self"><font color="white">Register</font></a><font color="white"> </font><b><i><font color="white">Now!</font></i></b></td>
    </tr>
</table>
</form>

 

login.php

<?php

//Database Information

$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = $_POST['username'];
$password = md5($_POST['password']);

$query = "select * from user where username='$username' and password='$password'";

$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
echo "bad login";
$error = "Bad Login";
    include "login.html";

} else {
    $_SESSION['username'] = "$username";
    include "memberspage.php";
}

?>

 

login.html

<form name="login" method="post" action="register.php">
<table border="0" width="225" align="center">
    <tr>
        <td width="219" bgcolor="#999999">
            <p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p>
        </td>
    </tr>
    <tr>
        <td width="219">
            <table border="0" width="282" align="center">
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Name:</span></td>
                        <td width="156"><input type="text" name="name" maxlength="100"></td>
                    </tr>
                    <tr>
                        <td width="116"><span style="font-size:10pt;">Email:</span></td>
                        <td width="156"><input type="text" name="email" maxlength="100"></td>
                    </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Username:</span></td>
                    <td width="156"><input type="text" name="username"></td>
                </tr>
                <tr>
                    <td width="116"><span style="font-size:10pt;">Password:</span></td>
                    <td width="156"><input type="password" name="password"></td>
                </tr>
                <tr>
                    <td width="116"> </td>
                        <td width="156">
                            <p align="right"><input type="submit" name="submit" value="Submit"></p>
                        </td>
                </tr>
            </table>
        </td>
    </tr>
    <tr>
        <td width="219" bgcolor="#999999"> </td>
    </tr>
</table>
</form>

 

register.php

<?PHP

//Database Information

$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

    
$name = $_POST['name'];
$email = $_POST['email'];    
$username = $_POST['username'];
$password = md5($_POST['password']);

// lets check to see if the username already exists

$checkuser = mysql_query("SELECT username FROM user WHERE username='$username'");

$username_exist = mysql_num_rows($checkuser);

if($username_exist > 0){
    echo "I'm sorry but the username you specified has already been taken.  Please pick another one.";
    unset($username);
    include 'register.html';
    exit();
}

// lf no errors present with the username
// use a query to insert the data into the database.

$query = "INSERT INTO user (name, email, username, password)
VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";
   
?>

 

memberspage.php

 

<?
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// members page

session_start();

if ( empty( $username ) ) {

    print "Please login below!";

    include 'login.html';

} else 
{


//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

$query="SELECT * FROM user";
$result=mysql_query($query);
$num=mysql_numrows($result);

echo "<b><center>Database Output</center></b><br><br>";

$i=0;

while ($i < $num)
{

$userid=mysql_result($result,$i,"userid");
$name=mysql_result($result,$i,"name");
$email=mysql_result($result,$i,"email");
$username=mysql_result($result,$i,"username");


echo "<b>$name</b><br>UserID: $userid<br>E-mail: $email<br>Username: $username<br><hr><br>";

$i++;
}


}
mysql_close();
?>

<html>
<head>
<title>MEMBERS ONLY</title>
</head>
<body>
</body>
</html>

<?

?>

 

I've been trying to exploit it using the following guides:

 

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

http://www.netlobo.com/preventing_mysql_injection.html

 

anyone have any ideas what I'm doing wrong?

Link to comment
https://forums.phpfreaks.com/topic/69698-raising-mysql-injection-awareness/
Share on other sites

Put all your parsed queries into variables like so

 

$checkuser = "SELECT username FROM user WHERE username='$username";

 

Then echo them out, that way you can see if they have been manipulated via the likes of magic_quotes which may be enabled in php.ini

 

Give you an idea of what mysql is seeing when its executing the final query

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.