dethcom4 Posted September 17, 2007

Hey all. I just set up a LAMP server with Ubuntu 7.04. I got everything working correctly, making a simple login PHP script that connects to the MySQL database instance. The scripts run fine, but the purpose of this project was to use it at a presentation to demonstrate MySQL injection. I was under the assumption that if you made a form that didn't use the anti-injection PHP function or use the query as a stored procedure, it was vulnerable to this kind of attack. Yet I have not been able to harm this database.

login.html

```html
<form name="login" method="post" action="login.php">
  <table border="0" width="225" align="center">
    <tr>
      <td width="219" bgcolor="#999999">
        <p align="center"><font color="white"><span style="font-size:12pt;"><b>Login</b></span></font></p>
      </td>
    </tr>
    <tr>
      <td width="219">
        <table border="0" width="220" align="center">
          <tr>
            <td width="71"><span style="font-size:10pt;">Username:</span></td>
            <td width="139"><input type="text" name="username"></td>
          </tr>
          <tr>
            <td width="71"><span style="font-size:10pt;">Password:</span></td>
            <td width="139"><input type="password" name="password"></td>
          </tr>
          <tr>
            <td width="71"> </td>
            <td width="139">
              <p align="right"><input type="submit" name="submit" value="Submit"></p>
            </td>
          </tr>
        </table>
      </td>
    </tr>
    <tr>
      <td width="219" bgcolor="#999999"><font color="white">Not Registered? </font><a href="register.html" target="_self"><font color="white">Register</font></a><font color="white"> </font><b><i><font color="white">Now!</font></i></b></td>
    </tr>
  </table>
</form>
```

login.php

```php
<?php
// Database Information
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// Connect to database
mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();

$username = $_POST['username'];
$password = md5($_POST['password']);

// User input is interpolated straight into the SQL string (the point of the demo)
$query  = "select * from user where username='$username' and password='$password'";
$result = mysql_query($query);

if (mysql_num_rows($result) != 1) {
    echo "bad login";
    $error = "Bad Login";
    include "login.html";
} else {
    $_SESSION['username'] = "$username";
    include "memberspage.php";
}
?>
```

register.html

```html
<form name="login" method="post" action="register.php">
  <table border="0" width="225" align="center">
    <tr>
      <td width="219" bgcolor="#999999">
        <p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p>
      </td>
    </tr>
    <tr>
      <td width="219">
        <table border="0" width="282" align="center">
          <tr>
            <td width="116"><span style="font-size:10pt;">Name:</span></td>
            <td width="156"><input type="text" name="name" maxlength="100"></td>
          </tr>
          <tr>
            <td width="116"><span style="font-size:10pt;">Email:</span></td>
            <td width="156"><input type="text" name="email" maxlength="100"></td>
          </tr>
          <tr>
            <td width="116"><span style="font-size:10pt;">Username:</span></td>
            <td width="156"><input type="text" name="username"></td>
          </tr>
          <tr>
            <td width="116"><span style="font-size:10pt;">Password:</span></td>
            <td width="156"><input type="password" name="password"></td>
          </tr>
          <tr>
            <td width="116"> </td>
            <td width="156">
              <p align="right"><input type="submit" name="submit" value="Submit"></p>
            </td>
          </tr>
        </table>
      </td>
    </tr>
    <tr>
      <td width="219" bgcolor="#999999"> </td>
    </tr>
  </table>
</form>
```

register.php

```php
<?php
// Database Information
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// Connect to database
mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
mysql_select_db($dbname) or die(mysql_error());

$name     = $_POST['name'];
$email    = $_POST['email'];
$username = $_POST['username'];
$password = md5($_POST['password']);

// Let's check to see if the username already exists
$checkuser      = mysql_query("SELECT username FROM user WHERE username='$username'");
$username_exist = mysql_num_rows($checkuser);

if ($username_exist > 0) {
    echo "I'm sorry but the username you specified has already been taken. Please pick another one.";
    unset($username);
    include 'register.html';
    exit();
}

// If no errors present with the username,
// use a query to insert the data into the database.
$query = "INSERT INTO user (name, email, username, password) VALUES('$name', '$email', '$username', '$password')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "You have successfully Registered";
?>
```

memberspage.php

```php
<?php
$dbhost = "127.0.0.1";
$dbname = "test1";
$dbuser = "odbcuser";
$dbpass = "odbcpass";

// members page
session_start();

// $username is already set when this file is included from login.php;
// when the page is opened directly, fall back to the session value
if (empty($username) && isset($_SESSION['username'])) {
    $username = $_SESSION['username'];
}

if (empty($username)) {
    print "Please login below!";
    include 'login.html';
} else {
    // Connect to database
    mysql_connect($dbhost, $dbuser, $dbpass) or die("Could not connect: " . mysql_error());
    mysql_select_db($dbname) or die(mysql_error());

    $query  = "SELECT * FROM user";
    $result = mysql_query($query);
    $num    = mysql_num_rows($result);

    echo "<b><center>Database Output</center></b><br><br>";

    $i = 0;
    while ($i < $num) {
        $userid   = mysql_result($result, $i, "userid");
        $name     = mysql_result($result, $i, "name");
        $email    = mysql_result($result, $i, "email");
        $username = mysql_result($result, $i, "username");
        echo "<b>$name</b><br>UserID: $userid<br>E-mail: $email<br>Username: $username<br><hr><br>";
        $i++;
    }

    // only close the connection on the branch that opened it
    mysql_close();
}
?>
<html>
<head>
<title>MEMBERS ONLY</title>
</head>
<body>
</body>
</html>
```

I've been trying to exploit it using the following guides:

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://www.netlobo.com/preventing_mysql_injection.html

Anyone have any ideas what I'm doing wrong?
dethcom4 Posted September 18, 2007 (Author)

a
fenway Posted September 18, 2007

Sometimes magic_quotes can be engaged.
jaymc Posted September 19, 2007

Put all your parsed queries into variables like so:

```php
$checkuser = "SELECT username FROM user WHERE username='$username'";
```

Then echo them out; that way you can see if they have been manipulated via the likes of magic_quotes, which may be enabled in php.ini. It gives you an idea of what MySQL is seeing when it's executing the final query.
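The following is an added example, not code from the thread. It takes the login query exactly as login.php builds it, shows what jaymc's "echo the query" check reveals with magic_quotes_gpc off versus on (simulated here with addslashes(), which is what that php.ini setting applied to every GET/POST/COOKIE value in PHP 4 and 5; the setting was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8), and then shows the prepared-statement form that does not depend on php.ini at all. The input value, the mysqli connection and the login_prepared() function are assumptions for illustration; the table and column names are the thread's own.

```php
<?php
// Added example; not the original poster's code. All input values are constructed.

// The query string exactly as login.php interpolates it.
function build_login_query(string $username, string $password_md5): string
{
    return "select * from user where username='$username' and password='$password_md5'";
}

// magic_quotes_gpc (PHP 4/5, removed in PHP 5.4) ran addslashes() over every
// $_GET / $_POST / $_COOKIE value before the script saw it. Simulated here.
function simulate_magic_quotes(string $value): string
{
    return addslashes($value);
}

// Constructed input containing a single quote, the character that decides
// whether user data can leave the string literal in the query.
$raw_username = "O'Brien";
$password_md5 = md5("secret");   // md5 kept to match the thread; use password_hash() in real code

echo "magic_quotes_gpc = Off (raw input reaches the query):\n";
echo build_login_query($raw_username, $password_md5), "\n";
// select * from user where username='O'Brien' and password='...'
// The quote closes the literal early and MySQL returns a syntax error:
// user input is being parsed as SQL, which is exactly what the demo needs to show.

echo "\nmagic_quotes_gpc = On (input escaped before the script sees it):\n";
echo build_login_query(simulate_magic_quotes($raw_username), $password_md5), "\n";
// select * from user where username='O\'Brien' and password='...'
// The quote is escaped, the query runs, and the form looks "safe" even though
// the code itself never escaped anything.

// Checking the live setting on a PHP 5.x server (function removed in PHP 8).
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    echo "\nmagic_quotes_gpc is enabled in php.ini; the demo will be masked.\n";
}

// Mitigation that does not rely on php.ini: a prepared statement sends SQL and
// data separately, so a quote in the username is never parsed as SQL.
// Hypothetical helper; assumes the mysqli extension and the thread's schema.
function login_prepared(mysqli $db, string $username, string $password_md5): int
{
    $stmt = $db->prepare("SELECT userid FROM user WHERE username = ? AND password = ?");
    $stmt->bind_param("ss", $username, $password_md5);
    $stmt->execute();
    $stmt->store_result();
    $rows = $stmt->num_rows;
    $stmt->close();
    return $rows;   // 1 means exactly one matching account
}

// Usage with the thread's connection details (not run offline):
// $db = new mysqli("127.0.0.1", "odbcuser", "odbcpass", "test1");
// if (login_prepared($db, $_POST['username'], md5($_POST['password'])) === 1) { /* logged in */ }
```

Running the first two echoes side by side is the quickest way to answer the original question: if the printed query shows a backslash in front of the quote, the server's php.ini is escaping input before login.php ever runs, and the presentation should either disable magic_quotes_gpc on the demo box or explain that the protection is coming from the interpreter, not the script. The prepared-statement version is the form to present as the fix, since it behaves the same regardless of that setting.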