dethcom4 Posted September 17, 2007 Share Posted September 17, 2007 Hey all. I just setup a LAMP server with Ubuntu 7.04. I got everything working correctly, making a simple login php script that connects to the MySQL database instance. The scripts run fine, but the purpose of this project was to use it at a presentation to demonstrate MySQL injection. I was under the assumption that if you made a form that didn't use the anti-injection php function or use the query as a stored procedure that it was vulnerable to this kind of attack. Yet I have not been able to harm this database. login.html <form name="login" method="post" action="login.php"> <table border="0" width="225" align="center"> <tr> <td width="219" bgcolor="#999999"> <p align="center"><font color="white"><span style="font-size:12pt;"><b>Login</b></span></font></p> </td> </tr> <tr> <td width="219"> <table border="0" width="220" align="center"> <tr> <td width="71"><span style="font-size:10pt;">Username:</span></td> <td width="139"><input type="text" name="username"></td> </tr> <tr> <td width="71"><span style="font-size:10pt;">Password:</span></td> <td width="139"><input type="password" name="password"></td> </tr> <tr> <td width="71"> </td> <td width="139"> <p align="right"><input type="submit" name="submit" value="Submit"></p> </td> </tr> </table> </td> </tr> <tr> <td width="219" bgcolor="#999999"><font color="white">Not Registered? </font><a href="register.html" target="_self"><font color="white">Register</font></a><font color="white"> </font><b><i><font color="white">Now!</font></i></b></td> </tr> </table> </form> login.php <?php //Database Information $dbhost = "127.0.0.1"; $dbname = "test1"; $dbuser = "odbcuser"; $dbpass = "odbcpass"; //Connect to database mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error()); mysql_select_db($dbname) or die(mysql_error()); session_start(); $username = $_POST['username']; $password = md5($_POST['password']); $query = "select * from user where username='$username' and password='$password'"; $result = mysql_query($query); if (mysql_num_rows($result) != 1) { echo "bad login"; $error = "Bad Login"; include "login.html"; } else { $_SESSION['username'] = "$username"; include "memberspage.php"; } ?> login.html <form name="login" method="post" action="register.php"> <table border="0" width="225" align="center"> <tr> <td width="219" bgcolor="#999999"> <p align="center"><font color="white"><span style="font-size:12pt;"><b>Registration</b></span></font></p> </td> </tr> <tr> <td width="219"> <table border="0" width="282" align="center"> <tr> <td width="116"><span style="font-size:10pt;">Name:</span></td> <td width="156"><input type="text" name="name" maxlength="100"></td> </tr> <tr> <td width="116"><span style="font-size:10pt;">Email:</span></td> <td width="156"><input type="text" name="email" maxlength="100"></td> </tr> <tr> <td width="116"><span style="font-size:10pt;">Username:</span></td> <td width="156"><input type="text" name="username"></td> </tr> <tr> <td width="116"><span style="font-size:10pt;">Password:</span></td> <td width="156"><input type="password" name="password"></td> </tr> <tr> <td width="116"> </td> <td width="156"> <p align="right"><input type="submit" name="submit" value="Submit"></p> </td> </tr> </table> </td> </tr> <tr> <td width="219" bgcolor="#999999"> </td> </tr> </table> </form> register.php <?PHP //Database Information $dbhost = "127.0.0.1"; $dbname = "test1"; $dbuser = "odbcuser"; $dbpass = "odbcpass"; //Connect to database mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error()); mysql_select_db($dbname) or die(mysql_error()); $name = $_POST['name']; $email = $_POST['email']; $username = $_POST['username']; $password = md5($_POST['password']); // lets check to see if the username already exists $checkuser = mysql_query("SELECT username FROM user WHERE username='$username'"); $username_exist = mysql_num_rows($checkuser); if($username_exist > 0){ echo "I'm sorry but the username you specified has already been taken. Please pick another one."; unset($username); include 'register.html'; exit(); } // lf no errors present with the username // use a query to insert the data into the database. $query = "INSERT INTO user (name, email, username, password) VALUES('$name', '$email', '$username', '$password')"; mysql_query($query) or die(mysql_error()); mysql_close(); echo "You have successfully Registered"; ?> memberspage.php <? $dbhost = "127.0.0.1"; $dbname = "test1"; $dbuser = "odbcuser"; $dbpass = "odbcpass"; // members page session_start(); if ( empty( $username ) ) { print "Please login below!"; include 'login.html'; } else { //Connect to database mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error()); mysql_select_db($dbname) or die(mysql_error()); $query="SELECT * FROM user"; $result=mysql_query($query); $num=mysql_numrows($result); echo "<b><center>Database Output</center></b><br><br>"; $i=0; while ($i < $num) { $userid=mysql_result($result,$i,"userid"); $name=mysql_result($result,$i,"name"); $email=mysql_result($result,$i,"email"); $username=mysql_result($result,$i,"username"); echo "<b>$name</b><br>UserID: $userid<br>E-mail: $email<br>Username: $username<br><hr><br>"; $i++; } } mysql_close(); ?> <html> <head> <title>MEMBERS ONLY</title> </head> <body> </body> </html> <? ?> I've been trying to exploit it using the following guides: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php http://www.netlobo.com/preventing_mysql_injection.html anyone have any ideas what I'm doing wrong? Quote Link to comment https://forums.phpfreaks.com/topic/69698-raising-mysql-injection-awareness/ Share on other sites More sharing options...
dethcom4 Posted September 18, 2007 Author Share Posted September 18, 2007 a Quote Link to comment https://forums.phpfreaks.com/topic/69698-raising-mysql-injection-awareness/#findComment-350397 Share on other sites More sharing options...
fenway Posted September 18, 2007 Share Posted September 18, 2007 Sometimes magic_quotes can be enaged. Quote Link to comment https://forums.phpfreaks.com/topic/69698-raising-mysql-injection-awareness/#findComment-350529 Share on other sites More sharing options...
jaymc Posted September 19, 2007 Share Posted September 19, 2007 Put all your parsed queries into variables like so $checkuser = "SELECT username FROM user WHERE username='$username"; Then echo them out, that way you can see if they have been manipulated via the likes of magic_quotes which may be enabled in php.ini Give you an idea of what mysql is seeing when its executing the final query Quote Link to comment https://forums.phpfreaks.com/topic/69698-raising-mysql-injection-awareness/#findComment-351227 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.