PHP with SQL Injection

Ok, starting fresh >

For our first assignment in a System Security class, we have to hack into the professors "cheaply organized" sql database. I know the only user is "admin" and picking a random password, the select statement generated in the php is:

select user_id from user where user_username = 'admin' AND user_password = md5('noob')

Now, I go for the basic starting point of trying to hack the crappy login with "admin'--"

select user_id from user where user_username = 'admin'--' AND user_password = md5('noob')

but the actual value being pushed to the database is

select user_id from user where user_username = 'admin\'--' AND user_password = md5('noob')

which doesn't help. The server uses POST to get the values from the form. I've already by开发者_运维技巧passed any value processing on my side of the send by disabling javascript.

There does not appear to be anything in the php that modifies the input in any way.

Assuming the select statement is part of a login form, then most likely it's generated something like this:

$user = $_POST['username'];
$pwd = $_POST['password'];

$query = "SELECT .... WHERE user_username='$user' AND user_password=md5('$pwd')";

which means, you could hack in by entering:

noob') or ('a'='a

for the password, giving you

SELECT .... AND user_password=md5('noob') or ('a'='a')
                                   ^^^^^^^^^^^^^^^^^-- your contribution

The actual password might not match, but 'a' will always equal itself, so the where clause will succeed and match a record based purely on the username and return the admin user's user_id.

As others had mentioned the escaping that you see is not the OS, but some form of encoding done in PHP (likely magic quotes, but could be a straight call to addslashes()).

Basically what you need to do is send in a form of quote that will not be escaped. You should research why one would use mysql_escape_string() rather than addslashes() and/or check this out: http://forums.hackthissite.org/viewtopic.php?f=37&t=4295&p=30747

Try ' OR 1; -- as user name. Imagine what the SQL query from such a user name looks like.

This has nothing to do with the operating system. The operating system simply runs the PHP package. PHP is what does sanitization, etc.

Have you tried submitting the following string for user_username?:

admin' OR 1=1-- #assuming mysql

Would yield a query:

select user_id from user where user_username = 'admin' OR 1=1 --' AND user_password = md5('noob')

In mysql (assuming the database type), -- is a comment, so everything after 1=1 is ignored. As a result, you've successfully gained access.

If php magic quotes are on, however, this will be slightly more difficult. You will need to submit characters outside of utf-8 or attempt overflows or submitting null bytes.

You could also try a bit of googling after entering a string that will error out the admin and use part of message that comes back as the key words.

You could also use the http://gray.cs.uni.edu/moodle/mod/forum/discuss.php?d=106 fourm to ask questions so the whole class can benifit!

if you can figure out how to upload files that would be great! I want to get c99.php up to really do some damage!

you could also try some "hash" verse "dash dash"