Gentoo Forums
MySQL Injection With Apostrophe Question
Gentoo Forums Forum Index :: Networking & Security
dman777
Veteran
Joined: 10 Jan 2007
Posts: 1004

PostPosted: Sat Jun 23, 2012 10:48 pm    Post subject: MySQL Injection With Apostrophe Question

I was reading the tutorial on hardening a PHP web server. In it they show an exploit with an SQL injection:

Code:
$check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");


If the user types:
Code:
' OR 1=1 #
in the username field box the code would look like:

Code:
SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''


What I don't understand is how just one apostrophe makes Username = '".$_POST['username']."' into Username = ''. To me, with variable expansion in an even set of single quotes, that would make a total of 3 quotes: Username = '''.
sebaro
Veteran
Joined: 03 Jul 2006
Posts: 1141
Location: Romania

PostPosted: Sun Jun 24, 2012 9:54 am    Post subject:

str1 = SELECT Username, Password FROM Users WHERE Username = '
str2 = ' OR 1=1 #
str3 = ' and Password = '
str4 =
str5 = '

str = SELECT Username, Password FROM Users WHERE Username = ' . ' OR 1=1 #' . and Password = ' . '
str = SELECT Username, Password FROM Users WHERE Username = ' ' OR 1=1 #' and Password = ''

Try it in a shell:
# user="' OR 1=1 #";pass="";echo "SELECT Username, Password, UserLevel FROM Users WHERE Username = '$user' and Password = '$pass'"
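The same concatenation worked through in Python against an in-memory SQLite table, with a parameterized query beside it; this is an added example, not code from the thread or the tutorial. The Users table and its single row are constructed here, and because SQLite has no `#` comment the injected tail ends in the standard `--` instead of MySQL's `#`.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the tutorial's Users table (sample row, not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT, UserLevel INTEGER)")
    con.execute("INSERT INTO Users VALUES ('alice', 'correct horse', 1)")
    return con


def build_query(username, password):
    """Same concatenation as the PHP line in the first post: the code opens a
    quote, the input is pasted in verbatim, the code closes the quote. A
    leading apostrophe in the input therefore closes the literal early, and
    everything after it is parsed as SQL rather than as data."""
    return ("SELECT Username, Password, UserLevel FROM Users WHERE Username = '"
            + username + "' and Password = '" + password + "'")


def login_concat(con, username, password):
    """Vulnerable: runs whatever build_query produced."""
    return con.execute(build_query(username, password)).fetchall()


def login_param(con, username, password):
    """Fixed: values are bound as parameters, so a quote in the input is just a
    character inside a string and never changes the statement's structure."""
    sql = ("SELECT Username, Password, UserLevel FROM Users "
           "WHERE Username = ? and Password = ?")
    return con.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    con = make_db()
    # SQLite has no '#' comment; '--' plays the same role as MySQL's '#' here.
    evil = "' OR 1=1 --"
    print(build_query(evil, ""))
    print("concatenated :", login_concat(con, evil, ""))  # row returned: login bypassed
    print("parameterized:", login_param(con, evil, ""))   # []: the quote stayed data
```

Note that with a lone apostrophe `build_query` really does produce the three quotes the question expects (`Username = '''`); the injection works only because the comment marker after `OR 1=1` discards that third quote and the rest of the statement.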
athena810
Apprentice
Joined: 23 Jun 2012
Posts: 176

PostPosted: Wed Jun 27, 2012 6:49 pm    Post subject:

Normally, for SQL injection, it works with a form, like a username/password form.
Code:

Username: ' or 1=1--
Password: ' or 1=1--


And there's a lot of variations. Like, 'admin or 1=1-- works for the username sometimes if you know that the username is admin.
It's basically saying that whatever it is (admin, root) equals 1=1 which is true so user gets access.

Actually, this trick rarely works anymore.

Most people look for databases. You can test if a site is vulnerable to an SQL injection because it will look something like this:

http://www.blah.com/index.php?id=2

Anything with php?id=[a number] is normally vulnerable to an SQLi.

People like to go on google and search

Code:
inurl:php?id=
which normally will give you a nice list of SQLi-vulnerable sites.

You test it by adding a ' after the URL, then refresh it. If anything looks different from the original, then it is SQLi vulnerable.
However, it cannot come up as a 404 not found... that won't work.

Like, everyone likes to SQLi this site: http://www.cooksnotebook.com/recipe.php?id=75

But no one ever actually has the time to go through the hashes.