Here is my PHP login script:
http://rapidshare.com/files/56581239/Login.rar.html
I want you to see if you can find any exploits in there.
To set it up, just edit connection.php with your database info, then in your SQL db create a table called users with 3 rows:
user_id *integer not_null*
user_name *varchar*
user_password *varchar*
Thanks
Find the exploit
This is vulnerable to SQL injection. Considering that this may be used on servers where PHP does not have magic quotes set up, all a person has to do is type the following in the user name field:
Code: Select all
");$query = sprintf("UPDATE $database SET user_password='hacked' WHERE user_name='Administrator''");$result = mysql_query ($query);die();
Or something similar to that. Since I don't do much with SQL I can't be exactly sure, but something like that would cause a lot of trouble.
¯\_(ツ)_/¯ It works on my machine...
Can you tell me the vulnerable code and maybe a POC?
gogeta70 wrote:
This is vulnerable to SQL injection. Considering that this may be used on servers where PHP does not have magic quotes set up, all a person has to do is type the following in the user name field:
Code: Select all
");$query = sprintf("UPDATE $database SET user_password='hacked' WHERE user_name='Administrator''");$result = mysql_query ($query);die();
Or something similar to that. Since I don't do much with SQL I can't be exactly sure, but something like that would cause a lot of trouble.
Vulnerable code? Sure:
Code: Select all
$user = $_POST['user'];
$pass = $_POST['pass'];
$submited = $_POST['submited'];
Should be:
Code: Select all
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$submited = $_POST['submited'];
As for a proof of concept, google for "sql injection" and that's all the proof you'll need...
Either way, it's up to you to patch your input; using raw input for SQL queries is dangerous!!!
¯\_(ツ)_/¯ It works on my machine...
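Editor's note: the following is an added example, not code from the thread or from the poster's Login.rar. It shows the pattern criticised above (POST values pasted straight into the query) and a login bypass against it, side by side with the fixed version. It is written in Python against an in-memory SQLite database standing in for PHP/MySQL, the users table follows the layout described in the first post, the two sample rows and the login functions are constructed for the demonstration, and the fix uses a parameterised query rather than the mysql_real_escape_string() call suggested in the reply.

```python
import sqlite3

# Constructed sample data mirroring the users table described in the thread
# (user_id, user_name, user_password; passwords stored as plain varchar, as there).
USERS = [
    (1, "Administrator", "s3cret"),
    (2, "alice", "hunter2"),
]


def make_db():
    """Build the in-memory users table. Hypothetical stand-in for connection.php."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER NOT NULL, user_name TEXT, user_password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, password):
    """Raw input interpolated into the SQL text, the pattern the reply flags.

    Returns the matched user_name, or None when no row matches.
    """
    query = (
        "SELECT user_name FROM users WHERE user_name='%s' AND user_password='%s'"
        % (user, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn, user, password):
    """Parameterised query: values travel separately from the SQL text, so a
    quote character in the input can never change the statement's structure."""
    row = conn.execute(
        "SELECT user_name FROM users WHERE user_name=? AND user_password=?",
        (user, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run one bypass attempt against both versions and return the outcomes."""
    conn = make_db()
    # The attacker knows (or guesses) the admin's user name but not the password.
    # Closing the quote and starting a SQL comment drops the password check.
    payload = "Administrator' -- "
    results = {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),   # 'Administrator'
        "fixed": login_fixed(conn, payload, "wrong"),             # None
        "fixed_valid": login_fixed(conn, "alice", "hunter2"),     # 'alice'
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

With the payload in the user name field the interpolated statement becomes `... WHERE user_name='Administrator' -- ' AND user_password='wrong'`, so the password clause is commented out and the vulnerable version logs the attacker in as Administrator; the parameterised version treats the whole string as a literal name and finds no row. Two caveats for readers applying the thread's advice: mysql_real_escape_string() only protects values that are wrapped in quotes in the query (an unquoted numeric field such as user_id still needs a cast or a prepared statement), and mysql_query() executes a single statement, so the stacked UPDATE payload in the earlier reply would be rejected by the server, whereas the comment-based bypass above needs no second statement.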