Find the exploit

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00


Post by bubzuru »

Here is my PHP login script:
http://rapidshare.com/files/56581239/Login.rar.html
I want you to see if you can find any sploits in there.

To set it up, just edit connection.php with your database info, then in your SQL DB create a table called users with 3 rows:

user_id (integer, not null)
user_name (varchar)
user_password (varchar)

Thanks :)

Gogeta70
^_^
Posts: 3275
Joined: 25 Jun 2005, 16:00

Post by Gogeta70 »

This is vulnerable to SQL injection. Considering that this may be used on servers where PHP does not have magic quotes set up, all a person has to do is type the following in the user name field:

```text
");$query = sprintf("UPDATE $database SET user_password='hacked' WHERE user_name='Administrator''");$result = mysql_query ($query);die();
```

Or something similar to that; since I don't do much with SQL I can't be exactly sure, but something like that would cause a lot of trouble.
¯\_(ツ)_/¯ It works on my machine...


Post by bubzuru »

gogeta70 wrote:
> This is vulnerable to SQL injection. Considering that this may be used on servers where PHP does not have magic quotes set up, all a person has to do is type the following in the user name field:
>
> ```text
> ");$query = sprintf("UPDATE $database SET user_password='hacked' WHERE user_name='Administrator''");$result = mysql_query ($query);die();
> ```
>
> Or something similar to that; since I don't do much with SQL I can't be exactly sure, but something like that would cause a lot of trouble.

Can you tell me the vulnerable code and maybe a PoC?


Post by Gogeta70 »

Vulnerable code? Sure:

```php
// Raw POST values, later interpolated straight into the SQL query string.
$user = $_POST['user'];
$pass = $_POST['pass'];
$submited = $_POST['submited'];
```

Should be:

```php
// Escape the two values that end up inside SQL string literals.
// mysql_real_escape_string() needs an open MySQL connection (connection.php).
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$submited = $_POST['submited'];
```
As for a proof of concept, google for "sql injection" and that's all the proof you'll need...

Either way, it's up to you to patch your input, using raw input for sql queries is dangerous!!!
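
The pattern Gogeta70 describes, shown end to end as an added example (this is not code from the thread, nor from bubzuru's Login.rar, which is not on the page): a login query built by dropping the raw user name and password into the SQL text, next to the same query with bound parameters, both run against a constructed in-memory SQLite table with the three columns bubzuru listed. The query shape, the sample rows and the two payloads are assumptions. The hardened version uses parameter binding rather than the mysql_real_escape_string() fix given in the thread, which is the fix a practitioner would reach for today; the failure it prevents is the same one.

```python
import sqlite3

# Constructed sample schema, following the columns named in the thread
# (user_id, user_name, user_password). The real Login.rar script is not on
# the page, so the SELECT below is an assumed shape for a login check.
SCHEMA = """
CREATE TABLE users (
    user_id       INTEGER NOT NULL PRIMARY KEY,
    user_name     VARCHAR,
    user_password VARCHAR
);
INSERT INTO users VALUES (1, 'Administrator', 's3cret');
INSERT INTO users VALUES (2, 'bob', 'hunter2');
"""


def make_db():
    """Fresh in-memory database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, user, password):
    """The pattern the thread calls out: raw POST values interpolated into
    the query text, so a quote in the input becomes SQL syntax."""
    query = ("SELECT user_id FROM users WHERE user_name='%s' "
             "AND user_password='%s'" % (user, password))
    row = conn.execute(query).fetchone()
    return row is not None


def login_parameterized(conn, user, password):
    """Hardened form: the driver binds the values separately from the
    statement, so quotes and comment markers in the input are just data."""
    query = ("SELECT user_id FROM users WHERE user_name=? "
             "AND user_password=?")
    row = conn.execute(query, (user, password)).fetchone()
    return row is not None


# Constructed payloads (assumptions, not taken from the thread).
# Closes the user_name literal and comments out the password check:
#   ... WHERE user_name='Administrator' -- ' AND user_password='...'
COMMENT_OUT_USER = "Administrator' -- "
# The classic tautology; used in both fields it makes the WHERE clause true.
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Runs each payload against both login functions and returns the
    outcomes, so the difference can be checked rather than just printed."""
    conn = make_db()
    results = {
        "valid_creds_vuln": login_vulnerable(conn, "bob", "hunter2"),
        "valid_creds_param": login_parameterized(conn, "bob", "hunter2"),
        "comment_bypass_vuln": login_vulnerable(conn, COMMENT_OUT_USER, "x"),
        "comment_bypass_param": login_parameterized(conn, COMMENT_OUT_USER, "x"),
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "tautology_param": login_parameterized(conn, TAUTOLOGY, TAUTOLOGY),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-22s %s" % (name, "LOGGED IN" if ok else "rejected"))
```

Both payloads log in against login_vulnerable() without knowing any password and are rejected by login_parameterized(), while real credentials work in both. Escaping the input, as in the thread, closes the same hole for string literals; binding parameters also covers numeric fields, where no quotes exist to escape.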
