Code:

```php
<?php
// The cookie value is taken from the client as-is, with no validation or escaping.
$user['id'] = $_COOKIE['uid'];
// The cookie value is concatenated straight into the SQL string: this is the injection point.
$query = "SELECT name, password FROM members where uid='" . $user['id'] . "'";
// Legacy mysql_* extension (removed in PHP 7); runs whatever SQL the cookie produced.
$query = mysql_query($query);
// mysql_result() returns the first column (name) of the first row.
$name = mysql_result($query, 0);
echo 'Hello ' . $name . '!';
?>
```
You can now use a tool such as the Firefox extension called Cookie Editor to modify the cookie; you can also do this with JavaScript.
You then edit the cookie's value. It would have been something like "12", but after editing it and adding SQL code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--".
That will change the query and display the user connected to the database instead of the name of the user stored in the database.
That will result in the following being echoed: "Hello root@localhost".
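For comparison, here is the same lookup written so that the cookie cannot alter the query. This is an added example, not code from the original post; it assumes an existing mysqli connection in `$db` and the `members(uid, name)` table used above.

```php
<?php
// Added example (not from the original post): the same lookup done safely.
// Assumes an existing mysqli connection in $db and the members(uid, name) table above.

// 1. Treat the cookie as untrusted input: require a positive integer, nothing else.
//    filter_input() returns null if the cookie is absent and false if it fails validation.
$uid = filter_input(INPUT_COOKIE, 'uid', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($uid === false || $uid === null) {
    http_response_code(400);
    exit('Invalid session cookie');
}

// 2. Never build SQL by string concatenation; bind the value as a parameter.
//    The driver sends the value separately from the statement text, so a cookie
//    containing SQL keywords is only ever compared against uid, never parsed as SQL.
//    The password column is not selected: the page never needs it.
$stmt = $db->prepare('SELECT name FROM members WHERE uid = ?');
$stmt->bind_param('i', $uid);
$stmt->execute();
$stmt->bind_result($name);

if ($stmt->fetch()) {
    // 3. Escape output so a stored name cannot inject HTML into the page either.
    echo 'Hello ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!';
} else {
    echo 'Unknown user';
}
$stmt->close();
?>
```

Note that validating and binding `uid` stops the injection but does not make the cookie a trustworthy identity; that still requires a server-side session rather than a client-chosen user id.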
http://secunia.com/advisories/29200/