SQL Injection


eko_wardoyo


Where did you try to use it? What is the supposedly vulnerable PHP code? The way you're saying it makes it sound as if you've tried it on a famous CMS, forum or blog system like IPB, phpBB, WordPress or Drupal. If so, then you shouldn't be surprised, as the developers of those systems are aware of these things and have long since protected their products from it.


I tried it on my own web server ("localhost"); here is the script that checks the username and password:

    <?php
    require_once('koneksi.php');
    $username = $_POST['user'];
    $password = $_POST['password'];
    // user-supplied values are concatenated straight into the query text
    $sql = "select * from user where username='$username' and password='$password'";
    $hasil = mysql_query($sql);
    $hit = mysql_num_rows($hasil);
    if ($hit == 1) {
        echo "<meta http-equiv='refresh' content='0;url=hal_utama.php'>";
    } else {
        // incorrect username and password
        echo "Username atau Password anda belum benar!<br>";
        echo "Silahkan anda <a href='login.php'>Login</a> kembali";
    }
    ?>

I tried to inject into the username using 'or 1=1--, but the server says the username is incorrect :) , but when I try it in ASP this injection succeeds :)


From the MySQL documentation: "From a “-- ” sequence to the end of the line. In MySQL, the “-- ” (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)."

You will also want to make sure that the name you used for the textbox for entering your username is the same as the value in $_POST['right_here']. You seem to use user for your table, and username for the variable and field name.


the “-- ” (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)."

mmm... I still don't understand what you mean. :) For example, for the SQL injection string, just like what you said:

'or 1=1--/n

Is it correct? :)

Illegal (-- followed by /)

'or 1=1--/n

Legal (-- followed by \n newline control char)

'or 1=1--\n

Legal (-- followed by whitespace)

'or 1=1-- comment!


Legal (-- followed by \n newline control char)
'or 1=1--\n

Legal (-- followed by whitespace)

'or 1=1-- comment!

I have tried what you said, but the server still says the username is incorrect :) and I've tried to turn off magic_quotes_gpc in php.ini, but the server still says the username is incorrect :mellow: do you know why? :)

You can't write "\n" for a newline character, you need to put an actual newline there. You don't need a newline there though, you only need a space. Just put a space after the two dashes. If PHP has magic_quotes enabled then it will be escaping the slash automatically and the SQL injection won't work in this case.


You can't write "\n" for a newline character, you need to put an actual newline there. You don't need a newline there though, you only need a space. Just put a space after the two dashes. If PHP has magic_quotes enabled then it will be escaping the slash automatically and the SQL injection won't work in this case.
I've tried the SQL injection, adding a space after the double dash, but it didn't work at all, and I've also tried many SQL injection strings such as:

hi'or 1=1--
admin'--
'or '1''='1

Why does the script above only work in ASP??? :) Do you know how to do the injection without turning off magic_quotes_gpc???

Print the $sql variable after the query gets created to see what it contains.

hmmm... I've tried to print the $sql and the result is that magic_quotes adds slashes when I try to do the injection, even though magic_quotes is turned off :) thanks for your advice
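As an added example (not code from the thread or from any of its posters), the Python script below ties the thread's points together: it builds the query exactly the way the PHP post does, prints it as the last reply suggests, checks the MySQL double-dash rule quoted above against the resulting query text, shows what addslashes (the behaviour of magic_quotes_gpc) does to the input, and contrasts the concatenated query with a parameterized one. The `user` table is a constructed in-memory SQLite stand-in with a single row; because SQLite's `--` comment rule differs from MySQL's, only the payload with a trailing space is actually executed (both engines treat that as a comment), while the unspaced payload is judged on the string with the MySQL rule.

```python
import sqlite3
import unicodedata

# Constructed stand-in for the thread's MySQL `user` table: one row, as on a fresh test install.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, password text)")
    conn.execute("insert into user values ('admin', 's3cret')")
    return conn

def build_query_unsafe(username, password):
    # Same construction as the PHP post: raw POST values dropped into the SQL text.
    return f"select * from user where username='{username}' and password='{password}'"

def mysql_double_dash_is_comment(sql):
    """True if the first '--' in sql would start a comment under the MySQL rule quoted in
    the thread: the second dash must be followed by whitespace or a control character."""
    i = sql.find("--")
    if i == -1 or i + 2 >= len(sql):
        return False            # no '--', or nothing follows it (does not arise in the thread's query)
    nxt = sql[i + 2]
    return nxt.isspace() or unicodedata.category(nxt) == "Cc"

def php_addslashes(s):
    # What magic_quotes_gpc did to request data: backslash-escape quotes, backslashes and NUL.
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def login_unsafe(conn, username, password):
    # The PHP post's logic: concatenated query, then $hit == 1.
    # Note that 'or 1=1' matches every row, so with more than one user even this
    # check would fail for a different reason than the one discussed in the thread.
    rows = conn.execute(build_query_unsafe(username, password)).fetchall()
    return len(rows) == 1

def login_safe(conn, username, password):
    # Placeholders: the driver sends the values separately, so quotes and '--' stay data.
    rows = conn.execute(
        "select * from user where username=? and password=?", (username, password)
    ).fetchall()
    return len(rows) == 1

if __name__ == "__main__":
    conn = make_db()
    for u in ["' or 1=1--", "' or 1=1-- "]:
        q = build_query_unsafe(u, "x")
        print(repr(q), "-> MySQL sees a comment:", mysql_double_dash_is_comment(q))
    print("with magic_quotes:", build_query_unsafe(php_addslashes("' or 1=1-- "), "x"))
    print("concatenated query, spaced payload:", login_unsafe(conn, "' or 1=1-- ", "x"))
    print("parameterized query, spaced payload:", login_safe(conn, "' or 1=1-- ", "x"))
    print("parameterized query, real credentials:", login_safe(conn, "admin", "s3cret"))
```

Printing the built query makes the thread's diagnosis visible: with `' or 1=1--` the character after the dashes is the `'` that opens the password literal, so MySQL does not start a comment and the statement is malformed; with `' or 1=1-- ` the rest of the WHERE clause is commented out. With addslashes applied the quote becomes `\'` and stays inside the string literal, which is why the injection fails while magic_quotes is in effect. The parameterized version is unaffected either way, and is the fix to ship.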
