eko_wardoyo, posted June 19, 2008:
I used SQL injection in PHP with 'OR 1=1-- and other SQL injections, but it failed. Do you know what made it fail? Can you help me???
boen_robot, posted June 19, 2008:
Where did you try to use it? What is the supposedly vulnerable PHP code? The way you're saying it makes it sound as if you've tried it on a famous CMS, forum or blog system like IPB, phpBB, WordPress or Drupal. If so, then you shouldn't be surprised, as the developers of those systems are aware of these things and have long since protected their products from it.
eko_wardoyo (topic author), posted June 21, 2008:
I tried it on my own web server ("localhost"). Here is the script that checks the username and password:

```php
<?php
require_once('koneksi.php');

$username = $_POST['user'];
$password = $_POST['password'];

// Username and password are concatenated straight into the query string.
$sql = "select * from user where username='$username' and password='$password'";
$hasil = mysql_query($sql);
$hit = mysql_num_rows($hasil);

if ($hit == 1) {
    echo "<meta http-equiv='refresh' content='0;url=hal_utama.php'>";
} else {
    // incorrect username and password
    echo "Username atau Password anda belum benar!<br>";
    echo "Silahkan anda <a href='login.php'>Login</a> kembali";
}
?>
```

I tried to inject into the username using 'or 1=1--, but the server says the username is incorrect. When I tried it in ASP, this injection succeeded.
zppblood, posted June 21, 2008:
From the MySQL documentation: "From a “-- ” sequence to the end of the line. In MySQL, the “-- ” (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)."

You will also want to make sure that the name you used for the textbox for entering your username is the same as the value in $_POST['right_here']. You seem to use user for your table, and username for the variable and field name.
eko_wardoyo (topic author), posted June 22, 2008:
"the “-- ” (double-dash) comment style requires the second dash to be followed by at least one whitespace or control character (such as a space, tab, newline, and so on)."

Mmm... I still don't understand what you mean. For example, would the SQL injection script be like what you said: 'or 1=1--/n  Is that correct?
Synook, posted June 22, 2008:
Illegal (-- followed by /): 'or 1=1--/n
Legal (-- followed by \n newline control char): 'or 1=1--\n
Legal (-- followed by whitespace): 'or 1=1-- comment!
eko_wardoyo (topic author), posted June 23, 2008:
"Legal (-- followed by \n newline control char): 'or 1=1--\n
Legal (-- followed by whitespace): 'or 1=1-- comment!"

I have tried what you said, but the server still says the username is incorrect, and I've tried turning off magic_quotes_gpc in php.ini; the server still says the username is incorrect. Do you know why?
justsomeguy, posted June 23, 2008:
You can't write "\n" for a newline character, you need to put an actual newline there. You don't need a newline there though, you only need a space. Just put a space after the two dashes. If PHP has magic_quotes enabled then it will be escaping the slash automatically and the SQL injection won't work in this case.
eko_wardoyo (topic author), posted June 23, 2008:
"You can't write "\n" for a newline character, you need to put an actual newline there. You don't need a newline there though, you only need a space. Just put a space after the two dashes. If PHP has magic_quotes enabled then it will be escaping the slash automatically and the SQL injection won't work in this case."

I've tried SQL injection with a space after the double dash, but it didn't work at all, and I've also tried many SQL injections such as:
hi'or 1=1--
admin'--
'or '1''='1
Why does the script above only work in ASP??? Do you know how to do the injection without turning off magic_quotes_gpc???
justsomeguy, posted June 23, 2008:
Print the $sql variable after the query gets created to see what it contains.
eko_wardoyo (topic author), posted June 27, 2008:
"Print the $sql variable after the query gets created to see what it contains."

Hmmm... I've tried printing $sql, and the result is that magic_quotes adds slashes when I try to do the injection, even though magic_quotes is turned off. Thanks for your advice.
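Added example, not eko_wardoyo's script or anything from the thread: the same username/password check rewritten with a PDO prepared statement, so the input is never part of the SQL text and the check no longer depends on magic_quotes_gpc (which was only ever a stopgap and was removed in PHP 5.4). The table and column names user, username and password are taken from the thread; the DSN and database credentials are placeholders.

```php
<?php
// Added example, not the original poster's script. Table/column names follow
// the thread (user, username, password); DSN and credentials are placeholders.

// Same lookup as the thread's $sql, but username and password are bound
// parameters: they reach MySQL as data, so a quote or a "-- " comment
// marker in the input cannot change the query text.
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM user WHERE username = ? AND password = ?'
    );
    $stmt->execute([$username, $password]);
    // Mirrors the original $hit == 1 check.
    return (int) $stmt->fetchColumn() === 1;
}

$db = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares instead of client-side string quoting.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// Read the form fields as-is: no addslashes()/magic_quotes-style mangling,
// which is what produced the backslashes the poster saw when printing $sql.
$username = $_POST['user'] ?? '';
$password = $_POST['password'] ?? '';

if (checkLogin($db, $username, $password)) {
    header('Location: hal_utama.php');
    exit;
}
echo "Username atau Password anda belum benar!<br>";
echo "Silahkan anda <a href='login.php'>Login</a> kembali";
```

Printing $sql, as suggested in the thread, is no longer informative here because the statement text sent to the server contains only the two ? markers; the values travel separately.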