
I'm creating a test project for my classmates to show how PHP code with unchecked variables is dangerous. I'm using the deprecated mysql_* functions and a simple database with 2 tables:

users  
data

and in the users I have just the admin user.

I have created a simple html form:

    <form action="login" method="POST">
        username: <input type="text" name="username">
        password: <input type="text" name="password">
        <input type="submit" value="login">
    </form>

and the login.php page simply gets the POST data and builds the query like this:

    $uname = strtolower(trim($_POST['username']));
    $passw = strtolower(trim($_POST['password']));

    // untrusted input is concatenated straight into the SQL text (the deliberately vulnerable part)
    $result = mysql_query("
        SELECT *
        FROM users
        WHERE username='".$uname."' and password=MD5('".$passw."')"
    );
    // mysql_query() returns false when MySQL rejects the statement; this check treats that as a failed login
    if(mysql_num_rows($result) != 1){
        echo "Non valid";
    }else{
        echo "Logged in";
    }

and this is my input on username field:

    ' or 1=1 -- 

that should produce a query like:

SELECT * FROM users WHERE username='' or 1=1 -- ' and password=MD5('') 

If I run this query in SequelPro or phpMyAdmin the query gives me the first row of the table, so it works. But if I submit the form the result is Not valid.

I tried also to use the password field with this input:

    ') or 1=1 -- 

and this is the query generated:

SELECT * FROM users WHERE username='' and password=MD5('') or 1=1 -- ') 

but the result is the same: it works in SequelPro but not in the form.

I think that the mysql_query function will not recognize the -- comment. Am I right?
What am I doing wrong?

Christian Giupponi
  • Please post the exact error you are receiving from executing the query via `mysql_query()`. – geomagas Oct 12 '13 at 10:31
  • @Christian: can you check the number of rows in table `users`? If there is more than one, see my answer below - otherwise I have to resign ;) – Trinimon Oct 12 '13 at 10:36
  • Ciao Christian, did you try to LIMIT 1 your query? Are you sure that your code will return only a row? – DonCallisto Oct 12 '13 at 11:06
  • @Your Common Sense, your comment is not useful. I'm studying this stuff, it's my first approach and my teacher asked me to prepare a demo to understand if I'm able to study something that he doesn't teach already, so please any help is appreciated, no sarcasm – Christian Giupponi Oct 12 '13 at 12:43
  • I wouldn't call it sarcasm but rather bitterness. If he didn't teach you debugging, he isn't a teacher at all, but rather a commonplace cargo cult preacher. If he did - you have to study what you have been taught first. – Your Common Sense Oct 12 '13 at 12:48
  • By the way, your concept is wrong. It is not "unchecked data" but *improperly formatted query* being *the only* cause. – Your Common Sense Oct 12 '13 at 13:02
  • Can you give me any resources about debugging? – Christian Giupponi Oct 30 '13 at 13:06
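The same login check written both ways, as an added example that is not code from the question or the answer: the concatenated version the demo uses beside the prepared-statement version that makes the query structure independent of the input. It assumes a mysqli connection `$db` and a `users` table whose `password_hash` column was filled with `password_hash()` (the question's table stores MD5 values instead).

```php
<?php
// Added example, not from the question. Assumes an open mysqli connection $db.

// VULNERABLE: untrusted input is spliced into the SQL text, so characters in
// $uname or $passw are parsed as SQL. This is the shape of the question's code.
function login_vulnerable(mysqli $db, string $uname, string $passw): bool
{
    $sql = "SELECT * FROM users WHERE username='" . $uname
         . "' AND password=MD5('" . $passw . "')";
    $result = $db->query($sql);
    if ($result === false) {
        // MySQL rejected the statement. The question's code passes this
        // false straight to mysql_num_rows() and prints "Non valid", which
        // hides the real cause; log $db->error instead of swallowing it.
        error_log("login query failed: " . $db->error);
        return false;
    }
    return $result->num_rows === 1;
}

// FIXED: the statement text is fixed at prepare time and the value is bound
// afterwards, so it can never change the structure of the query, whatever
// characters it contains. No escaping of the input is needed or attempted.
function login_safe(mysqli $db, string $uname, string $passw): bool
{
    $stmt = $db->prepare("SELECT password_hash FROM users WHERE username = ?");
    if ($stmt === false) {
        error_log("prepare failed: " . $db->error);
        return false;
    }
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // password_verify() replaces MD5(): salted, slow hash, constant-time compare.
    return is_array($row) && password_verify($passw, $row['password_hash']);
}
```

With `login_safe()` the inputs from the question arrive at MySQL as plain string values, so the lookup simply finds no user with that name and the check returns false.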

1 Answer

try this in the username field:

' or 1=1 or '

and enter whatever password you want. don't forget about the space after the 's. it turns your code into this:

    mysql_query("select * from users where username='' or 1=1 or '' and
    password=".md5('$pass'))

and it always returns true.

it MUST work, if it doesn't, do this:

    echo "
        SELECT *
        FROM users
        WHERE username='".$uname."' and password=MD5('".$passw."')";

and post the result as a comment for me, maybe I could help you

Alireza Fallah
  • Same result as my tests, the query works in SequelPro but not in mysql_query. I have used `' or 1=1 or ' ` as username and `hello` as password and the echo returns: `SELECT * FROM users WHERE username='' or 1=1 or ' ' and password=MD5('hello')` – Christian Giupponi Oct 12 '13 at 12:35
  • oh, you should put MD5() in the `''` , try this and let me know what happened – Alireza Fallah Oct 12 '13 at 12:43