
I have a project for a course where I connect to a local server localhost:8080/website.php and execute SQL Injection. The server has an Account ID Number and Password field. When submitted, the ID and Password values are input into the SQL statement: `SELECT * FROM accounts WHERE id = (ID value) AND password = '(password value)'` How would I exploit this and perform SQL Injection?

I have tried a few things, listed below.

`' or 1=1 --` became `SELECT * FROM accounts WHERE id = 12345 AND password = '' or 1=1 --'`. This opens an account, but it's always the same account. How do I access a different account?

`'; INSERT INTO accounts(id,password) values('12345','abc');--` became `SELECT * FROM accounts WHERE id = 12345 AND password = ''; INSERT INTO accounts(id,password) values('12345','abc');--'`. This gives an SQL error.

How do I log into any account without knowing an ID? The `' or 1=1 --` logs into the same account no matter what I put for the ID. Also, how do I create my own account in the database?

Mike Weber
    possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Pragnesh Chauhan Nov 14 '13 at 04:12
  • 1) Is `magic_quotes` enabled on your server? It shouldn't be, and it would thwart your attempts. 2) I don't think any MySQL drivers for PHP (`mysql_*`, `mysqli_*`, PDO) support multiple queries in a single statement, so things like `command1; command2 ...` won't work. 3) Try adding a trailing space after `--`, so that you have `-- `. Alternatively, try `#` as your comment delimiter. – Waleed Khan Nov 14 '13 at 04:59

1 Answer


You can send a value that invalidates the WHERE clause and makes the result always true. This will give you access to the system without knowing the password.

'or 1=1 --

Mike, after I ran your statement in SQL I got this.


Juan
  • The key here is that you are making SQL think that you have closed the single quote; the 1=1 ensures that the query will always return data. It also varies depending on what kind of SQL backend it is. [sql injection cheat sheet](http://ckers.org/sqlinjection/) – Greg Nov 14 '13 at 04:18
  • Ok this works but it always accesses the same account no matter what I put in the account ID field. How do I access other accounts? And how do I add my own account to the database? – Mike Weber Nov 14 '13 at 07:16
  • The user is the one used in the form. Try the insert with ' or 1=1; insert statement; -- – Juan Nov 14 '13 at 12:47
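The following is an added example, not code from the question or the answer, that reproduces the behaviour discussed above in Python with an in-memory SQLite database (the course server uses PHP and MySQL; the `--` comment and `AND`/`OR` precedence behave the same way). It builds the exact statement quoted in the question, shows why the `' or 1=1 --` payload always lands on the same row (every row matches and the application takes the first one), and contrasts it with the parameterized query that the duplicate-link comment refers to. The table contents are constructed sample data.

```python
import sqlite3

# Constructed sample accounts (not from the original page).
SAMPLE_ACCOUNTS = [
    (12345, "s3cret"),
    (23456, "hunter2"),
    (34567, "letmein"),
]


def make_db():
    """In-memory database with the accounts table the question describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def build_vulnerable_query(account_id, password):
    """Mirror the string-built statement from the question: the ID is unquoted,
    the password is single-quoted, and neither is escaped."""
    return (
        f"SELECT * FROM accounts WHERE id = {account_id} "
        f"AND password = '{password}'"
    )


def vulnerable_matches(conn, account_id, password):
    """Vulnerable path: every row the spliced-together statement matches."""
    return conn.execute(build_vulnerable_query(account_id, password)).fetchall()


def vulnerable_login(conn, account_id, password):
    """Vulnerable path as a login routine: the application takes the first
    matching row, which is why the payload always opens the same account.
    AND binds tighter than OR, so the condition becomes
    (id = X AND password = '') OR 1=1, i.e. true for all rows."""
    rows = vulnerable_matches(conn, account_id, password)
    return rows[0] if rows else None


def safe_login(conn, account_id, password):
    """Hardened path: placeholders send the values separately from the SQL
    text, so quote characters and comment markers stay plain data.
    A login lookup should match exactly one row; more than one is a bug."""
    rows = conn.execute(
        "SELECT * FROM accounts WHERE id = ? AND password = ?",
        (account_id, password),
    ).fetchall()
    if len(rows) > 1:
        raise RuntimeError("login query matched more than one account")
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print(build_vulnerable_query(12345, payload))
    print("vulnerable, id 12345:", vulnerable_login(db, 12345, payload))
    print("vulnerable, id 23456:", vulnerable_login(db, 23456, payload))
    print("parameterized, id 23456:", safe_login(db, 23456, payload))
    print("parameterized, real credentials:", safe_login(db, 23456, "hunter2"))
```

Run as a script, the first two vulnerable calls both return the `12345` account even though a different ID was supplied, which is the behaviour the question reports; the parameterized query returns nothing for the payload and only the correct row for real credentials.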