
Suppose a web server uses the following PHP code to process login requests:

```php
// Legacy mysql_* extension, as in the original exercise; the query is built
// by string interpolation, which is the vulnerability under discussion.
$username = $_POST['user'];
$password = $_POST['pass'];
$sql = "SELECT * FROM users WHERE name = '$username' AND password = '$password'";
$rs = mysql_query($sql); // result set the original snippet checks but never assigns
if (mysql_num_rows($rs) > 0) {
    // do something (treat the request as a successful login)
}
```
  1. What value for username will always result in a successful login?

I think the value ' OR 1=1 will always result in a successful login, because the query will then be:

"SELECT * FROM users WHERE name = '' OR 1=1 AND password = '$password'"

Is this correct?

  2. Suppose the data is set to use the GBK Chinese unicode character set. In GBK, the byte 0x5c encodes `\` and 0x27 encodes `'`. The bytes 0xbf27 represent the two characters ¿' and the bytes 0xbf5c are a single Chinese character. If the username and password fields add slashes to `'`, `"`, `\`, and null, what username will always result in a successful login, assuming the database interprets the string as GBK but adding slashes processes the string as ASCII?

I'm not sure what the last part of the sentence means (by interpreting as GBK but processing as ASCII). Can someone shed light on how to solve this problem?

Gaurav Dave
Jason
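The two sub-questions above are really about one mechanism each: how string interpolation lets user input change the query's structure (and why operator precedence matters for which payload "works"), and why a byte-wise `addslashes()` is not a valid escape when the database decodes the bytes as a multibyte charset. The following is an added example, not code from the original question; it uses Python with the standard-library `sqlite3` module standing in for MySQL, a constructed `users` table, and a small byte-wise model of PHP's `addslashes()` (an assumption about its behaviour: it escapes `'`, `"`, `\` and NUL one byte at a time). The GBK decoding uses Python's own `gbk` codec.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the original post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Mirror of the posted PHP: the query is built by string interpolation,
    so the input can change the query's structure, not just its values."""
    sql = f"SELECT * FROM users WHERE name = '{username}' AND password = '{password}'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # e.g. the unbalanced quote left behind by a bare  ' OR 1=1
        return False
    return len(rows) > 0


def login_param(conn, username, password):
    """Hardened form: bound parameters keep the input as data, whatever it contains."""
    sql = "SELECT * FROM users WHERE name = ? AND password = ?"
    return len(conn.execute(sql, (username, password)).fetchall()) > 0


def addslashes_ascii(data: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): it never looks at the charset,
    it just puts 0x5c in front of every ' " \\ and NUL byte it sees."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Decode the escaped bytes the way the database would and count the single
    quotes that still terminate a string literal (i.e. are not preceded by a
    backslash that is itself a separate character after decoding)."""
    text = escaped.decode(charset)
    count = 0
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # backslash consumes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    conn = make_db()
    # Precedence: AND binds tighter than OR, so  ' OR '1'='1  in the username
    # only helps if the password also matches some row; the comment form
    # closes the string and discards the rest of the WHERE clause.
    print(login_concat(conn, "' OR 1=1", "x"))          # False (syntax error)
    print(login_concat(conn, "' OR '1'='1", "x"))       # False (precedence)
    print(login_concat(conn, "' OR 1=1 -- -", "x"))     # True
    print(login_param(conn, "' OR 1=1 -- -", "x"))      # False
    # Charset mismatch: 0xbf 0x27 becomes 0xbf 0x5c 0x27, which GBK decodes as
    # one two-byte character followed by a live, unescaped quote.
    esc = addslashes_ascii(b"\xbf'")
    print(esc, unescaped_quotes(esc, "latin-1"), unescaped_quotes(esc, "gbk"))
```

Running it shows both halves of the exercise from the defender's side: the interpolated query accepts the comment-form username and rejects the naive one, the parameterized query rejects all of them, and the same escaped bytes count as zero effective quotes under a single-byte charset but one under GBK. The fix for the second half is the same as for the first (bound parameters), or at minimum an escape function that knows the connection charset rather than a byte-wise `addslashes()`.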
  • Actually `' or 1=1` would result in `SELECT * FROM users WHERE name = '' or 1=1 ' AND password = '$password'` which would throw an error; you would have to account for it by entering `' or '1'='1` or comment out the rest by entering `' or 1=1 -- -`. – Prime Apr 29 '15 at 04:35
  • No. AND has precedence over OR. Use -- to comment the rest out. – Millie Smith Apr 29 '15 at 04:35
  • @AlphaDelta where does the additional single quote come from after the 1=1? – Jason Apr 29 '15 at 04:39
  • @Jason If you mean additional single-quote, from `'$username'` <- here – Phil Apr 29 '15 at 04:39
  • I think the last part means that if the *"add slashes"* transformation processes the string as ASCII, looking for the single-byte characters `'`, `"` and \ (not sure about `null`), it may miss something encoded as GBK. I'm not really sure though. – Phil Apr 29 '15 at 04:44
  • 2
    @Phil: [here's an explanation](http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string). – DCoder Apr 29 '15 at 04:53
  • Sounds like you are asking for help to break into something, in which case help should not be provided in my opinion. If you are asking for help to solve the problem and the poor security coding that would be different. – Jon Holland Apr 30 '15 at 09:36
  • I just can't understand why people trust `if(mysql_num_rows($rs) > 0){ //do something }`. Why not extract the password from the db and match it with the provided one, e.g. `if( $dbPassword==$postedPassword)`? Yes, you can also match the encryption of the provided password with the encrypted password stored in the db if you saved the encrypted password like Joomla does. – RN Kushwaha Apr 30 '15 at 10:15
  • Assuming the query that you mentioned is created with improper SQL injection prevention measures for some character code, have you tested this query and gotten success? Sounds like it returns success if at least the password existed in the DB. – Navid Mar 23 '16 at 00:50

0 Answers