PHP with SQL Injection

Question

Ok, starting fresh >

For our first assignment in a System Security class, we have to hack into the professors "cheaply organized" sql database. I know the only user is "admin" and picking a random password, the select statement generated in the php is:

select user_id from user where user_username = 'admin' AND user_password = md5('noob')

Now, I go for the basic starting point of trying to hack the crappy login with "admin'--"

select user_id from user where user_username = 'admin'--' AND user_password = md5('noob')

but the actual value being pushed to the database is

select user_id from user where user_username = 'admin\'--' AND user_password = md5('noob')

which doesn't help. The server uses POST to get the values from the form. I've already bypassed any value processing on my side of the send by disabling javascript.

There does not appear to be anything in the php that modifies the input in any way.

I don't have time to research a full answer, but they might have magic quotes turned on (http://stackoverflow.com/questions/2735749/successful-sql-injection-despite-php-magic-quotes) — Brendan Long, Jan 16 '11 at 02:50
have you tried using a double quote, and if the only use is admin you need to be focusing on exploiting the password — RobertPitt, Jan 16 '11 at 03:24

score 2 · Answer 1 · answered Jan 16 '11 at 02:56

2

Assuming the select statement is part of a login form, then most likely it's generated something like this:

$user = $_POST['username'];
$pwd = $_POST['password'];

$query = "SELECT .... WHERE user_username='$user' AND user_password=md5('$pwd')";

which means, you could hack in by entering:

noob') or ('a'='a

for the password, giving you

SELECT .... AND user_password=md5('noob') or ('a'='a')
                                   ^^^^^^^^^^^^^^^^^-- your contribution

The actual password might not match, but 'a' will always equal itself, so the where clause will succeed and match a record based purely on the username and return the admin user's user_id.

answered Jan 16 '11 at 02:56

Marc B

356,200
43
426
500

As I mentioned above, the system is still creating escape sequences on the server side, and to the best of my knowledge, it appears to be the OS doing it. That evaluated to > select user_id from user where user_username = 'admin' AND user_password = md5('nooboraa') – Scott S Jan 16 '11 at 02:59
1

Debian won't be doing it. Apache might be. – Marc B Jan 16 '11 at 03:01
Whatever is changing the value, how would I bypass that? – Scott S Jan 16 '11 at 03:13
Perhaps this'd help: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string – Marc B Jan 16 '11 at 04:23

score 1 · Answer 2 · answered Jan 16 '11 at 03:20

As others had mentioned the escaping that you see is not the OS, but some form of encoding done in PHP (likely magic quotes, but could be a straight call to addslashes()).

Basically what you need to do is send in a form of quote that will not be escaped. You should research why one would use mysql_escape_string() rather than addslashes() and/or check this out: http://forums.hackthissite.org/viewtopic.php?f=37&t=4295&p=30747

score 0 · Answer 3 · answered Jan 16 '11 at 02:56

0

Try ' OR 1; -- as user name. Imagine what the SQL query from such a user name looks like.

answered Jan 16 '11 at 02:56

Oswald

31,254
3
43
68

score 0 · Answer 4 · answered Jan 16 '11 at 02:57

This has nothing to do with the operating system. The operating system simply runs the PHP package. PHP is what does sanitization, etc.

Have you tried submitting the following string for user_username?:

admin' OR 1=1-- #assuming mysql

Would yield a query:

select user_id from user where user_username = 'admin' OR 1=1 --' AND user_password = md5('noob')

In mysql (assuming the database type), -- is a comment, so everything after 1=1 is ignored. As a result, you've successfully gained access.

If php magic quotes are on, however, this will be slightly more difficult. You will need to submit characters outside of utf-8 or attempt overflows or submitting null bytes.

yeilds the query > select user_id from user where user_username = 'admin\'' OR 1=1 --' AND user_password = md5('noob') — Scott S, Jan 16 '11 at 03:04

zAndrew · Answer 5 · 2011-01-17T08:57:56.603

You could also try a bit of googling after entering a string that will error out the admin and use part of message that comes back as the key words.

You could also use the http://gray.cs.uni.edu/moodle/mod/forum/discuss.php?d=106 fourm to ask questions so the whole class can benifit!

if you can figure out how to upload files that would be great! I want to get c99.php up to really do some damage!

you could also try some "hash" verse "dash dash"

PHP with SQL Injection

5 Answers5