
Could you please tell me why my SQL injection isn't working and how I can fix it? I tried to follow the example from Here, but value'); DROP TABLE table;-- or password 1=1 doesn't work. I'm sorry to steal your time with these easy things, but I tried it many times and I didn't get it running, and the other post didn't help me.

<!DOCTYPE html>
<html>
<head>
  <style>

body {background-color: #cc0000;}

  </style>
</head>
<body>

 <h2>Einlogen</h2>

<form action="EasyExploit.php" method="post">
  Vorname: <input type="text" name="vorname"><br>
<input type="submit">
</form>

 <h2>Registrieren</h2>

<form action="EasyExploit.php" method="post">
  Vorname: <input type="text" name="vorname"><br>
<input type="submit">
</form>

<?php

  $connection = mysqli_connect('localhost', 'root','' ,'DB') or die(mysqli_error());
                mysqli_select_db($connection ,'DB')or die(mysqli_error());
                @$unsafe_variable = $_POST['vorname'];
                mysqli_query($connection, "INSERT INTO `Persons` (`Vorname`) VALUES ('$unsafe_variable')");

?>

</body>
</html>

Thanks in advance


Making SQL-injection-vulnerable code (for testing purposes):

In order to test SQL injection with your code we need to make a few changes:

<?php

  $connection = mysqli_connect('localhost', 'root','' ,'DB') or 
                die(mysqli_error($connection));  //1
  mysqli_select_db($connection ,'DB') or die(mysqli_error($connection)); //2
  $unsafe_variable = $_POST['vorname'];
  mysqli_multi_query($connection,    //3
               "INSERT INTO `Persons` (`Vorname`) VALUES ('$unsafe_variable')");

?>
  • //1 and //2: mysqli_error needs the $connection parameter.
  • //3: Only mysqli_multi_query is able to execute more than one statement at a time. For security reasons, mysqli_query executes just one, to prevent SQL injection.

Testing:

It's time to test SQL injection. We create a simple table t to check whether we can drop it through SQL injection:

create table t ( i int );

Time to attack; the killer string to inject SQL is:

pepe'); DROP TABLE t;--


SQL with injected code:

"INSERT INTO Persons (Vorname) VALUES ('pepe'); DROP TABLE t;--')"

Explained:

  • SQL pattern is: "INSERT INTO Persons (Vorname) VALUES ('$unsafe_variable')"
  • "pepe');" replaces $unsafe_variable : "INSERT INTO Persons (Vorname) VALUES ('pepe'); DROP TABLE t;--')"
  • Remember that -- means "comment from here on", so the last quote and parenthesis are a comment.

After posting this value to the form:

mysql> select * from t;
ERROR 1146 (42S02): Table 's.t' doesn't exist

How to avoid SQL Injection?

Man, this is the Internet; there are a lot of papers about it. Start your searching with Parameterized Queries.

dani herrera
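As an added example (not part of the question or the answer above), here is the same INSERT from the page rewritten with a mysqli prepared statement, which is what "Parameterized Queries" means in practice. It assumes the setup from the question: MySQL on localhost, user root with an empty password, database DB, and a table Persons with a Vorname column. The query text contains only a placeholder; the submitted value is bound afterwards as data, so quotes, semicolons and -- inside it cannot change the statement that runs.

```php
<?php
// Added example: parameterized version of the page's INSERT.
// Assumes MySQL on localhost, user root, empty password, database DB,
// table Persons(Vorname) exactly as in the question.

// Make mysqli throw exceptions on errors instead of silently continuing,
// so a failed connect or query cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = new mysqli('localhost', 'root', '', 'DB');
$connection->set_charset('utf8mb4');

/**
 * Insert a first name using a prepared statement.
 * The SQL sent to the server never contains the user value; it is bound
 * separately with bind_param, so it is always treated as a string literal.
 */
function insertPerson(mysqli $db, string $vorname): void
{
    $stmt = $db->prepare('INSERT INTO `Persons` (`Vorname`) VALUES (?)');
    $stmt->bind_param('s', $vorname); // 's' = bind the value as a string
    $stmt->execute();
    $stmt->close();
}

/**
 * Count rows with exactly this name, also parameterized.
 * Used here to show that the stored value is the literal input.
 */
function countPersons(mysqli $db, string $vorname): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM `Persons` WHERE `Vorname` = ?');
    $stmt->bind_param('s', $vorname);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

$input = $_POST['vorname'] ?? '';
if ($input === '') {
    http_response_code(400);
    exit('vorname is required');
}

insertPerson($connection, $input);

// Even the answer's test string ("pepe'); DROP TABLE t;--") ends up stored
// verbatim as a name; no second statement ever reaches the server.
printf(
    'Stored. Rows named %s: %d',
    htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
    countPersons($connection, $input)
);
```

Two points worth keeping in mind when reading the answer together with this example: mysqli_query refusing stacked statements only blocks the "second statement" style of injection, not manipulation of the single statement itself, so it is not a substitute for binding parameters; and htmlspecialchars on output is a separate concern (HTML injection), not part of the SQL fix.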