
I have my site and every day I look at the log files. Yesterday I saw that someone tried to inject this code into the admin panel. Here is the code for my panel:

<html>
<body>
<center>
<form action="login.php" method="POST">
username <input type="text" name="name">
password <input type="text" name="pass">
<input value="submit" type="submit" name="go">
</form>
</center>
<?php
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '*****');
define('DB_DATABASE', '******');
$db = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_DATABASE);

$user = $_POST['name'];
$pass = $_POST['pass'];

if (isset($_POST['go'])) {
    // User input is placed directly into the SQL string, unescaped and unparameterized
    $sql = "select * from users where username = '$user' AND password = '$pass' ";
    $result = mysqli_query($db, $sql);
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
    //$active = $row['active'];
    $count = mysqli_num_rows($result);

    // If result matched $myusername and $mypassword, table row must be 1 row

    if ($count == 1) {
        header("location: a22.php");
    } else {
        echo $error = "<center>"."Your Login Name or Password is invalid"."</center>";
    }
}
?>

</body>
</html>

and the code that someone tried to inject is:

admin ' OR '1'='1

and he left the password blank.

So can this code let him bypass the authentication process, even if he/she left the password blank?

Note: the admin user is valid and has id = 1 in my DB.

  • Look at the actually generated query in that case (echo $sql;), and analyze it. What do _you_ think? – misorude Oct 08 '18 at 10:15
  • I don't use any API, just a MySQL database. – justlearn2 Oct 08 '18 at 10:18
  • @misorude I don't understand you? He can bypass the auth if he puts in this code? – justlearn2 Oct 08 '18 at 10:18
  • There is absolutely no escaping or other measures of protection going on in your code! This will allow a lot of malicious queries. It's best practice to use a query builder or at least use mysqli_real_escape_string($user) ... – Benjamin Oct 08 '18 at 10:18
  • @Benjamin I did that later, but I want to know if he could bypass the auth when he put in that code admin ' OR '1'='1 – justlearn2 Oct 08 '18 at 10:20
  • Depends on those means you applied later. – Benjamin Oct 08 '18 at 10:20
  • _“but i wanna know if he could bypass the auth when he put that code admin ' OR '1'='1”_ - and that's why I said you should make a debug output of your query with that input data first - and then _think_ about what you see! You should be able to answer that question yourself if you know the basics of SQL syntax. – misorude Oct 08 '18 at 10:21
  • tl;dr... yes, this query is vulnerable and it is likely that it can be bypassed by crafting a suitable query string or injecting the payload by other means (POST). – Professor Abronsius Oct 08 '18 at 10:22
  • If you're worried about a security risk then yes, he/she could also have tried a lot of other attacks, and I can bet that she was eventually successful. – Bobby Axe Oct 08 '18 at 10:23
  • You should also hash your passwords!! Storing them in plain text is not secure at all. Really, it's a very bad idea to have plaintext passwords; you should hash the password. – Qirel Oct 08 '18 at 10:24
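
As an added illustration (not code from the question or any answer), here is the same login query built two ways in Python, with an in-memory SQLite table standing in for the MySQL `users` table: it shows the exact SQL the question's input produces, that AND binds tighter than OR so the injected condition only matches rows whose password is empty, and that a parameterized query treats the input as plain data. The sample accounts are constructed; note that SQLite compares strings exactly, so the trailing space in 'admin ' does not match 'admin' here, while MySQL's trailing-space handling depends on the column collation.

```python
import sqlite3

# Constructed sample accounts standing in for the question's MySQL `users` table.
# The second account has an empty password, the case the injected condition can match.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("guest", ""),
]

# The exact input from the question: this username, blank password.
PAYLOAD_USER = "admin ' OR '1'='1"
PAYLOAD_PASS = ""

def make_db(users):
    """Build an in-memory users table (plaintext passwords, as in the question)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)", users)
    return db

def vulnerable_query(user, pw):
    """Same string concatenation as the question's login.php: input becomes SQL text."""
    return f"select * from users where username = '{user}' AND password = '{pw}'"

def login_vulnerable(db, user, pw):
    """Row count that the question's code compares against 1 before redirecting."""
    return len(db.execute(vulnerable_query(user, pw)).fetchall())

def login_parameterized(db, user, pw):
    """Prepared statement: the driver binds user and pw as values, never as SQL."""
    sql = "select * from users where username = ? AND password = ?"
    return len(db.execute(sql, (user, pw)).fetchall())

def bypass_succeeds(users):
    """True when the question's `$count == 1` check would pass for the payload."""
    db = make_db(users)
    return login_vulnerable(db, PAYLOAD_USER, PAYLOAD_PASS) == 1

if __name__ == "__main__":
    print(vulnerable_query(PAYLOAD_USER, PAYLOAD_PASS))
    print("admin only:", bypass_succeeds(SAMPLE_USERS[:1]))  # False: no empty password to match
    print("empty-password account present:", bypass_succeeds(SAMPLE_USERS))  # True
    print("parameterized:", login_parameterized(make_db(SAMPLE_USERS), PAYLOAD_USER, PAYLOAD_PASS))  # 0
```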

3 Answers


To the original question: it depends on whether there is that space after 'admin'. If there isn't, the answer is yes, it can bypass the password. You can run that script yourself. SQL executes AND first, then continues with OR. The query looks like

select * from users where (username = 'admin') OR ('1'='1' AND password = '$pass')

This is called SQL injection. The correct way to deal with it is to escape all user inputs. In this case

$user = mysqli_real_escape_string($db, $_POST['name']);
$pass = mysqli_real_escape_string($db, $_POST['pass']);

This will change the query to this

select * from users where username = 'admin\' OR \'1\'=\'1' AND password = '$pass')

You have to perform escaping for every single user input. Never trust the user.

  • 'mysqli_real_escape_string' is not safe against SQL injection attacks. You should use prepared statements. – Dimitris Filippou Oct 08 '18 at 10:27
  • Furthermore, your example query is fully incorrect. No ( is in his code, so your example can't work. You have to prevent the check of the password. This can only be done by adding -- after the username. See my answer for the correct output of the query. – eL-Prova Oct 08 '18 at 10:29
  • You don't have to, since AND is executed first, so it's where (true) OR (false). You can try to run a similar query on your local machine. SELECT * FROM any_table WHERE id_column = 'some_key' OR 1=1 AND some_column = 'nonsence_value' – Tomáš Neumaier Oct 08 '18 at 10:30
  • @DimitrisFilippou I haven't seen any example of SQL injection bypassing mysqli_real_escape_string. A fast Google didn't help. Can you share any resource with us? – Tomáš Neumaier Oct 08 '18 at 10:36
  • You can check the examples here: https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string – Dimitris Filippou Oct 08 '18 at 10:39
  • It is possible to circumvent the escape if the charset of the application isn't properly defined. The best solution will always be to prepare and bind the data rather than injecting it, even if it's escaped. It's not only easier, but you don't mangle the data. If you escape the password before hashing it, the hash will change, for example. – Qirel Oct 08 '18 at 10:42


Use prepared statements and parameterized queries.

The query is not escaping the input, so everything is exactly what you insert.

The result of your query is select * from users where username = 'admin ' OR '1'='1' AND password = '$pass'

If adding --, the result after the '--' will not be executed anymore. You can be 100% sure that someone bypassed your authentication.


You should use Prepared Statements to prevent SQL Injection. Also sanitize your inputs to prevent XSS attacks and more.
