Home » Php » php – need assistance with sql injection

php – need assistance with sql injection

Posted by: admin July 12, 2020 Leave a comment

Questions:

First, I’m not trying to hack or do anything illegal. Thought I let you guys know. I have a client that want’s me to do some modifications on his system, when I was looking at it I notice that NOTHING was escaped. I’m not joking, nothing is being escaped. I explained to him that it’s insecure to have a system like that. He then proceeds to tell me that he’s had his system like this for few years and nothing has happened. I need to show him that his system is not safe, but I really don’t know to do perform an sql injection. Here’s a few queries that use $_GET and are not escaped.

SELECT *,DATE_FORMAT(joined,'%M %d, %Y') as \"Joined\" FROM `members` WHERE `name` LIKE '".$ltr."%' ORDER BY points DESC LIMIT $page,50

Here’s another one:

SELECT * FROM groups WHERE id=$thisladder[grid]

The only thing that I see that “might” clean the $_GET is this function:

if (!ini_get('register_globals')) {
   $superglobals = array($_SERVER, $_ENV,
       $_FILES, $_COOKIE, $_POST, $_GET);
   if (isset($_SESSION)) {
       array_unshift($superglobals, $_SESSION);
   }
   foreach ($superglobals as $superglobal) {
       extract($superglobal, EXTR_SKIP);
   }
}

It’s possible that the function above may be sanitizing the variables. And yes, the system also uses register globals, which is also bad.

I also made a backup, just in case.

How to&Answers:

Can’t say it better than http://xkcd.com/327/.

But then again, as Marc B says, forget SQL injection, register_globals is much, much worse. Never thought I’d actually see it emulated, just in case it’s off.

Answer:

Some fun things to show your ‘friend’ how stupid his code is:

http://example.com/badscript.php?_GET[]=ha+ha+I+pwned+your+GET+superglobal
http://example.com/badscript.php?_SESSION[issuperuser]=1

This sort of thing is EXACTLY why register_globals is such an outright F’ingly moronic idea, and (after FAR too long) has finally been made to default to OFF.

Forgot SQL injection – that idiotic piece of code is allowing remote PHP variable injection.

Answer:

if login code looked something like this:

$query = 'SELECT id FROM users WHERE username=\''.$_POST['username'].'\' AND password=\''.$_POST[password].'\'';
$result = mysql_query($query);
etc, etc...

try typing this into the login fields

username = "whatever"
password = "' OR 1"

make sense?