Got an exam soon, need help with sql injection

  1. #1

    Got an exam soon, need help with sql injection

    hi guys,

    I'm taking a course on web security and I've got an exam in a couple of weeks on it.

    So now I'm trying some other (test) exams, but with one of them I've got a real problem.

    I can't get the SQL injection to work, so I hope anyone can tell me how to solve this assignment.

    I don't want just the answer, since I wouldn't learn from it for my real exam, but I really would like to know how you got to this answer...

    this is the source:
    <?

    function validate($login, $password) {

        $good_referer = "........";
        $key = ".....";

        // the cookie value is base64-decoded and used as a second user name
        $cookie_id = base64_decode($_COOKIE["user"]);

        if (strstr($HTTP_SERVER_VARS['HTTP_REFERER'], $good_referer) != FALSE) $auth = "ok";

        // note: a single '=' here is an assignment, not a comparison
        if ($auth = "ok") {

            // MYSQL CONNECTION STUFF

            // $login and $cookie_id are placed straight into the query text
            $result = mysql_db_query($db, "SELECT pass FROM $table WHERE user='$login' OR user='$cookie_id'");
            $num_rows = mysql_num_rows($result);
            $row = mysql_fetch_row($result);
            mysql_close($link);

            // password check: md5 of the submitted password against the stored hash, case-insensitive
            if (($num_rows != 0) && (!strcasecmp(md5($password), $row[0]))) {
                echo "<b>Auth OK! Your challenge Key is $key</b>";
            } else {
                echo "<b>Auth ERROR!</b>";
            }

        } else {
            echo "<b>Sorry: Bad Referer!</b>";
        }

    }

    ?>
    the things I've tried so far are:

    created a cookie with the content "password", encrypted in base64, and tried to login as the user password.

    also tried the content "user:password" in base64 in the cookie, but that wouldn't work either.


    and this is another thing i've tried:
    login: ' union select '5F4DCC3B5AA765D61D8327DEB882CF99
    password: password
    that also did not work :(


    So if anyone please can help me out with this, I would be very grateful!



    Thanks in advance :)
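    As an added example (not code from the thread), here is the validate() query rebuilt in Python over an in-memory SQLite table, with the string-concatenated form of the query beside a parameterised one; the table, the user "alice" and her password are constructed for the example. With bound parameters, whatever arrives in the login field or the cookie is handled as a plain string, so the login value tried in the post above simply matches no user.

```python
import base64
import hashlib
import sqlite3


def make_db():
    # Constructed stand-in for the thread's $table: one user, password stored as an md5 hex digest.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.md5(b"s3cret").hexdigest()))
    return conn


def password_matches(password, stored_hash):
    # Same test as the PHP: md5 of the submitted password, compared case-insensitively (strcasecmp).
    # md5 is kept only to mirror the thread; a real fix would use a slow, salted password hash.
    return hashlib.md5(password.encode()).hexdigest().lower() == stored_hash.lower()


def build_vulnerable_sql(login, cookie_id):
    # The statement exactly as the thread's PHP assembles it: both values are pasted into the text.
    return f"SELECT pass FROM users WHERE user='{login}' OR user='{cookie_id}'"


def validate_vulnerable(conn, login, password, cookie_user_b64):
    cookie_id = base64.b64decode(cookie_user_b64).decode(errors="replace")
    try:
        rows = conn.execute(build_vulnerable_sql(login, cookie_id)).fetchall()
    except sqlite3.OperationalError:
        # mysql_db_query() returns FALSE for a statement the server rejects; the PHP then prints "Auth ERROR!".
        return False
    return bool(rows) and password_matches(password, rows[0][0])


def validate_hardened(conn, login, password, cookie_user_b64):
    cookie_id = base64.b64decode(cookie_user_b64).decode(errors="replace")
    # Bound parameters: the driver passes both values as data, so quotes or keywords in them
    # never become part of the statement. (Whether a cookie should be allowed to pick the row
    # at all is a separate design question that binding does not answer.)
    rows = conn.execute("SELECT pass FROM users WHERE user=? OR user=?",
                        (login, cookie_id)).fetchall()
    return bool(rows) and password_matches(password, rows[0][0])


if __name__ == "__main__":
    db = make_db()
    attempt = "' union select '5F4DCC3B5AA765D61D8327DEB882CF99"  # the login value tried in the post
    print("hardened, real credentials:", validate_hardened(db, "alice", "s3cret", ""))
    print("hardened, posted attempt:  ", validate_hardened(db, attempt, "password", "cGFzc3dvcmQ="))
```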

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    What exactly is the question (problem) being asked? There is more than just SQL injection required here, like the referer tag needs to be spoofed or made ok to be false.

    I believe the SQL statement allows you to make your own OR. Removing a couple of NOTs may help.

    You might want to try using achellies.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  3. #3
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    Alright, I didn't take a lot of time to really look at the code; the quick thingy I can think of is the fact that it isn't the full script, some variables don't have content ($sql $table). That means there can be some filtering or whatever with the $login or $cookie or whatever, if you can get one of the two to be something like this despite whatever happens with them in another script: 5\'; -- add fancy sql thingy here -- ;\' You might be able to put in yer own sql thing, for example to put in your own md5 hashed password, so far the sql injection... Is that what you want to do or something?

    Also the referer check thingy can be bypassed with bla.php?auth=ok methinks. Wrong thinking or weird errors are eh.. the beer can be blamed for that, just browsing around until I'm sober enough to sleep.
    Double Dutch

  4. #4
    What exactly is the question (problem) being asked? There is more than just SQL injection required here, like the referer tag needs to be spoofed or made ok to be false.

    I believe the SQL statement allows you to make your own OR. Removing a couple of NOTs may help.

    You might want to try using achellies.
    The referer tag is easy, so that's not my problem.

    As for the code, this is the pseudo source code, I don't have the final one (my teacher told me that this would be enough to solve this assignment).

    You might be able to put in yer own sql thing, for example to put in your own md5 hashed password
    As you can see, I've tried that here:
    and this is another thing i've tried:

    login: ' union select '5F4DCC3B5AA765D61D8327DEB882CF99
    password: password
    that also did not work
    but perhaps there is another way, a way I might have missed....


    neel:
    what is a kwiep?

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Thanks SirDice, although I've read dozens of tutorials on SQL injection, it can never hurt to read more.

    Let's hope these will help me find the solution for the above problem, thanks!
