Got an exam soon, need help with sql injection

hi guys,

I'm taking a course on web security and i've got an exam in a couple of weeks on it.

So now i'm trying some other (test)exams, but with one of them i've got a real problem.

i can't get the sql injection to work, so i hope anyone can tell me how to solve this assignment.

I don't want just the answer, since i wouldn't learn from it for my real exam, but i really would like to know how you got to this answer...

this is the source:

Quote:

---

<?

function validate($login,$password) {

$good_referer="........";
$key=".....";

$cookie_id=base64_decode($_COOKIE["user"]);

if (strstr($HTTP_SERVER_VARS['HTTP_REFERER'],$good_referer)!=FALSE) $auth="ok";

if ($auth="ok") {

// MYSQL CONNECTION STUFF

$result=mysql_db_query($db,"SELECT pass FROM $table WHERE user='$login' OR user='$cookie_id'");
$num_rows=mysql_num_rows($result);
$row=mysql_fetch_row($result);
mysql_close($link);

if (($num_rows!=0) && (!strcasecmp(md5($password),$row[0]))) {

echo "<b>Auth OK! Your challenge Key is $key</b>";

} else {

echo "<b>Auth ERROR!</b>";

}


} else {

echo "<b>Sorry: Bad Referer!</b>";

}



}


?>

---

the things i've tried so far are:

created a cookie with the content "password", encrypted in base64, and tried to login as the user password.

also tried the content "user:password" in base64 in the cookie, but that wouldn't work either.


and this is another thing i've tried:

Quote:

---

login: ' union select '5F4DCC3B5AA765D61D8327DEB882CF99
password: password

---

that also did not work :(


So if anyone please can help me out with this, i would be very gratefull!



thanks in advance :)

what exactly is the question (problem) being asked. there is more than just sql injection required here. like the referer tag needs to be spoofed or made ok to be false.

i believe the sql statement allows you to make your own OR. removing a couple of NOTs may help

you might want to try using achellies.

Allright I didn't take alot of time to really look at the code, quick thingy I can think of is the fact that it isn't the full script, some variables don't have content ($sql $table). That means there can be some filtering or whatever with the $login or $cookie or whatever, if you can get one of the two to be something like this despite of whatever happens with them in another script: 5\'; -- add fancy sql thingy here -- ;\' You might be able to put in yer own sql thing for example to put in your own md5 hashed password, so far the sql injection... Is that what you want to do or something ?

Also the referer check thingy can be bypassed with bla.php?auth=ok methinks. Wrong thinking or weird errors are eh.. the beer can be blamed for that, just browsing arround until I'm sober enough to sleep.

Quote:

---

what exactly is the question (problem) being asked. there is more than just sql injection required here. like the referer tag needs to be spoofed or made ok to be false.

i believe the sql statement allows you to make your own OR. removing a couple of NOTs may help

you might want to try using achellies.

---

the referer tag is easy, so that's not my problem.

as for the code, this is the pseudo source code, i don't have the final one ( my teacher told me that this would be enough to solve this assignment).

Quote:

---

You might be able to put in yer own sql thing for example to put in your own md5 hashed password

---

as you can see, i've tried that here:

Quote:

---

and this is another thing i've tried:

Quote:

---

login: ' union select '5F4DCC3B5AA765D61D8327DEB882CF99
password: password

---

that also did not work :(

---

but perhaps there is another way, a way i might have missed....


neel:
wat is een kwiep?

These may help:

Advanced SQL injection in SQL server Applications
(more) Advanced SQL Injection

thanks SirDice, although i've read dozens of tutorials on SQL injection, it can never hurt to read more :)

let's hope these will help me find the solution for the above problem, thanks!