-
SQL Injection
So I am teaching myself some new security penetration testing stuff, and one thing that I am not good at is SQL injection. So I created a lab environment with a Windows computer running LAMP. (I know that I should use Linux, but our lab didn't have any test Linux boxes. They are in production.)
So I created a MySQL database and web page to try and learn MySQL injections. I am writing the page in PHP because I know it, and that looks to be a problem. Every time I send in a character in the login form (something that I made), the entry gets slashes:
' = \'
" = \"
\n = \\n
So on and so forth.
How can I fool PHP with SQL injections? This is for learning only.
Thanks
-
What PHP functions are you using for the queries to MySQL?
FYI: you can't run LAMP on a Windows computer :) it's WAMP for j00
-
Here is my code
Code:
<html>
<head>
<title>Auth</title>
</head>
<body>
<?php
// Deliberately injectable lab page: the user name goes straight into the query.
// $_GET replaces the PHP 4 name $HTTP_GET_VARS, which later PHP versions removed.
$user = isset($_GET['user']) ? $_GET['user'] : '';
$pass = isset($_REQUEST['pass']) ? $_REQUEST['pass'] : '';
echo "$user $pass \n";

$host = 'localhost';
$username = '';
$password = '';
$database = 'dbLogin';

// mysql_* is the old (pre-PHP 7) extension this thread is about; mysqli/PDO replace it.
$connection = mysql_connect($host, $username, $password) or die("Could not connect to mysql");
mysql_select_db($database, $connection) or die("Could not select the database");

// The injection point: $user is interpolated into the SQL without escaping.
// With magic_quotes_gpc on, PHP has already run addslashes() on it, which is why ' arrives as \'.
// mysql_error() is shown on failure so a broken query is visible while learning.
$result = mysql_query("SELECT * FROM tbl_auth WHERE col_UserName = '$user'", $connection)
    or die(mysql_error());

while ($row = mysql_fetch_array($result)) {
    echo "$row[ID] $row[col_UserName] $row[col_Password] \n";
}
?>
</body>
</html>
-
Is magic_quotes_gpc on?
The PHP directive magic_quotes_gpc is on by default, and it essentially runs addslashes() on all GET, POST, and COOKIE data. Do not use addslashes() on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The function get_magic_quotes_gpc() may come in handy for checking this.
http://us2.php.net/manual/en/ref.inf...gic-quotes-gpc
-
Well, if that really is the code, this isn't the case, but there are functions in PHP to help prevent these kinds of attacks, IIRC mysql_real_escape_string(). You could try altering it a bit: instead of using ' maybe use %27 or double unicode encode? Probably won't work, but regardless, the point of SQL injection is to add/modify the SQL query, so start thinking about what query you have out there and how you could alter it, and you will find that it isn't always necessary to have ' to do a SQL injection...
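An added example (not code from anyone in this thread) that ties the two replies together: it emulates what magic_quotes_gpc does to the request (PHP's addslashes()), builds the query the poster's page would send, and checks whether any attacker-controlled text ended up outside a string literal, i.e. got parsed as SQL. STRING_QUERY is the poster's own SELECT; NUMERIC_QUERY (a `WHERE ID = ...` form) is an assumed variant added to show the last reply's point that a quote is not always needed. The scanner follows MySQL's default literal rules (backslash escapes and '' doubling); nothing here talks to a real database.

```python
# Constructed demo: how magic_quotes_gpc (addslashes) changes the attacker's
# input, and why a '-based payload fails while a quote-less one still works.
# Not code from the thread; NUMERIC_QUERY is an assumed variant of the page.

def addslashes(s: str) -> str:
    """Emulate PHP addslashes(), which magic_quotes_gpc applies to GET/POST/COOKIE."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def code_outside_literals(sql: str) -> str:
    """Return the characters of a MySQL statement that are NOT inside a
    single-quoted string literal, honouring backslash escapes and '' doubling.
    Whatever attacker-controlled text shows up here is parsed as SQL, not data."""
    out = []
    i, n, in_str = 0, len(sql), False
    while i < n:
        ch = sql[i]
        if in_str:
            if ch == "\\":                      # backslash escapes the next char
                i += 2
                continue
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":   # '' is a literal quote
                    i += 2
                    continue
                in_str = False
            i += 1
            continue
        if ch == "'":
            in_str = True
        else:
            out.append(ch)
        i += 1
    return "".join(out)


STRING_QUERY = "SELECT * FROM tbl_auth WHERE col_UserName = '{}'"   # the poster's query
NUMERIC_QUERY = "SELECT * FROM tbl_auth WHERE ID = {}"              # assumed variant


def run_attack(template: str, payload: str, magic_quotes: bool):
    """Build the query the PHP page would send and report whether an
    attacker-supplied OR escaped the string literal (i.e. became SQL)."""
    value = addslashes(payload) if magic_quotes else payload
    query = template.format(value)
    code_tokens = code_outside_literals(query).upper().split()
    return query, "OR" in code_tokens


def safe_int(raw: str):
    """Hardened handling for the numeric case: escaping cannot help there,
    only a type check can. Returns None for anything that is not an integer."""
    try:
        return int(raw)
    except ValueError:
        return None


if __name__ == "__main__":
    for tmpl, payload in ((STRING_QUERY, "' OR '1'='1"),
                          (NUMERIC_QUERY, "1 OR 1=1")):
        for mq in (False, True):
            q, hit = run_attack(tmpl, payload, mq)
            print(f"magic_quotes={mq!s:5} injected={hit!s:5} {q}")
```

With magic quotes off, `' OR '1'='1` closes the literal and the OR lands in SQL; with them on, the input becomes `\' OR \'1\'=\'1` and stays inside the literal, which is exactly the "slashes" the first post is seeing. The numeric form is injectable either way because `1 OR 1=1` contains nothing addslashes() touches; there the fix is a type check (or a prepared statement), not more escaping.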