hi guys,

I'm taking a course on web security and I've got an exam on it in a couple of weeks.

So now I'm trying some other (test) exams, but with one of them I've got a real problem.

I can't get the SQL injection to work, so I hope someone can tell me how to solve this assignment.

I don't want just the answer, since I wouldn't learn from it for my real exam, but I really would like to know how you got to this answer...

This is the source:
<?

function validate($login,$password) {

    $good_referer="........";
    $key=".....";

    $cookie_id=base64_decode($_COOKIE["user"]);

    if (strstr($HTTP_SERVER_VARS['HTTP_REFERER'],$good_referer)!=FALSE) $auth="ok";

    if ($auth="ok") {

        // MYSQL CONNECTION STUFF

        $result=mysql_db_query($db,"SELECT pass FROM $table WHERE user='$login' OR user='$cookie_id'");
        $num_rows=mysql_num_rows($result);
        $row=mysql_fetch_row($result);
        mysql_close($link);

        if (($num_rows!=0) && (!strcasecmp(md5($password),$row[0]))) {
            echo "<b>Auth OK! Your challenge Key is $key</b>";
        } else {
            echo "<b>Auth ERROR!</b>";
        }

    } else {
        echo "<b>Sorry: Bad Referer!</b>";
    }

}

?>
The things I've tried so far are:

created a cookie with the content "password", encrypted in base64, and tried to log in as the user "password".

I also tried the content "user:password" in base64 in the cookie, but that wouldn't work either.


And this is another thing I've tried:
login: ' union select '5F4DCC3B5AA765D61D8327DEB882CF99
password: password
That also did not work :(


So if anyone can please help me out with this, I would be very grateful!



Thanks in advance :)
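As an added example, and not code from the challenge or from the original post, this is how the posted validate() could be written so that neither the login field nor a client-supplied cookie can change the shape of the query. It assumes a PDO connection in $pdo, a table named users with columns user and pass, and passwords stored with password_hash(); those names are assumptions, not something the challenge source states.

```php
<?php
// Hardened rewrite of the posted validate() (added example, not the challenge's code).
// Assumptions: $pdo is an open PDO connection; table "users" has columns
// "user" and "pass", with "pass" holding a password_hash() value.
function validate(PDO $pdo, string $login, string $password, string $key): bool
{
    // Only the login field is used to find the record, and only as a bound
    // parameter, so quotes in the input cannot terminate the string literal.
    // The posted code also matched on a base64-decoded cookie that was pasted
    // straight into the SQL; a cookie is client data and never belongs in a
    // query except as a bound parameter (or, better, not at all).
    $stmt = $pdo->prepare('SELECT pass FROM users WHERE user = :user LIMIT 1');
    $stmt->execute([':user' => $login]);
    $hash = $stmt->fetchColumn();

    // The Referer header is not consulted: it is set by the client and cannot
    // gate authentication. Note that the posted "if ($auth="ok")" is an
    // assignment, not a comparison, so that branch could never fail anyway.

    // password_verify() does a constant-time check of a salted hash, replacing
    // the unsalted md5() plus strcasecmp() used in the original.
    if ($hash !== false && password_verify($password, $hash)) {
        echo '<b>Auth OK! Your challenge Key is ' . htmlspecialchars($key) . '</b>';
        return true;
    }

    echo '<b>Auth ERROR!</b>';
    return false;
}
```

The two structural changes are the prepared statement, which removes the injection surface entirely, and dropping the cookie and Referer from the decision, which removes the inputs the original trusted without reason.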