EvilZone forum, Hacking and Security board. Thread started by Chef, June 30, 2013, 09:47:39 AM
-
I hear about SQL Injection a lot. Could someone explain it in a more detailed way to me?
-
https://www.owasp.org/index.php/SQL_Injection
http://security.stackexchange.com/questions/25684/how-can-i-explain-sql-injection-without-technical-jargon
Think of it like this:
We have a variable called $q (bad name but nevermind) that will eventually be used to query the database.
This is the variable:
$q = "SELECT * FROM `users` WHERE `username` = '{$_GET['username']}' AND `password` = '{$_GET['password']}'";
Now, aside from GET variables being a bad place to store sensitive data (as they will appear in the browser history and shit), we aren't escaping the input properly.
What happens if $_GET['username'] == "Fur' --"?
That's right! The query will essentially look like this:
SELECT * FROM `users` WHERE `username` = 'Fur'
But what about that bit checking the password? Well, "--" is the comment operator (thing), so it'll completely disregard that.
So, we've essentially logged into Fur's account without a password.
Here's what the login script could look like:
<?php
// This was all written in the browser.
// database.php is assumed to create $database as an open MySQLi connection.
require 'database.php';
if (empty($_GET['username']) || empty($_GET['password'])) {
die('Argument missing');
}
// Deliberately NOT escaped: the GET values are pasted straight into the SQL text.
$q = "
SELECT `is_banned`
FROM `users`
WHERE `username` = '{$_GET['username']}'
AND `password` = '{$_GET['password']}'
";
$queryResult = $database->query($q);
$userInfo = $queryResult->fetch_assoc();
if ($queryResult->num_rows == 0) {
die('Credentials incorrect.');
}
if ($userInfo['is_banned']) {
die('You have been banned.');
}
die('Credentials correct.');
There are a few improvements that can be made to this script (like hashing the password and using POST instead of GET), but those are just a waste of my time (for this little script anyway).
I do believe that the MySQL API disallows multiple queries to be executed in one statement (unless one uses the $db->multi_query in MySQLi), so we can't just enter "Fur'; DELETE * FROM `users` --" as the username, but this shouldn't be a problem once we've circumvented the authorisation system (which may have a big, juicy admin panel).
Stopping this from happening is easy: Prepare your queries or escape user input.
Anyway, you get the point.
I'm providing this information so you can learn, not so you can screw around with shittily-designed systems.
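To make the bypass described above reproducible offline, here is an added example that is not from the post or its author: the same login check written twice in Python against an in-memory SQLite database (rather than the post's PHP and MySQL), once with the username and password pasted into the SQL text and once with bound parameters. The table contents (`Fur`, `Troll`, their passwords and `is_banned` flags) are constructed sample data; the function names `login_vulnerable`, `login_safe` and `demo` are this example's own.

```python
"""String-built login query next to its parameterized equivalent."""
import sqlite3


def make_db():
    # Constructed sample data: one ordinary user and one banned user.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, is_banned INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Fur", "correct horse", 0), ("Troll", "hunter2", 1)],
    )
    return conn


def _verdict(row):
    # Same three outcomes as the post's script.
    if row is None:
        return "Credentials incorrect."
    if row[0]:
        return "You have been banned."
    return "Credentials correct."


def login_vulnerable(conn, username, password):
    # Mirrors the post's $q: user input becomes part of the SQL text, so a
    # quote closes the string literal and "--" comments out the rest of the line,
    # including the password check.
    q = (
        f"SELECT is_banned FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return _verdict(conn.execute(q).fetchone())


def login_safe(conn, username, password):
    # Prepared/parameterized query: the SQL text is fixed and the values travel
    # separately, so a quote or comment marker in the input is only ever data
    # that is compared against the column, never parsed as SQL.
    q = "SELECT is_banned FROM users WHERE username = ? AND password = ?"
    return _verdict(conn.execute(q, (username, password)).fetchone())


def demo():
    conn = make_db()
    injected = "Fur' --"  # the username from the post
    return {
        "vuln_good": login_vulnerable(conn, "Fur", "correct horse"),
        "vuln_injected": login_vulnerable(conn, injected, "wrong password"),
        "vuln_banned": login_vulnerable(conn, "Troll", "hunter2"),
        "safe_good": login_safe(conn, "Fur", "correct horse"),
        "safe_injected": login_safe(conn, injected, "wrong password"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

Running it shows `vuln_injected` reporting "Credentials correct." with a wrong password, while `safe_injected` reports "Credentials incorrect." because the literal string `Fur' --` matches no username. The fix is the one the post names: keep the SQL text constant and pass user input as parameters.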
-
I really don't understand this well. What language is this? I'm only familiar w/ how C++ works... I need to fucking learn this language because this is some useful shit!
-
If you read the code tags, you'd realize it's PHP.
-
> If you read the code tags, you'd realize it's PHP.
My bad I'm stoned...
-
> I need to fucking learn this language because this is some useful shit!
Here, you can thank me later:
[Free] E-Learning Platforms (https://evilzone.org/found-it-on-the-webs/%28free%29-e-learning-platforms/msg34625/#msg34625)
Take a look into Codecademy, I think they have some webdev courses.