Topic: Why this code is not vulnerable to injection ORDER BY?


Offline callahan

Why this code is not vulnerable to injection ORDER BY?
« on: February 19, 2013, 11:28:25 pm »
I'm trying to make a series of SQLi challenges (specifically, I want to allow launching shells from the injection by calling the DB with a full-privilege user), first allowing the injection to be made easily (e.g. try whether the app is injectable with a single quote, get the number of columns with ORDER BY, etc.), but it's not possible to get the number of columns with ORDER BY. Any advice?

Here's the script:

Code: [Select]
<?php
// Deliberately injectable challenge script (as posted): the id parameter is
// concatenated straight into the query string with no escaping.
$con = mysql_connect("localhost", "fp", "fp") or die("Couldn't connect");

mysql_select_db("practice", $con);

$param = $_GET["id"];
$result = mysql_query("SELECT * FROM users WHERE id='$param'") or die(mysql_error());

while ($row = mysql_fetch_array($result)) {
    echo $row['name'];
}

?>


Offline jeremy78

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #1 on: February 20, 2013, 12:24:31 am »
You need a ) after id='$param' so it would be $result = mysql_query("SELECT * FROM user WHERE id='$param'")or die(mysql_error());

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #2 on: February 20, 2013, 12:28:06 am »
You need a ) after id='$param' so it would be $result = mysql_query("SELECT * FROM user WHERE id='$param'")or die(mysql_error());

You are right, I forgot it when I copied my code here :P

Offline Stackprotector

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #3 on: February 20, 2013, 09:00:31 am »
I suggest using single quotes for the SQL query string so you can easily spot the quotes, for example:
Code: (php) [Select]
$query = 'SELECT id FROM table WHERE id="' . $id . '"';
Now you can see it is quoted with "". You can leave the quotes for easier injection. Right now you would want to inject:
Code: (sql) [Select]
' order by 1 or '1'='1 (or order by 1--)
So the end query would be if $id == 1:
Code: (sql) [Select]
SELECT id FROM table WHERE id='1' order by 1 or '1'='1'
~Factionwars

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #4 on: February 20, 2013, 09:36:17 pm »
I suggest using single quotes for the SQL query string so you can easily spot the quotes, for example:
Code: (php) [Select]
$query = 'SELECT id FROM table WHERE id="' . $id . '"';
Now you can see it is quoted with "". You can leave the quotes for easier injection. Right now you would want to inject:
Code: (sql) [Select]
' order by 1 or '1'='1 (or order by 1--)
So the end query would be if $id == 1:
Code: (sql) [Select]
SELECT id FROM table WHERE id='1' order by 1 or '1'='1'


I appreciate your help but it's not working, I can't get columns number with ORDER BY.

Offline Stackprotector

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #5 on: February 20, 2013, 09:38:22 pm »

I appreciate your help but it's not working, I can't get columns number with ORDER BY.
Echo the generated query including your parameters and post it here.
~Factionwars

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #6 on: February 20, 2013, 10:01:34 pm »
Echo the generated query including your parameters and post it here.


With $query = 'SELECT nombre from users where id="'.$id.'"';:
    Query: SELECT nombre from users where id="2"                      Output: mark
    Query: SELECT nombre from users where id="2 order by 5--"         Output: mark
    Query: SELECT nombre from users where id="2"and "1"="0"           Output: <no output>
    Query: SELECT nombre from users where id="2" order by "6"="6"     Output: mark

With $query = "SELECT * FROM users WHERE id='$id'"; it is exactly the same as with double quotes, of course, replacing the " in the query with '.
« Last Edit: February 20, 2013, 10:04:31 pm by callahan »
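The queries posted above put the test value inside the quotes, so the ORDER BY never reaches the parser as SQL. The following is an added example, not code from the thread: Python with sqlite3 standing in for MySQL, building the query by concatenation as the posted PHP does and, beside it, with a bound parameter. The users table is constructed here; note that SQLite does not do MySQL's lenient string-to-number comparison, so id='2 order by 5--' matches nothing in this example, whereas the thread's MySQL returned mark.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the thread's "users" table (id, nombre).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, nombre TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "alice"), (2, "mark")])
    return con


def query_concat(con, user_id):
    """Builds the query the way the posted PHP does: the value is pasted
    between the quotes, so anything that closes the quote becomes SQL."""
    sql = "SELECT nombre FROM users WHERE id='" + user_id + "'"
    return sql, [row[0] for row in con.execute(sql)]


def query_param(con, user_id):
    """Hardened form: the value travels separately from the SQL text and
    is only ever compared as data, never parsed as part of the statement."""
    sql = "SELECT nombre FROM users WHERE id=?"
    return sql, [row[0] for row in con.execute(sql, (user_id,))]


def run(user_id):
    """Runs both forms on a fresh table; a parse error from the concatenated
    form is returned as a string so the two results can be compared."""
    con = make_db()
    result = {"param": query_param(con, user_id)[1]}
    try:
        result["concat"] = query_concat(con, user_id)[1]
    except sqlite3.OperationalError as exc:
        # e.g. "ORDER BY term out of range" when the clause is parsed as SQL
        result["concat"] = "error: " + str(exc)
    return result


if __name__ == "__main__":
    for value in ("2", "2 order by 5--", "2' order by 1--", "2' order by 5--"):
        print(repr(value), run(value))
```

The first two inputs stay inside the string literal in both forms; only the inputs that close the quote change what the concatenated query does, while the bound parameter treats all four as plain data.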

Offline Stackprotector

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #7 on: February 20, 2013, 10:06:54 pm »
I will ask: please. Don't reply anyone.   And to the topic poster. Please read the tutorial twice or more and learn something about PHP and SQL.
~Factionwars

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #8 on: February 20, 2013, 10:10:36 pm »
I will ask: please. Don't reply anyone.   And to the topic poster. Please read the tutorial twice or more and learn something about PHP and SQL.


I know that the used of "" is not correct to use, I wanted to try out what would happen.

Offline Stackprotector

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #9 on: February 20, 2013, 10:12:48 pm »
You showed not a single correct usage and I think you should learn to create before you break :)
~Factionwars

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #10 on: February 20, 2013, 10:19:22 pm »
You showed not a single correct usage and I think you should learn to create before you break :)


What do you mean with the "correct usage"?

Offline Stackprotector

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #11 on: February 20, 2013, 10:29:51 pm »

What do you mean with the "correct usage"?
Correct usage of SQL. You didn't even use my example. And you are wondering why "and 1=0" is not giving you any output. Do yourself a favor and learn SQL. It will be way more fun if you know what you are doing.
~Factionwars

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #12 on: February 20, 2013, 10:31:12 pm »
Well, I was making a silly mistake, one of those stupid ones. I was asking for an id that was an integer, and treating the GET value as a string.

Offline Stackprotector

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #13 on: February 20, 2013, 10:33:58 pm »
Well, I was making a silly mistake, one of those stupid ones. I was asking for an id that was an integer, and treating the GET value as a string.
That's not the problem
~Factionwars

Offline callahan

Re: Why this code is not vulnerable to injection ORDER BY?
« Reply #14 on: February 20, 2013, 10:36:50 pm »
Correct usage of SQL. You didn't even use my example. And you are wondering why "and 1=0" is not giving you any output. Do yourself a favor and learn SQL. It will be way more fun if you know what you are doing.


When did I wonder why AND 1=0 was not giving me output, man!? No, first, I know SQL and don't be rude.



That's not the problem


Yes, that was the problem. My code is running now as expected.


Regards.