Using SQL
Form provides two fields: username and password.
Both are controlled by external entities (users).
Objective:
Check if the username and password provided exist in the database.
Obtain the user data if it exists, and move to authorization phase.
Otherwise, do not authenticate and provide an error.
Vulnerable validation code (PHP):
$result = mysql_query("SELECT * FROM Users WHERE(username='$username' AND password='$password');");
Exploiting SQLi
$result = mysql_query("SELECT * FROM Users WHERE(username='john' AND password='abc');");
It will fail because the <username, password> pair doesn't match any row, so no result is returned.
$result = mysql_query("SELECT * FROM Users WHERE(username='john' or 1=1); -- ' AND password='abc');");
It will be successful because 1=1 is always true.
The username check is irrelevant because the second half of the OR is always true.
The remainder of the query (the password check) is ignored because it is now part of the comment.
$result = mysql_query("SELECT * FROM Users WHERE(username='' or 1=1);DROP TABLE Users; --' AND password='a');");
Two queries may be executed:
SELECT which returns all users.
DROP TABLE Users, which effectively deletes the Table.