Title: Web-Apps-SQL-Injection-techniques
Author: 小B  Time: 2014-6-5 12:58
Found a great book. Noted down a part of it.
---[ 0x03: Exploiting a Login Form ]
Sometimes it happens that coders don't properly sanitize two important variables,
such as the user name and password in the login form, and this involves a critical
vulnerability that will allow the attacker access to a reserved area.
Let's look at an example query below:
SELECT * FROM users WHERE username = 'admin' and password = 'secret'
With this query the admin supplies the username 'admin' and the password 'secret';
if those are correct, the admin logs into the application.
Let us suppose that the script is vulnerable to SQL injection; what happens
if we know the admin username (in this case 'admin')? We don't know the password, but
can we perform an SQL injection attack? Yes, easily, and then we can gain access to the application.
In this way:
SELECT * FROM users WHERE username = 'admin' /*' and password = 'foobar'
So, we supplied this information:
- As username: admin' /*
- As password: foobar (whatever we want..)
Yes, the query will be true because admin is the right username, and with the
' /* ' symbol we commented out the rest of the SQL statement.
Here below is a funny (but true) example:
// Vulnerable: POST input is concatenated straight into the SQL string
$sql = "SELECT permissions, username FROM $prefix"."auth WHERE
username = '" . $_POST['username'] . "' AND password = MD5('".$_POST['wordpass']."');";
$query = mysql_query($sql, $conn);
The variables passed with the POST method are not properly sanitized before being used,
and an attacker can inject SQL code to gain access to the application.
This is a simple attack, but it has a very critical impact.
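As an added illustration (not from the paper or the thread), here is the string-concatenated login beside its parameterised fix, in Python with sqlite3; the users table, its single row and the function names are constructed for this example:

```python
import sqlite3


def make_db():
    # Constructed in-memory user table (example data, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, permissions TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret', 'all')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the PHP snippet above: user input is spliced into the SQL text,
    # so a username of  admin' /*  closes the string and comments out the
    # password check. Returns the matched row, or None.
    sql = ("SELECT permissions, username FROM users WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    # Parameterised query: the same inputs are bound as data and never
    # parsed as SQL, so the comment trick simply fails to match a user.
    sql = "SELECT permissions, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "admin' /*", "foobar"))  # ('all', 'admin')
    print(login_safe(db, "admin' /*", "foobar"))        # None
    print(login_safe(db, "admin", "secret"))            # ('all', 'admin')
```

SQLite, like MySQL, treats an unterminated /* as running to the end of the statement, which is why the concatenated version logs in without the password.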
-------------------------------------------------------------------------------
Author: 伴与久ㄣ  Time: 2014-6-5 13:12
I can't understand it; no idea what you're posting these for.
Author: 小B  Time: 2014-6-5 14:17