
The Basic MySQL Injection

Ahhhh the classic hack that doesn’t work anymore… which is why I’m posting it here. I always thought it was kind of an interesting concept but no one ever made it simple for me, so I shall do this for you.

How to do a simple MySQL Injection

Ok, so this is your basic PHP login script that asks for your username and password, which would then query the database to authenticate you:

// Vulnerable pattern: the POST fields are interpolated straight into the SQL string
$user = $_POST["username"];
$pass = $_POST["password"];
$query = mysql_query("SELECT * FROM users WHERE user='$user' AND password='$pass'");
$rows = mysql_fetch_row($query);
if ($rows == 0) {
    die('Login Incorrect!');
}

Assuming that register_globals is enabled on the server, this script will work: it takes the POST variables and queries the database for an existing row that satisfies both conditions, which are obviously the username and password fields. If the input does not meet this requirement, the script dies and returns the “Login Incorrect” error. So assume I log in with the username “nessa” and the password “sexy.” Now suppose that instead of the password I type ' OR ''='' OR '1'='1 into the password field. The $query string will pass this command to MySQL:

$query = mysql_query("SELECT * FROM users WHERE user='nessa' AND password='' OR ''='' OR '1'='1'");

Since I put an OR clause into the password field, the database is left with several ways for the WHERE statement to come out true. As you can see, '' will always be equal to '', and 1 is always equal to 1, so MySQL is happy as long as any one of these conditions is met.

So what does that tell you? You can easily replace either the username or the password field with a ' OR ''=' or a ' OR '1'='1 and you will have a successful login each time. Of course there are a lot more combinations that will work; you might want to check out this site:

http://www.justinshattuck.com/?p=156&akst_action=share-this

Now, seeing that this site is powered by PHP and MySQL, you probably think I’m stupid for posting this. Well, quite frankly, MySQL injections are old and nearly impossible with well-scripted PHP software and a good PHP environment. If you’re running a custom script or old software, here’s how you can protect your crappy software from being exploited:

Check your magic quotes setting in php.ini or .htaccess:

magic_quotes_gpc should be turned on, as this automatically backslash-escapes quotes in incoming request data, so MySQL is less likely to mistake your input for part of the query. As of PHP4, this setting is enabled by default.

If you don’t want to use magic quotes, use mysql_real_escape_string():

Here’s a simple script you can use as an include to automatically escape the input before it reaches the query:

<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Strip slashes first if magic quotes already escaped the value,
    // so it is not escaped twice below
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote and escape if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
?>

And the obvious: if you’re using bundled software, make sure you keep it up to date. New exploits are being found all the time, so don’t put yourself out there by not updating your shit.
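As an added example (not code from the post, and using Python with an in-memory SQLite database to stand in for the post’s PHP and MySQL), the login query above run two ways: the concatenated form accepts the ' OR ''='' OR '1'='1 payload from the walkthrough, while a parameterized query, the approach stefan asks about in the comments, treats the same string as an ordinary (wrong) password. The user table contents are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the post's `users` table.
SAMPLE_USERS = [("nessa", "sexy"), ("admin", "s3cret-example")]

# The payload the post walks through, typed into the password field.
PAYLOAD = "' OR ''='' OR '1'='1"


def make_db():
    """Build an in-memory SQLite database holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_concat(conn, user, password):
    """The post's pattern: request fields spliced straight into the SQL text.
    Returns the matching rows; a non-empty result means 'logged in'."""
    query = (f"SELECT * FROM users WHERE user='{user}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchall()


def login_param(conn, user, password):
    """Parameterized form: the values travel separately from the SQL text,
    so quotes in the input remain data and never reshape the WHERE clause."""
    query = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(query, (user, password)).fetchall()


def demo():
    """Run both login functions with real credentials and with the payload."""
    conn = make_db()
    return {
        # Correct credentials match exactly one row either way.
        "ok_concat": len(login_concat(conn, "nessa", "sexy")),
        "ok_param": len(login_param(conn, "nessa", "sexy")),
        # Concatenation yields ... AND password='' OR ''='' OR '1'='1',
        # which is true for every row, so every user is returned.
        "bypass_concat": len(login_concat(conn, "nobody", PAYLOAD)),
        # The parameterized query looks for a password literally equal to
        # the payload string and finds nothing.
        "bypass_param": len(login_param(conn, "nobody", PAYLOAD)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s) matched")
```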


5 Comments

  • Ronald van den Heetk | May 29, 2007 at 8:04 pm

    First of all, the link to Justin’s blog: Justin stole that cheat sheet of mine; I asked for credit but got no reply, so you know.

    Next, I see you use backticks, which are only used for columns in MySQL and are also not recommended.

    Further, mysql_real_escape_string() doesn’t protect against such SQL injections:

    where id = 1 AND(DELETE FROM TABLE) --

    which gets executed nicely despite mysql_real_escape_string() :) Yeah, it’s tough to protect against it. And Shhh! Not many people know about this ;)

  • Nessa | May 31, 2007 at 5:27 pm

    1) I’m sorry to hear that

    2) backticks are very common in MySQL syntax up to MySQL 4.1, which is a very vulnerable version for this attack =)

    3) mysql_real_escape_string() does indeed help protect against MySQL injections, as I’ve used it in my own programs. However, I’m sure you can understand why I did not post the full technical aspects of MySQL injections

    4) nice site

  • James | November 28, 2007 at 1:20 pm

    Hi Nessa,
    I came across your site and was wondering how I could use the MySQL escape as an include file? Do you mean to create a php file with that code and place it in my include folder? If so, how do I reference it in each php script to pull it in? If not, please let me know if I need to copy and paste that code manually into each php script. Thanks for your help!

  • Nessa | November 28, 2007 at 9:11 pm

    Depending on your setup, you would give your filename a variable and add it to the value parameter. To include the file in all of your scripts, you can just use a simple include function. For instance if you name the script ‘file.php’, just add this line to all your scripts:

    include('/path/to/file.php');

  • stefan | December 5, 2007 at 3:56 pm

    While I am no PHP guru, I wonder if there isn’t a way to do parameterized queries? Because in the Windows/ODBC/C#/VB-NET world parameterized queries solve the problem without needing to change the input strings. Example: http://www.programmingado.net/c-27/a-132/Esecute-parameterized-query.aspx
