Sql injections

freebong

Hello everybody.
I have a little question about the sql injection.
I have this login script, in which I hadn't used the escape char function, so i was trying to hack it but i wasn't able.
I tried different way, but i have always the same sql syntax error.
Here's script, someone can explain me how to do it?
I want specify that i'm doing that only for educational and understanding the mechanism, not hacking a website or other.
regards and sorry for my bad english 🙂

<?php

session_start();

$_SESSION['user'] = $_POST['user'];
$_SESSION['pass'] = $_POST['pass'];
$_SESSION['authuser'] = false;

$user = $_POST['user'];
$pass = $_POST['pass'];
include("connection.inc.php");

mysql_select_db($dbname,$conn);
$query = "SELECT user, password FROM utenti WHERE user ='".$user."';"; 

$result = mysql_query($query,$conn) or die("Errore".mysql_error());

$row = mysql_fetch_array($result);

//echo $row['user']." ".$row['password'];
mysql_close($conn);
if ($row['user'] == $user and $row['password'] == $pass)
{
	echo "match found";
	$_SESSION['authuser']= true;
	header("location: home_frame.php"); 
}
else 
{
	echo "Login NON effettuato con successo.";
	echo '<html><body><a href= "index.html">Clicca sul link per essere reindirizzato alla pagina di login</a></body><html>';
	exit ();
}
?>

freebong

Even if it is trivial i add the user's table structure.[ATTACH]4623[/ATTACH]

tabella.png

jeepin81

You do have a syntax error. Look at your SQL statement.

freebong

jeepin81;11010315 wrote:
You do have a syntax error. Look at your SQL statement.

Ok, infact that's the problem.
I'm searching for the right injection but all i tried doesn't hack the script but only returns a syntax error.
My question is: which is the correct injection for not having errors??
I hope I explained the problem in an understable way!

freebong

jeepin81;11010315 wrote:
You do have a syntax error. Look at your SQL statement.

laserlight

Can't do much here, methinks. You can only execute one SQL statement with a single mysql_query call (enforced by the rule that the statement provided cannot end with a semi-colon), and since it is a SELECT, you cannot modify and hence corrupt any data. Since the password is compared separately, you cannot bypass the authentication either.

freebong

laserlight;11010323 wrote:
Can't do much here, methinks. You can only execute one SQL statement with a single mysql_query call (enforced by the rule that the statement provided cannot end with a semi-colon), and since it is a SELECT, you cannot modify and hence corrupt any data. Since the password is compared separately, you cannot bypass the authentication either.

Are you telling me that's a secure login script??
Any possibility of injection?? 🙂

jeepin81

I don't think it's my place to advise you on how to do a proper SQL injection(s). On top of that, I don't think anyone on this forum will either.

laserlight

freebong wrote:
Are you telling me that's a secure login script?

No. You should properly sanitise your data.

freebong wrote:
Any possibility of injection?

Yes. It is simply my opinion that the injections that can be done will not be harmful, but why take the risk? After all, if your script changes, my assumptions may no longer hold, and if you leave this potential security bug alive, you may thus get bitten.

I suggest that you ditch the MySQL extension and use the PDO extension or MySQLi extension instead. This way, you have access to prepared statements, which allow you to separate the data used in the SQL statements from the SQL statements themselves, adding a layer of security against SQL injection.

freebong

jeepin81;11010327 wrote:
I don't think it's my place to advise you on how to do a proper SQL injection(s). On top of that, I don't think anyone on this forum will either.

I specified in the first post that this is my script.
The question is aimed at understanding how to protect themselves and how this type of attacks are performed.
However, if it's not allowed to continue the discussion will not post anything else about that.

freebong

laserlight;11010329 wrote:
Yes. It is simply my opinion that the injections that can be done will not be harmful, but why take the risk? After all, if your script changes, my assumptions may no longer hold, and if you leave this potential security bug alive, you may thus get bitten.

Ok but i got a question.
If the user posted in the form is: ';" echo "hacked"; //
where..
';"; --> close the query (no result) and the statement
echo "hacked"; --> is a new injected statement (potentialy a bad statement)
// --> comment that hides the rest of the script

if i entry this string in user's form i got a syntax error.. but i don't understand why..
i think the code that i should obtain is :
$query ="SELECT user, password FROM utenti WHERE user =' ';"; echo "hacked"; //';"; after // isn't everything commented?? or is still visible?? is this that generate the error??
i
someone can explain me??

laserlight

freebong wrote:
The question is aimed at understanding how to protect themselves and how this type of attacks are performed.

I have already told you how to protect yourself, if you really want to take the next step beyond the "escape char function". As for how SQL injection is performed: you already seem to have the general idea, and I am reluctant to go into detail here. A book like Essential PHP Security may help you.

freebong wrote:
if i entry this string in user's form i got a syntax error.. but i don't understand why..

You are confusing SQL syntax and PHP syntax.

freebong

laserlight;11010335 wrote:
You are confusing SQL syntax and PHP syntax.

My mind is a little confusing, you can enlighten me? 🙂

laserlight

This is PHP code:

echo "hacked";

You can try and execute it as SQL, but it will result in a syntax error since it is not SQL.

freebong

laserlight;11010343 wrote:
This is PHP code:
echo "hacked";
You can try and execute it as SQL, but it will result in a syntax error since it is not SQL.

But isn't the query closed before the echo statement?

bradgrafelman

freebong;11010345 wrote:
But isn't the query closed before the echo statement?

No; if you post this:

freebong;11010333 wrote:
';" echo "hacked"; //

in the 'user' field, then the SQL query that you will be telling MySQL to attempt to execute will be:

SELECT user, password FROM utenti WHERE user ='';" echo "hacked"; //';

freebong

bradgrafelman;11010355 wrote:
No; if you post this:
in the 'user' field, then the SQL query that you will be telling MySQL to attempt to execute will be:
SELECT user, password FROM utenti WHERE user ='';" echo "hacked"; //';

you're right.
so if I correct the user in this way:

$user = ' ;"; echo "hacked"; //

the php code should become:

$query = "SELECT user, password FROM utenti WHERE user = ' ' ;";   echo "hacked"; // ';";

but also in this way i got an error.. why??

Weedpacket

The MySQL extension (which, as has already been pointed out, is outdated) doesn't support multiple statements - which means it doesn't support the semicolon at the end of a statement either.

Also, as laserlight has already pointed out,

laserlight wrote:
You are confusing SQL syntax and PHP syntax.

If that's not it then you might want to consider saying what exactly the error is instead of just leaving us to guess.

freebong

Weedpacket;11010363 wrote:
The MySQL extension (which, as has already been pointed out, is outdated) doesn't support multiple statements - which means it doesn't support the semicolon at the end of a statement either.

Also, as laserlight has already pointed out,

If that's not it then you might want to consider saying what exactly the error is instead of just leaving us to guess.

so you suggest to use mysqli extension or what??
to which semicolon you mean exactly? 🙂
as soon as possible i ll post the exact error.. thanks

Weedpacket

laserlight;11010323 wrote:
Can't do much here, methinks. You can only execute one SQL statement with a single mysql_query call (enforced by the rule that the statement provided cannot end with a semi-colon), and since it is a SELECT, you cannot modify and hence corrupt any data. Since the password is compared separately, you cannot bypass the authentication either.

Hint: UNION