I received an assigment to hack a given website using sql injection
$sel1 = mysql_query ("SELECT ID, name, locale, lastlogin, gender,
FROM USERS_TABLE
WHERE (name = ’$user’ OR email = ’$user’) AND pass = ’$pass’");
$chk = mysql_fetch_array($sel1);
if (found one record)
then {allow the user to login}
The question is which values of $user and $password should I enter to hack the website?
I've tried putting a true value in user (eg: admin) and for the $password I tried using (" or ""=")-no brackets which didn't work. I also tried (' or ''=')-no brackets
This looks quite simple, am I missing something?
I assume this is a school/university assignment, and not for purpose of hacking real sites.
Paste something which would be a part of the valid SQL, and which would make the condition evaluate to TRUE regardless of what's actually in the database.
That means, by entering the "correct" values, you can login to the web site without knowing the actual username/password in the database.
Consider the following condition:
WHERE (name = '' OR ''='' OR email = '' OR ''='') AND pass = '' OR TRUE LIMIT 1 -- '
It always evaluates to TRUE if there's at least one user in the database, and it returns one row at most (because of LIMIT 1).
Now you must just "extract the pieces from this condition" and enter them as user name and password:
' OR ''='' OR TRUE LIMIT 1 --Note that the last apostrophe character at the end of the query which is inserted by PHP becomes a comment and is not causing an SQL syntax error.