Search code examples
phpsql-injection

How to exploit my PHP code with SQL Injection

I am working on a project where we have to write a login page with PHP and then exploit it using SQL injection, before fixing the vulnerability. So far I've written the login page, which connects to a database and does a lookup to see if a user exists, if they do then they can log in.

However no matter what I've tried I can't seem to be able to exploit to print out other users, bypass passwords, etc. and I'm not sure why (new to PHP). I haven't done any input sanitizing.

HTML input form: 

<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p><font face = "Arial" size="4" color="#6b8e23">Login Menu</font></p>
<input type="text" name="username" placeholder="Username" />
<div><input type="password" name="password" placeholder="password" /></div>
<input type="submit" name="Login" value="Login"></input>


<?php
// connect to database
$host = "localhost";
$username = 'root';
$password = '';
$dbname = "accounts";
$con = mysqli_connect($host, $username, $password, $dbname);

//check to ensure connection exists !DEBUG!
if (!$con) {
    die("Connection Failed: " . mysqli_connect_error());
    ?>
    <p><font face = "Arial" size="4" color="#ff4500">No Connection</font></p>
    <?php
} else {
    ?>
    <p><font face = "Arial" size="4" color="#ff4500">Connection established with sql server </font></p>
<?php
}

//if the form has been submitted
if (isset($_POST['Login']))
{
    //user login details
    $user = $_POST['username'];
    $pass = $_POST['password'];

    if($user != "" && $pass != "")
    {
        $sql_query = "SELECT count(*) as cntUser FROM users where usernames='".$user."' AND passwords='".$pass."'";

        $result = mysqli_query($con, $sql_query);
        $row = mysqli_fetch_array($result);
        $count = $row['cntUser'];

        if($count > 0)
        {
            $_SESSION['username'] = $user;
            ?>
            <p><font face = "Arial" size="4" color="#ff4500">User Found</font></p>
            <?php
        } else {
            ?>
            <p><font face = "Arial" size="4" color="#ff4500">No User by that name</font></p>
            <?php
        }
    }
}
?>

Thanks for reading over this, been stuck at it for a while now and I just can't figure it out!

Solution

  • It's all about handling the values of login and password. As long as they are not escaped malicious user can send values with single quote sign. In result the following characters will be interpreted as part of SQL query. I suggest printing the complete SQL query that is built in your script.

    For example entering

    ' OR TRUE OR passwords='

    as password will make it log in without knowing what the password is as the query will become:

    SELECT count(*) as cntUser FROM users where usernames='root' AND passwords='' OR TRUE OR passwords=''