fourth fourth - 4 years ago 145
Linux Question

About set id=1 and password = ' ' in the SQL injection

Here is certain expert's code:

https://github.com/DalerAsrorov/Security-Flaws-And-Their-Prevention/blob/master/SQL%20Injection%20Prevention/FCCU.php#L34

In this example, at first line 34 and 35 doesn't exist. So, it have one bug as described here:

https://github.com/DalerAsrorov/Security-Flaws-And-Their-Prevention/blob/master/SQL%20Injection%20Prevention/exploit3.txt#L21-L24

Set id and password as:


i)' OR '1'='1

ii)' OR ''='

iii) hi' OR 'x'='x


Which also mentioned here:

https://github.com/nathanctung/UCLA-CS-136/blob/1a883e2a6d1014fb5b162b332c867f6b4ef1e461/Assignment%203/submit3-1415097322/exploit3.txt#L21-L25

I am a noob in SQL and php. Really don't know why is this. I'd appreciate if you can tell me.

Update:

In this case, I should have input username and password to log in. But this bug enable one to input something else to log in and see some private content which only accessible to certain group. And the 34 and 35 line fix this bug. I don't know really understand this bug, why some other input enable you to log in?

Answer Source

In php, if you want to verify if user_id and password is correct (notice that this program use user id, instead of username), usually you write query like this

SELECT * FROM user WHERE id = <input_id> AND password = <input_password>

Then, you check if the query returns empty row, then it is invalid user. If the query returns 1 row, then the username and password is correct.

Now, if I want to login as other user (the other user's id is 1 in this case), I will insert 1 in the id column. However, I dont know the password. So, I must find a way to make these part in the query always return true password = <input_password>

One way to do that is by using password = 'random_string' OR password != ''. As the password always more than 0 character, the latter logical expression will always return true. So, I want the query to be something like this

SELECT * FROM user WHERE id = 1 AND password = '<random_string>' OR password != ''

Therefore, I will insert 1 in the id, and test' OR password != ' to make the query like above This query will never return empty row as long as user_id 1 exists, and you can login as user 1 in the application

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download