I want to use PHP/Mysql injection with a login example, my code is below.
I have tried with a username of anything' --
and an empty password but it doesn't work and I couldn't log in.
Could anyone help me?
<?php
mysql_connect('localhost','root','root');
mysql_select_db('hp');
?>
<form action="" method="post">
<table width="50%">
<tr>
<td>User</td>
<td><input type="text" name="user"></td>
</tr>
<tr>
<td></td>
<td><input type="text" name="password"></td>
</tr>
</table>
<input type="submit" value="OK" name="s">
</form>
<?php
if($_POST['s']){
$user = $_POST['user'];
$pass = $_POST['password'];
$re = mysql_query("select * from zend_adminlist where user_name = '$user' and password = '$pass'");
if(mysql_num_rows($re) == 0){
echo '0';
}else{
echo '1';
}
}
?>
One of the most common examples is this query:
' or '1'='1
If you enter this as the username and password into some unsanitized login input the query changes like so:
Original: SELECT * FROM USERS WHERE USER='' AND PASS='';
Modified: SELECT * FROM USERS WHERE USER='' or '1'='1' AND PASS='' or '1'='1';
This causes each thing its looking for to be true, as 1 will always equal 1. Problem with this method is it does not allow the selection of a particular user. Doing so you need to make it ignore the AND statement by commenting it out as seen in other examples.