  1. <?php
  2.     try {          
  3.         switch ($_SESSION["security-level"]){
  4.             case "0": // This code is insecure
  5.             case "1": // This code is insecure
  6.                 $lFormMethod = "GET";
  7.                 $lUserInfoSubmitButton = $_REQUEST["user-info-php-submit-button"];
  8.             break;
  9.                
  10.             case "2":
  11.             case "3":
  12.             case "4":
  13.             case "5": // This code is fairly secure
  14.                 $lFormMethod = "POST";
  15.                 $lUserInfoSubmitButton = $_POST["user-info-php-submit-button"];
  16.             break;
  17.         }//end switch
  18.     } catch (Exception $e) {
  19.         echo $CustomErrorHandler->FormatError($e, $lQuery);
  20.     }// end try;
  21. ?>
  22.  
<div class="page-title">View your details</div>

<?php include_once './includes/back-button.inc';
/*
 * Credential form for this page. Its method is whatever the section above
 * chose from the security level: GET at levels 0-1, so the username and
 * password travel in the query string (browser history, server and proxy
 * logs, Referer headers); POST at levels 2-5. No CSRF token is present in
 * this markup at any level.
 *
 * The hidden "page" field repeats the page=user-info.php parameter already
 * in the action URL. The hidden "id-bad-cred-tr" row is switched on by an
 * inline script emitted further down when the lookup returns no rows.
 */
?>

<form   action="./index.php?page=user-info.php"
        method="<?php echo $lFormMethod; ?>"
        enctype="application/x-www-form-urlencoded" >
    <input type="hidden" name="page" value="user-info.php" />  
    <table style="margin-left:auto; margin-right:auto;">
        <tr id="id-bad-cred-tr" style="display: none;">
            <td colspan="2" class="error-message">
                Authentication Error: Bad user name or password
            </td>
        </tr>
        <tr><td></td></tr>
        <tr>
            <td colspan="2" class="form-header">Please enter username and password<br/> to view account details</td>
        </tr>
        <tr><td></td></tr>
        <tr>
            <td class="label">Name</td>
            <td><input type="text" name="username" size="20"></td>
        </tr>
        <tr>
            <td class="label">Password</td>
            <td><input type="password" name="password" size="20"></td>
        </tr>
        <tr><td></td></tr>
        <tr>
            <td colspan="2" style="text-align:center;">
                <input name="user-info-php-submit-button" class="button" type="submit" value="View Account Details" />
            </td>
        </tr>
        <tr><td></td></tr>
        <tr>
            <td colspan="2" style="text-align:center; font-style: italic;">
                Dont have an account? <a href="?page=register.php">Please register here</a>
            </td>
        </tr>
    </table>   
</form>
  64.  
  65. <?php
  66.     if (isset($lUserInfoSubmitButton) && !empty($lUserInfoSubmitButton)){
  67.  
  68.         try {          
  69.        
  70.             switch ($_SESSION["security-level"]){
  71.                 case "0": // This code is insecure
  72.                 case "1": // This code is insecure
  73.                     //Accept data from either GET or POST to make this target soft for SQLMAP
  74.                     $lUsername = $_REQUEST["username"];
  75.                     $lPassword = $_REQUEST["password"];
  76.            
  77.                     $LogHandler->writeToLog($conn, "Recieved request to display user information for: " . $lUsername);
  78.                    
  79.                     $lQuery  = "SELECT * FROM accounts WHERE username='".
  80.                     $lUsername .
  81.                     "' AND password='" .
  82.                     $lPassword .
  83.                     "'";
  84.                     $lEncodeOutput = FALSE;
  85.                 break;
  86.                
  87.                 case "2":
  88.                 case "3":
  89.                 case "4":
  90.                 case "5": // This code is fairly secure
  91.                     /*
  92.                      * Note: While escaping works ok in some case, it is not the best defense.
  93.                      * Using stored procedures is a much stronger defense.
  94.                      */
  95.                     $lUsername = $_POST["username"];
  96.                     $lPassword = $_POST["password"];
  97.            
  98.                     $LogHandler->writeToLog($conn, "Recieved request to display user information for: " . $lUsername);
  99.                    
  100.                     $lQuery  = "SELECT * FROM accounts WHERE username='".
  101.                     $conn->real_escape_string($lUsername).
  102.                     "' AND password='".
  103.                     $conn->real_escape_string($lPassword).
  104.                      "'";
  105.  
  106.                     /*
  107.                      * NOTE: Input validation is excellent but not enough. The output must be
  108.                      * encoded per context. For example, if output is placed in HTML,
  109.                      * then HTML encode it. Blacklisting is a losing proposition. You
  110.                      * cannot blacklist everything. The business requirements will usually
  111.                      * require allowing dangerous charaters. In the example here, we can
  112.                      * validate username but we have to allow special characters in passwords
  113.                      * least we force weak passwords. We cannot validate the signature hardly
  114.                      * at all. The business requirements for text fields will demand most
  115.                      * characters. Output encoding is the answer. Validate what you can, encode it
  116.                      * all.
  117.                      */
  118.                     // encode the output following OWASP standards
  119.                     // this will be HTML encoding because we are outputting data into HTML
  120.                     $lEncodeOutput = TRUE;
  121.                 break;
  122.             }// end switch
  123.  
  124.             $result = $conn->query($lQuery);
  125.             if (!$result) {
  126.                 throw (new Exception('Error executing query: '.$conn->error, $conn->errorno));
  127.             }// end if
  128.            
  129.             if ($result->num_rows > 0) {
  130.                 echo '<p class="report-header">Results for '.$row->username.'. '.$result->num_rows.' records found.<p>';
  131.                 while($row = $result->fetch_object()){
  132.                
  133.                     $LogHandler->writeToLog($conn, "Displayed user-information for: " . $row->username);               
  134.                    
  135.                     if(!$lEncodeOutput){
  136.                         $lUsername = $row->username;
  137.                         $lPassword = $row->password;
  138.                         $lSignature = $row->mysignature;
  139.                     }else{
  140.                         $lUsername = $Encoder->encodeForHTML($row->username);
  141.                         $lPassword = $Encoder->encodeForHTML($row->password);
  142.                         $lSignature = $Encoder->encodeForHTML($row->mysignature);          
  143.                     }// end if
  144.                    
  145.                     echo "<b>Username=</b>{$lUsername}<br>";
  146.                     echo "<b>Password=</b>{$lPassword}<br>";
  147.                     echo "<b>Signature=</b>{$lSignature}<br><p>";
  148.                 }// end while
  149.                 echo "<p>";
  150.             } else {
  151.                 echo '<script>document.getElementById("id-bad-cred-tr").style.display=""</script>';
  152.             }// end if ($result->num_rows > 0)
  153.                
  154.         } catch (Exception $e) {
  155.             echo $CustomErrorHandler->FormatError($e, $lQuery);
  156.         }// end try;
  157.        
  158.     }// end if (isset($_POST))
  159. ?>
  160.  
  161. <?php
  162.     // Begin hints section
  163.     if ($_SESSION["showhints"]) {
  164.         echo '
  165.             <table>
  166.                 <tr><td class="hint-header">Hints</td></tr>
  167.                 <tr>
  168.                     <td class="hint-body">
  169.                         <ul class="hints">
  170.                             <li><b>For SSL Injection:</b>The old "\' or 1=1 -- " is a classic, but there are others. Check out who
  171.                                 you are logged in as after you do the injection.
  172.                             </li>
  173.                             <li><b>For Session and Authentication:</b>As for playing with sessions, try a
  174.                                 <a href="https://addons.mozilla.org/en-US/firefox/addon/4510">cookie editor</a>
  175.                                 to change your UID.
  176.                             </li>
  177.                             <li><b>For Insecure Authentication:</b>Try sniffing the traffic with Wireshark, Cain, Dsniff or Ettercap.</li>
  178.                             <li>Some code contains naive protections such as limiting the width of HTML fields.
  179.                                 If your If you find that you need more room, try using a tool like Firebug to
  180.                                 change the size of the field to be as long as you like. As you advance,
  181.                                 try using tools like netcat to make your own POST requests without having
  182.                                 to use the login web page at all.
  183.                             </li>
  184.                             <li>You can use the login page normally but then simply change the parameters with Tamper Data.
  185.                             Because Tamper Data is allowing the user to manipulate the request after the request has
  186.                             left the browser, any HTML or JavaScript has already run and is completely useless as a
  187.                             security measure. Any use of HTML or JavaScript for security purposes is useless anyway.
  188.                             Some developers still fail to recognize this fact to this day.
  189.                             </li>
  190.                             <li>
  191.                             Try SQL injection probing by entering single-quotes, double-quotes,
  192.                             paranthesis, double-dash (--), hyphen-asterik (/*), and
  193.                             closing-parenthesis-hyphen-hyphen ()--)
  194.                             </li>
  195.                             <li>The first step is not gaining access but recon. Gaining access is actually fairly late
  196.                             in the process. To do recon with respect to SQL injection, try to cause errors to see how the
  197.                             application reacts. Some applications (many actually) fail to install custom error pages
  198.                             as required. Try to find out what database is running then inject special characters for that database.
  199.                             After special characters, try fuzzing major characters sets. Finally, if the application
  200.                             still has not produced useful error messages, then try timing attacks. Your goal is to get a
  201.                             reaction. Well built sites wont act differently even when a database error occurs.
  202.                             </li>
  203.                             <li>After performing error recon and blind timing attacks, an entry point may be found to begin
  204.                             data extraction. Initially the best data to extract is data about the database itself. Try to
  205.                             answer the questions of what tables, views, columns, functions, procedures, system procedures,
  206.                             and other objects exist.
  207.                            
  208.                             From the MySQL reference documentation: Metadata is data about the data, such as the name of a database or table, the data type of a column, or access privileges. Other terms that sometimes are used for this information are data dictionary and system catalog.
  209.                             INFORMATION_SCHEMA is the information database, the place that stores information about all the other databases that the MySQL server maintains. Inside INFORMATION_SCHEMA there are several read-only tables. They are actually views, not base tables, so there are no files associated with them.
  210.                             In effect, we have a database named INFORMATION_SCHEMA, although the server does not create a database directory with that name. It is possible to select INFORMATION_SCHEMA as the default database with a USE statement, but it is possible only to read the contents of tables. You cannot insert into them, update them, or delete from them.
  211.                            
  212.                             Defense: Web apps should not actual have access to any tables or other objects. Web apps should only have one privilege; EXECUTE.
  213.                             Even then, the web app should only be able to execute on one schema and that schema should only contain the procedures
  214.                             needed explicitly by the application. The procs will still have access to the tables in the table schema because
  215.                             databases run procs with the authroity of the owner; not the caller. It works as if the database sets the "suid" bit on procs.
  216.                             Oracle and SQL Server do allow settings which alter this default behavior; for example causing the procs to run as the
  217.                             caller.
  218.                             </li>
  219.                             <li>MySQL information schema tables that would likely be useful to recon:
  220.                                 <ul>
  221.                                 <li>TABLES Table</li>
  222.                                 <li>COLUMNS Table</li>
  223.                                 <li>USER_PRIVILEGES Table</li>
  224.                                 <li>ROUTINES Table</li>
  225.                                 <li>VIEWS Table</li>
  226.                                 <li>TRIGGERS Table</li>
  227.                                 </ul>
  228.                             </li>
  229.                             <li>Attempt to recon what type of database is running then study the system functions, tables,
  230.                             and procedures that come with that platform. The built-in functions can come in handy.
  231.                             <li>
  232.                             <li>SQL Servers accept batch queries but MySQL and Oracle do not. However, Oracle is susceptable
  233.                             to all forms of SQL Injection all the same and provides the greatest number of system
  234.                             functions to exploit. MySQL has fewer functions but the ones provided are very useful.
  235.                             </li>
  236.                         </ul>
  237.                     </td>
  238.                 </tr>
  239.             </table>';
  240.     }//end if ($_SESSION["showhints"])
  241.    
  242.     if ($_SESSION["showhints"] == 2) {
  243.         include_once './includes/sql-injection-tutorial.inc';
  244.     }// end if 
  245.  
  246.     if ($_SESSION["showhints"] == 2) {
  247.         include_once './includes/cross-site-scripting-tutorial.inc';
  248.     }// end if
  249. ?>