Wednesday, 25 March 2015

After a successful SQL injection attempt, why isn't the result displayed on the webpage?





  1. Below is the PHP code I wrote that allows SQL injection through one parameter, i.e. 'id' in this case.

  2. On trying SQL injection by putting 2' ORDER BY 1;--' in the parameter (the id field), I get only SQL errors on the page.

  3. On executing the query directly on the MySQL server, i.e. SELECT * FROM users WHERE id = '2' ORDER BY 1;--''; I get the result below, that is, one row set along with the error.

    mysql> SELECT * FROM users WHERE id = '2' ORDER BY 1;--'';
    +----+----------+-----------+------------------+
    | id | username | password  | creditcard       |
    +----+----------+-----------+------------------+
    |  2 | John     | password! | 3123456769384659 |
    +----+----------+-----------+------------------+
    1 row in set (0.00 sec)

    ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '--''' at line 1






PHP code



<?php
// Intentionally injectable demo: the id parameter is concatenated straight into
// the SQL string. Only incidental defects are fixed here (undefined $id and $rows,
// mis-nested <pre>/<form> tags).
require_once 'login.php';

if (!isset($_GET['id']))
{
    echo <<<_END
<pre><h1>WELCOME to the KINGDOM</h1>
<form action = 'si2.php' method = 'GET'>
id <input type = 'text' name = 'id'>

<input type = 'submit' value = 'cl1ck M3'>
</form></pre>
_END;
}

// Take the raw parameter; without magic quotes, strip any backslashes so the
// quote characters reach the query untouched (this is the injection point).
$id = isset($_GET['id']) ? $_GET['id'] : '';
if (!get_magic_quotes_gpc())
{
    $id = stripslashes($id);
}

$connection = mysql_connect($db_hostname, $db_username, $db_password);
if (!$connection) die("Unable to connect with MySql " . mysql_error());

mysql_select_db($db_database, $connection) or die('Could not connect with the database');

// Vulnerable: $id is interpolated into the SQL string without escaping.
$query = "SELECT * FROM users WHERE id = '$id'";

// mysql_query() sends the string as a single statement and returns false on a
// syntax error, so $rows must default to 0 for the branch below to be defined.
$rows = 0;
$result = mysql_query($query);
if ($result)
{
    $rows = mysql_num_rows($result);
}
else
{
    echo "Could not execute the Query: <br>" . mysql_error();
}

if ($rows >= 1)
{
    for ($j = 0; $j < $rows; ++$j)
    {
        $row = mysql_fetch_row($result);
        echo "Hello $row[1]" . "<br>";
        echo "Your Credit Card Number is $row[3]" . "<br><br>";
        echo $query . "<br>";
        //echo $row[3];
    }
}
else
{
    echo "<br><br><br>Sorry no rows/results could be fetched on query execution <br><br><br>";
    //echo $query;
}
?>


My question is: why isn't my code able to fetch the row set and display the table entries? And if I want it to, what changes should I try?
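Why the injected string fails on the page but half-works in the CLI: mysql_query() sends the whole concatenated string as one statement, and MySQL rejects it because -- opens a comment only when followed by whitespace, whereas the mysql client splits on ; and runs the SELECT ... ORDER BY 1 part before failing on --''. The hardened version of si2.php below is an added example, not the original poster's code; it assumes login.php defines the same $db_* variables and that id is an integer column.

```php
<?php
// Added hardened example, not the original poster's code.
// Assumes login.php defines $db_hostname, $db_username, $db_password and
// $db_database exactly as the original si2.php does.
require_once 'login.php';

// Render the same form when no id was supplied, then stop.
if (!isset($_GET['id'])) {
    echo "<h1>WELCOME to the KINGDOM</h1>\n"
       . "<form action='si2.php' method='GET'>id <input type='text' name='id'>\n"
       . "<input type='submit' value='cl1ck M3'></form>";
    exit;
}

// 1. Validate: id is an integer column, so reject anything that is not one.
$id = filter_var($_GET['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('Invalid id');
}

// 2. Connect with mysqli and make failures throw instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli($db_hostname, $db_username, $db_password, $db_database);

// 3. Prepared statement: the SQL text is fixed and $id travels as a bound
//    parameter, so input such as 2' ORDER BY 1;--' can never become SQL.
$stmt = $db->prepare('SELECT username FROM users WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($username);

if ($stmt->fetch()) {
    // 4. Escape output; the query text and the card column are never echoed.
    echo 'Hello ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '<br>';
} else {
    echo 'No user found for that id<br>';
}
$stmt->close();
$db->close();
```

With the integer check and the bound parameter, the same payload yields a 400 response instead of a mysql_error() string that leaks the query structure.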




