The bug was found in: func.inc.php
function F_loginUser($Username,$Password) {
    global $db;
    // $Username is concatenated straight into the query with no escaping
    $sql = "UPDATE T_Users SET ";
    $sql .= "LastLogin = now() ";
    $sql .= "WHERE Username = '$Username' ";
    $sql .= "AND Password = '" . md5($Password) . "' ";
    $sql .= "AND Verified = 'Y'";
    mysql_query($sql,$db);
    // Any row matched by the (attacker-controlled) WHERE clause counts as a login
    if (mysql_affected_rows()>0) {
        return true;
    }
    return false;
}
The input is not sanitized.
The problem with the code above is that I can input an SQL injection for the username.
Since your code does not check if the username and password have been tampered with, my injection will work.
If a user were to use this username and password:
Username: SOME_VALID_USERNAME' OR '1'='1' AND Verified = 'Y --
Password: anything
They have a good chance of getting access to the program.
I have written a patch. It is attached.
Essentially, add the line: $Username = mysql_real_escape_string($Username);
This patch will help because it will escape the MySQL injection characters in the username. The username would then be sanitized.
func.inc.php patch
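To make the effect of the reported username concrete, here is an added example (not part of the report or of func.inc.php) that models F_loginUser's query logic against a constructed in-memory SQLite table: the string-built version beside a version using bound parameters, which is the hardening a prepared statement gives in place of escaping.

```python
import hashlib
import sqlite3

# Constructed stand-in for T_Users; SQLite keeps the example self-contained.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE T_Users (Username TEXT, Password TEXT, "
               "Verified TEXT, LastLogin TEXT)")
    db.execute("INSERT INTO T_Users VALUES (?, ?, 'Y', NULL)",
               ("SOME_VALID_USERNAME", hashlib.md5(b"correct-horse").hexdigest()))
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """Mirrors F_loginUser: the username is concatenated into the SQL text."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("UPDATE T_Users SET LastLogin = CURRENT_TIMESTAMP "
           f"WHERE Username = '{username}' AND Password = '{pw_hash}' "
           "AND Verified = 'Y'")
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount > 0          # "affected rows > 0" == login accepted

def login_fixed(db, username, password):
    """Same query with bound parameters: input can never become SQL syntax."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    sql = ("UPDATE T_Users SET LastLogin = CURRENT_TIMESTAMP "
           "WHERE Username = ? AND Password = ? AND Verified = 'Y'")
    cur = db.execute(sql, (username, pw_hash))
    db.commit()
    return cur.rowcount > 0

# The username from the report, paired with a wrong password.
PAYLOAD = "SOME_VALID_USERNAME' OR '1'='1' AND Verified = 'Y --"

def demo():
    db = make_db()
    return {
        "vuln_payload":  login_vulnerable(db, PAYLOAD, "anything"),
        "fixed_payload": login_fixed(db, PAYLOAD, "anything"),
        "fixed_correct": login_fixed(db, "SOME_VALID_USERNAME", "correct-horse"),
        "fixed_wrong":   login_fixed(db, "SOME_VALID_USERNAME", "wrong"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'denied'}")
```

In the concatenated query the OR clause makes the WHERE match on the username alone, so the row is updated and the function reports success without the password; in PHP the same fix is a prepared statement with bound parameters (mysqli or PDO), which also replaces the removed mysql_* extension.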