@AndyNovo
Created March 8, 2016 15:24
SQL Injection attack vulnerable login
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE users (username text, pwd text);
INSERT INTO "users" VALUES('admin','5743abddddfa08c1e3a99fdebc2e8f3f1108fa12dcd2a8f58a42f141418c22ec');
INSERT INTO "users" VALUES('student','5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8');
COMMIT;
<!doctype html>
<html>
<head>
<title>Insecure Login</title>
</head>
<body>
<form action="login.php" method="post">
<input type="text" name="username" placeholder="username, e.g. admin">
<input type="password" name="password" placeholder="password">
<button type="submit">Send form</button>
</form>
</body>
</html>
<?php
// Deliberately vulnerable login handler (SQL injection demo).
session_start(); // required before $_SESSION can be used

$username = $_REQUEST["username"] ?? "";
$pwd = hash('sha256', $_REQUEST["password"] ?? "");

try {
    // PDO throws on failure; the constructor never returns false.
    $dbhandle = new PDO("sqlite:auth.db");
} catch (PDOException $e) {
    die("Failed to open DB");
}

// VULNERABLE: request input is concatenated straight into the SQL text.
$statement = $dbhandle->prepare("Select * from users where username='".$username."' and pwd='".$pwd."'");
$statement->execute();
$results = $statement->fetch(PDO::FETCH_ASSOC);

if (isset($results["pwd"])) {
    $_SESSION['logged_in'] = true;
    echo "Success! You are logged in.";
} else {
    $_SESSION["logged_in"] = false;
    header("Location: index.html"); /* Redirect browser */
    exit();
}
?>
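
A hardened counterpart to login.php, added here as an example and not part of the original gist: the lookup uses a bound parameter and the digest comparison happens in PHP instead of in the SQL text. It assumes the gist's auth.db schema and unsalted SHA-256 hex digests; the function names `find_user` and `check_login` are hypothetical.

```php
<?php
// Added example, not the gist author's code. Function names are hypothetical.
// Assumes the gist's schema: users(username text, pwd text), pwd = SHA-256 hex.
declare(strict_types=1);

function find_user(PDO $db, string $username): ?array
{
    // The placeholder keeps request input out of the SQL text entirely;
    // the value is bound as data and cannot change the statement's structure.
    $stmt = $db->prepare('SELECT username, pwd FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function check_login(PDO $db, string $username, string $password): bool
{
    $row = find_user($db, $username);
    // Unknown users are compared against a dummy digest so both paths do the same work.
    $stored = $row['pwd'] ?? str_repeat('0', 64);
    // hash_equals() is a constant-time comparison done in PHP, not in SQL.
    // Unsalted SHA-256 is kept only to match the gist's data; password_hash()
    // and password_verify() are the better choice for a real table.
    return hash_equals($stored, hash('sha256', $password)) && $row !== null;
}

session_start();
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$db = new PDO('sqlite:auth.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

if (is_string($username) && is_string($password)
    && check_login($db, $username, $password)) {
    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['logged_in'] = true;
    echo 'Success! You are logged in.';
} else {
    $_SESSION['logged_in'] = false;
    header('Location: index.html');
    exit();
}
```

Reading only `$_POST` also narrows the input sources compared with `$_REQUEST`, which merges query-string and cookie values into the same array.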
@VainXploits

What SQLi is this vulnerable to? I mean, what exact command?