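<?php
// board.php — workshop BBS: session-based login, post storage and listing.
// This top-level driver handles login/logout and dispatches to bbs_page() or
// login_form(); the page is a deliberately imperfect training target (see
// challenge()), but its SQL is meant to be injection-safe.
// Uses the legacy mysql_* extension (removed in PHP 7); the file targets PHP 5.
session_start();
$m = mysql_connect();
if (false === $m) {
    // The original ignored a failed connect and let every later call warn.
    die('Database connection failed');
}
mysql_select_db("test", $m);
if (isset($_POST['logout'])) {
    unset($_SESSION['user_id']);
    unset($_SESSION['fullname']);
}
if (!isset($_SESSION['user_id'])) {
    if (!isset($_POST['username'])) {
        login_form(0);
    }
    else {
        // Both credentials are escaped for the query with the explicit link.
        // The password is compared in plaintext against the users table; that is
        // a workshop fixture, a real application stores a password_hash() digest.
        // Guarded so a missing password field does not raise a notice (it still
        // interpolates as an empty string, as before).
        $password = isset($_POST['password']) ? $_POST['password'] : '';
        $qs = sprintf("SELECT id, fullname FROM users where name = '%s'
AND password = '%s'", mysql_real_escape_string($_POST['username'], $m), mysql_real_escape_string($password, $m));
        $q = mysql_query($qs, $m);
        $data = mysql_fetch_array($q);
        // mysql_fetch_array() returns false when no row matched; strict compare
        // rather than the original loose `false != $data`.
        if (false !== $data) {
            // New session id on privilege change, so a session id fixed before
            // login cannot be carried over into the authenticated session.
            session_regenerate_id(true);
            $_SESSION['user_id'] = $data['id'];
            $_SESSION['fullname'] = $data['fullname'];
            bbs_page($m);
        }
        else {
            login_form(1);
        }
    }
}
else {
    bbs_page($m);
}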
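/**
 * Render the board for a logged-in user: logout button, post form and every
 * post newest first. A submitted post is stored before the listing is read.
 *
 * @param resource $db mysql link resource from mysql_connect()
 * @return void  Writes HTML straight to the output buffer.
 *
 * Reads $_SESSION['user_id'] / $_SESSION['fullname'] (set by the login driver)
 * and $_POST['post'].
 */
function bbs_page ($db) { ?>
<html>
<head>
<title>
My cool BBS
</title>
</head>
<body>
Logged in as <?php echo $_SESSION['fullname']; ?> <form method="post"><input type="hidden" name="logout" value="1"><input type="submit" value="logout"></form>
<br />
Post something:
<form method="POST">
<textarea name="post">
</textarea>
<input type="submit">
</form>
<?php
if (isset($_POST['post'])) {
    // Post body escaped for SQL; user_id comes from the session and targets an
    // INT column, so it is cast rather than escaped. The link is passed
    // explicitly, matching the SELECT below (the original relied on the
    // implicit last-opened link for this one query).
    mysql_query(sprintf("INSERT INTO posts (post, user_id) VALUES ('%s', '%d');", mysql_real_escape_string($_POST['post'], $db), (int) $_SESSION['user_id']), $db);
}
$q = mysql_query("SELECT post, fullname FROM posts JOIN users ON (posts.user_id = users.id) ORDER BY posts.id DESC", $db);
// Author name ($row[1]) and post body ($row[0]) are written without
// htmlspecialchars(); that is the stored-content weakness the challenge() text
// asks participants to find. Escaping both with
// htmlspecialchars($v, ENT_QUOTES, 'UTF-8') is the fix outside the workshop.
while ($row = mysql_fetch_array($q, MYSQL_NUM)) {
    echo "<hr>";
    echo "<h3>";
    echo $row[1];
    echo " said:</h3>";
    echo $row[0];
}
challenge();
?>
</body>
</html>
<?php }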
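/**
 * Render the login form, optionally preceded by a failure message.
 *
 * @param int $bad 1 after a failed attempt (shows the message and re-fills the
 *                 username from $_POST), 0 on first display.
 * @return void  Writes HTML straight to the output buffer.
 */
function login_form ($bad) {
// The username is only present after a failed attempt (the driver calls
// login_form(0) when it is absent), so the guard avoids an undefined-index
// notice; it is escaped because it is reflected into an attribute value.
$username = isset($_POST['username']) ? htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8') : '';
?>
<html>
<body>
<?php if (1 === $bad) { echo "Bad username or password"; } ?>
Please login: <form method="POST">
Username: <input name="username" value="<?php echo $username ?>" /><br />
Password: <input name="password" type="password"><br />
<input type="submit" />
</form>
<?php challenge() ?>
</body>
</html>
<?php
}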
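/**
 * Print the workshop challenge text shown at the bottom of every board page.
 *
 * @return void  Writes HTML straight to the output buffer; takes no input.
 */
function challenge () { ?>
<hr />
<h1>Challenge</h1>
<p>Inject something which captures other users sessions, grab a session from
someone else, post as them.</p>
<p>This uses the same users table as the last example, so any users made there
should work for logging in here.</p>
<p><b>Note</b> this page should <b>not</b> be vulnerable to SQL injection.
Feel free to try, but it's hopefully protected.</p>
<?php
}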
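-- Workshop fixture schema for sql.php / board.php (MySQL).
-- Passwords are stored in plaintext on purpose: the sql.php exercise compares
-- them inside the query. A real schema stores a password_hash() digest instead.
create table users (id INT PRIMARY KEY, name TEXT NOT NULL, password TEXT NOT NULL, fullname TEXT NOT NULL);
-- users.id has no AUTO_INCREMENT, so every row needs an explicit id. The
-- original omitted it for admin: non-strict MySQL filled in 0 (with a warning),
-- strict sql_mode rejects the insert. 0 keeps the ids the fixture had before.
insert into users (id, name, password, fullname) values (0, 'admin', 'sekrit', 'Mr Admin');
insert into users (id, name, password, fullname) values (1, 't0m', 'supersekrit', 'Tomas Doran');
insert into users (id, name, password, fullname) values (2, 'jrandom', 'password', 'J Random');
-- Every MySQL column needs a type; the original `id PRIMARY KEY` is a syntax
-- error. id presumably pairs with users.id (rows exist for 1 and 2 only) but no
-- foreign key is declared, so that is not enforced.
create table user_credit_cards (id INT PRIMARY KEY, cc_number TEXT NOT NULL);
INSERT INTO user_credit_cards (id, cc_number) values (1, '4539390243132435');
INSERT INTO user_credit_cards (id, cc_number) values (2, '5547899433555475');
create table posts (id INT PRIMARY KEY AUTO_INCREMENT, user_id INT NOT NULL, post TEXT NOT NULL);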
<html>
<head>
<title>Workshop examples</title>
</head>
<body>
<h1>Examples</h1>
<ul><li><a href="simple.php">Simple HTML injection</a></li>
<li><a href="sql.php">Simple SQL injection</a></li>
<li><a href="board.php">Simple BBS with storage, logins and sessions</a></li>
</ul>
</body>
</html>
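<?php
// simple.php — "Simple HTML injection" workshop example: echoes the ?foo=
// query parameter straight back into an input's value attribute.
// The value is written without htmlspecialchars(); that is the lesson this page
// teaches. Outside the workshop the fix is htmlspecialchars($foo, ENT_QUOTES, 'UTF-8').
// isset() guard: the original raised an undefined-index notice on a first load
// with no foo parameter; output is otherwise unchanged.
$foo = isset($_GET['foo']) ? $_GET['foo'] : '';
?>
<html>
Data is: <form>
<input name="foo" value="<?php echo $foo ?>" />
<input type="submit" />
</form>
</html>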
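<?php
// sql.php — "Simple SQL injection" workshop example. Legacy mysql_* extension
// (PHP 5 only); mysql_connect() with no arguments falls back to the php.ini
// mysql.default_* settings.
$m = mysql_connect();
if (false === $m) {
    // The original ignored a failed connect and let every later call warn.
    die('Database connection failed');
}
mysql_select_db("test", $m);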
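/**
 * Render the login form together with the workshop notes for this page.
 *
 * @return void  Writes HTML straight to the output buffer.
 *
 * Only called when $_POST['username'] is absent (see the driver below the
 * function), so the username re-fill is normally empty; it is guarded and
 * escaped anyway so the function is safe to reuse after a failed attempt.
 */
function login_form () {
$username = isset($_POST['username']) ? htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8') : '';
?>
<html>
<body>
Please login: <form method="POST">
Username: <input name="username" value="<?php echo $username ?>" /><br />
Password: <input name="password" type="password"><br />
<input type="submit" />
</form>
<h2>Details about how to hack this</h2>
<h3>Working login</h3>
Username: admin<br>
Password: sekrit
<h3>SQL query</h3>
<pre>
SELECT id, fullname FROM users where name = '%s'
AND password = '%s';
</pre>
Note the <i>%s</i> sequences get interpolated with your data.
<h3>Things to try to do</h3>
<ul>
<li>Login as admin without the password</li>
<li>Enumerate all users by expanding that data into the 'fullname' column</li>
<li>Enumerate all tables in the database</li>
<li>Steal the credit card numbers</li>
</ul>
</body>
</html>
<?php
}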
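// Login handler. The query interpolates the raw POST fields on purpose: this is
// the exercise the page's "Details about how to hack this" section describes.
// board.php runs the same query with mysql_real_escape_string() on each value;
// a real application uses prepared statements with bound parameters instead.
if (!isset($_POST['username'])) {
    login_form();
}
else {
    // Guarded so a missing password field does not raise a notice; it still
    // interpolates as an empty string exactly as before.
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $qs = sprintf("SELECT id, fullname FROM users where name = '%s'
AND password = '%s'", $_POST['username'], $password);
    $q = mysql_query($qs, $m);
    $data = mysql_fetch_array($q);
    // mysql_fetch_array() returns false when no row matched; strict compare
    // rather than the original loose `false != $data`.
    if (false !== $data) {
        echo "ID: "; echo $data['id']; echo "<br />";
        echo "Name: "; echo $data['fullname']; echo "<br />";
    }
    else {
        echo "Bad username or password";
    }
}
?>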