Saturday, June 2, 2012

SQL Injection Defense

In the last post I covered the basics of how to break an Admin Panel; now let's look at basic ways to protect one.

The pattern in the last post was: the user enters values, the values are pasted directly into the query, and the database, knowing no better, executes whatever query it is given.

User >>> PHP Script >>> Database

If the values are escaped before the PHP script builds the query, the attacker can no longer use a quote to break out of the string literal, which defeats the very basic SQL Injection attack.

User >>> Filter >>> PHP Script >>> Database

The Login Form Code (it uses GET, as in the last post, to keep the example short; a real login form should use POST so the password does not end up in the URL, the browser history and the server logs):

<form method="GET" action="filter.php">
Name: <input type="text" name="uname" />
Password: <input type="password" name="pwd" />
<br />
<input type="submit" value="Login" name="login" />
</form>

Which gives us the ADMIN LOGIN PANEL section: a Name field, a Password field and a Login button.

filter.php

<?php

// One of the ways used to prevent SQL Injection: escape the input before it goes into the query

if ( isset( $_GET['login'] ) )
{
    // Connect to the database (mysql_real_escape_string() needs an open connection)
    $conn = mysql_connect( "localhost", "username", "password" ) or die( "Could Not Connect To Database" );

    // Select the database that holds the Users table ("database" is a placeholder name)
    mysql_select_db( "database", $conn ) or die( "Could Not Select Database" );

    // Get the username
    $name = $_GET['uname'];

    // Get the password
    $passwd = $_GET['pwd'];

    // Filtering process: backslash-escape quotes, backslashes and NUL so the value
    // cannot close the string literal it will be placed in
    $filname = mysql_real_escape_string( $name, $conn );
    $filpass = mysql_real_escape_string( $passwd, $conn );

    // Build the query. The escaped values MUST be wrapped in single quotes;
    // escaping only protects a value that sits inside a quoted literal
    $query = "SELECT * FROM Users WHERE user = '" . $filname . "' AND password = '" . $filpass . "'";

    // Make the query
    $result = mysql_query( $query, $conn ) or die( "Query Failed" );

    // Count the rows returned
    $rows = mysql_num_rows( $result );

    if ( $rows != 0 )
    {
        header( "Location: admin.php" );
        exit; // stop here, otherwise the rest of the script keeps running after the redirect
    }
    else
    {
        die( "Invalid Username or Password" );
    }
}
?>

So here, before we run the query, we escape the user input values.

mysql_real_escape_string() puts a backslash in front of the characters that have a special meaning inside a MySQL string literal (single quote, double quote, backslash, NUL, newline, carriage return and Ctrl-Z), so the value can no longer terminate the quoted string the query wraps it in. Note that the mysql_* functions used here belong to the old MySQL extension, which was deprecated in PHP 5.5 and removed in PHP 7; new code should use mysqli or PDO, which also give you prepared statements.

Now, if the user enters:

Username = Computer
Password = Korner

There is nothing to escape here, but since no record matches the values entered, we get:

"Invalid Username or Password"

Now let's try to change the logic:

Username = Computer
Password = Korner OR '1' = '1'

With this script the values are escaped and the logic of the query does not change:

SELECT * FROM Users
WHERE user = 'Computer'
AND password = 'Korner OR \'1\' = \'1\'';

Because of mysql_real_escape_string, the password entered with the SQL Injection becomes "Korner OR \'1\' = \'1\'".

Since the single quotes are escaped, the whole payload is just a (non-matching) password string; the query's logic is untouched and it returns:

"Invalid Username or Password"

Thus making the Basic SQL Injection Unsuccessful.

This can still be bypassed, but the K-Scripters will move on to some other website or Admin Panel.

Escaping only protects a value that is placed inside a quoted string. If a value is used without quotes, for example a numeric id taken from the URL and dropped straight into WHERE id = ..., no quote is needed to break out, so mysql_real_escape_string() changes nothing and payloads like these go straight through:

/*OR*/ 1--
/*OR*/ True--
/*OR*/ 1=1

/* ... */ --> a comment in SQL (and in PHP); MySQL accepts it in place of a space, which is why it is used here to slip past filters that look for spaces
-- --> the start of a SQL line comment (in MySQL it must be followed by a space or other whitespace); everything after it in the statement is ignored
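To see concretely why the escaping above works, where it stops working, and what the stronger fix (prepared statements) looks like, here is an added, runnable example; it is not code from the original post. It uses Python's built-in sqlite3 as a stand-in for PHP + MySQL with a constructed in-memory Users table. Because SQLite has no backslash escapes, the escape() helper doubles single quotes (the SQL-standard form) instead of mysql_real_escape_string's backslash; the effect for this demonstration is the same. The table and column names, the two sample rows and the payloads are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the page's MySQL Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)")
    conn.execute("INSERT INTO Users (id, user, password) VALUES (1, 'admin', 's3cret')")
    conn.execute("INSERT INTO Users (id, user, password) VALUES (2, 'alice', 'wonder')")
    conn.commit()
    return conn


def escape(value):
    """Stand-in for mysql_real_escape_string(): neutralise the character that
    could close a quoted SQL literal. SQLite doubles the quote instead of
    prefixing a backslash; either way the quote can no longer end the string."""
    return value.replace("'", "''")


def login_unescaped(conn, name, passwd):
    """The 'last post' version: raw values pasted into a quoted literal."""
    query = "SELECT * FROM Users WHERE user = '%s' AND password = '%s'" % (name, passwd)
    return len(conn.execute(query).fetchall())


def login_escaped(conn, name, passwd):
    """The filter.php approach: escape, then wrap in single quotes."""
    query = "SELECT * FROM Users WHERE user = '%s' AND password = '%s'" % (
        escape(name), escape(passwd))
    return len(conn.execute(query).fetchall())


def lookup_by_id_escaped(conn, user_id):
    """Same escaping, but the value is used WITHOUT quotes (numeric column).
    Escaping quotes cannot help: no quote is needed to change the logic."""
    query = "SELECT * FROM Users WHERE id = %s" % escape(user_id)
    return len(conn.execute(query).fetchall())


def login_parameterised(conn, name, passwd):
    """Prepared statement: the driver sends the values separately from the
    SQL text, so they are data in every context, quoted or not."""
    query = "SELECT * FROM Users WHERE user = ? AND password = ?"
    return len(conn.execute(query, (name, passwd)).fetchall())


def lookup_by_id_parameterised(conn, user_id):
    query = "SELECT * FROM Users WHERE id = ?"
    return len(conn.execute(query, (user_id,)).fetchall())


if __name__ == "__main__":
    db = make_db()
    quoted_payload = "Korner OR '1' = '1'"   # the page's payload
    classic_payload = "x' OR '1'='1"          # closes the literal itself
    numeric_payload = "1 OR 1=1"              # no quote needed

    print("unescaped, classic payload  ->", login_unescaped(db, "Computer", classic_payload), "rows")
    print("escaped,   page payload     ->", login_escaped(db, "Computer", quoted_payload), "rows")
    print("escaped,   classic payload  ->", login_escaped(db, "Computer", classic_payload), "rows")
    print("escaped,   unquoted id      ->", lookup_by_id_escaped(db, numeric_payload), "rows")
    print("prepared,  unquoted id      ->", lookup_by_id_parameterised(db, numeric_payload), "rows")
    print("prepared,  classic payload  ->", login_parameterised(db, "admin", classic_payload), "rows")
```

Run it and the three outcomes line up with the text: the unescaped login returns every row for the classic `' OR '1'='1` payload; the escaped login returns nothing for both payloads because the quotes stay inside the literal; the escaped but unquoted id lookup still returns every row for `1 OR 1=1`, which is exactly the gap the comment-style payloads above exploit; and the parameterised versions return nothing in either case, because the bound value is never parsed as SQL. That is why prepared statements, not escaping, are the recommended defence.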

There are other ways too (for example the multibyte character set trick that works when the connection's character set has not been set with mysql_set_charset()); if you are interested, go and look them up.

I will discuss other ways too, but if you know other ways to prevent SQL Injection, feel free to comment.

The purpose is to raise awareness, and to protect you from being hacked by K-Scripters.

Thank You
