Training: MySQL I (MySQL, Exploit, Training)
MySQL Authentication Bypass - The classic
This one is the classic mysql injection challenge.
Your mission is easy: Login yourself as admin.
Again you are given the sourcecode, also as highlighted version.
Enjoy!
Your mission is easy: Login yourself as admin.
Again you are given the sourcecode, also as highlighted version.
Enjoy!
GeSHi`ed PHP code
1 2 3 4 56 7 8 9 1011 12 13 14 1516 17 18 19 2021 22 23 24 2526 27 28 29 3031 32 33 34 3536 37 38 39 4041 42 43 44 4546 47 48 49 5051 52 53 54 5556 57 58 59 6061 62 63 64 6566 67 68 69 7071 72 73 74 7576 | <?php /* TABLE STRUCTURE CREATE TABLE IF NOT EXISTS users ( userid INT(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY, username VARCHAR(32) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL,password CHAR(32) CHARACTER SET ascii COLLATE ascii_bin NOT NULL ) ENGINE=myISAM; */ # Username and Password sent?if ( ('' !== ($username = Common::getPostString('username'))) && (false !== ($password = Common::getPostString('password', false))) ) { auth1_onLogin($chall, $username, $password); } /** * Get the database for this challenge. * @return GDO_Database */ function auth1_db() { if (false === ($db = gdo_db_instance('localhost', WCC_AUTH_BYPASS1_USER, WCC_AUTH_BYPASS1_PASS, WCC_AUTH_BYPASS1_DB))) { die('Database error 0815_1!'); } $db->setLogging(false); $db->setEMailOnError(false); return $db; } /** * Exploit this! * @param WC_Challenge $chall * @param unknown_type $username * @param unknown_type $password * @return boolean */function auth1_onLogin(WC_Challenge $chall, $username, $password) { $db = auth1_db(); $password = md5($password); $query = "SELECT * FROM users WHERE username='$username' AND password='$password'"; if (false === ($result = $db->queryFirst($query))) { echo GWF_HTML::error('Auth1', $chall->lang('err_unknown'), false); # Unknown user return false; } # Welcome back! echo GWF_HTML::message('Auth1', $chall->lang('msg_welcome_back', htmlspecialchars($result['username'])), false); # Challenge solved? if (strtolower($result['username']) === 'admin') { $chall->onChallengeSolved(GWF_Session::getUserID()); } return true; } ?> <form action="index.php" method="post"><table> <tr> <td><?php echo $chall->lang('username'); ?>:</td> <td><input type="text" name="username" value="" /></td> </tr><tr> <td><?php echo $chall->lang('password'); ?>:</td> <td><input type="password" name="password" value="" /></td> </tr> <tr> <td></td> <td><input type="submit" name="login" value="<?php echo $chall->lang('btn_login'); ?>" /></td> </tr> </table> </form> |
© 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by Gizmore