is this login code vulnerable to sqli?



Crim3R
08-15-2012, 07:16 PM
Hi all, I got this code through a source code disclosure bug. I tried to log in to MySQL after reading the config, but remote access is disabled. I want to know: is this login code vulnerable to SQLi?
Thanks


<?php session_start(); ?>
<?php
require("../dbconnect/newsite.php");

$showform = true;
if (isset($_POST['login'])) {
    // Username and MD5 of the password are read from the form,
    // but only assigned when the fields are non-empty
    if (!empty($_POST['usr'])) {
        $un = trim($_POST['usr']);
    }
    if (!empty($_POST['pass'])) {
        $pw = trim(md5($_POST['pass']));
    }
    // Security (captcha-style) code from the form is compared with the one kept in the session
    $scode = $_POST["scode"];
    if (($scode == $_SESSION["security_code"]) && (!empty($scode) && !empty($_SESSION["security_code"]))) {
        //echo "SELECT * FROM admins WHERE user='$un' AND pass='$pw'";
        // $un and $pw are interpolated directly into the query string
        $rs = mysql_query("SELECT * FROM admins WHERE user='$un' AND pass='$pw'") or die("hahaha");
        if (mysql_num_rows($rs) > 0) {
            // First matching row becomes the logged-in admin
            $row = mysql_fetch_array($rs);
            $_SESSION['adminId']   = $row['id'];
            $_SESSION['adminName'] = $row['name'];
            //echo "Welcome <b>".$row['name']."</b>";
            $showform = false;
        } else {
            $_SESSION['adminId'] = 0;
        }
    } else {
        // Security code missing or mismatched
        $_SESSION['adminId'] = 0;
        //$showform=true;
    }
    header("location:index.php");
}
?>
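For comparison, a hardened version of the same login flow, added here as an example (it is not code from the thread or from the site the snippet was taken from). It assumes PHP 7+, that ../dbconnect/newsite.php exposes a mysqli connection as $db (an assumed name), the mysqlnd driver for get_result(), and that admins.pass stores password_hash() output rather than an MD5 hex string.

```php
<?php
// Hardened rewrite of the login above (added example; $db and the
// password_hash() storage format are assumptions, see the lead-in).
session_start();
require("../dbconnect/newsite.php");

$showform = true;
if (isset($_POST['login'])) {
    $un       = trim($_POST['usr'] ?? '');
    $pass     = $_POST['pass'] ?? '';
    $scode    = $_POST['scode'] ?? '';
    $expected = $_SESSION['security_code'] ?? '';

    // Strict, constant-time comparison of the security code (no == type juggling)
    $codeOk = $expected !== '' && $scode !== '' && hash_equals($expected, $scode);
    unset($_SESSION['security_code']);   // the code is single-use

    $_SESSION['adminId'] = 0;            // default to "not logged in"
    if ($codeOk && $un !== '' && $pass !== '') {
        // Parameterised query: the username is bound, never interpolated into SQL
        $stmt = $db->prepare("SELECT id, name, pass FROM admins WHERE user = ? LIMIT 1");
        $stmt->bind_param("s", $un);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        // The password is checked in PHP against the stored password_hash() value;
        // password_verify() is constant-time and handles the salt itself
        if ($row !== null && password_verify($pass, $row['pass'])) {
            session_regenerate_id(true);  // new session id on privilege change
            $_SESSION['adminId']   = (int) $row['id'];
            $_SESSION['adminName'] = $row['name'];
            $showform = false;
        }
    }
    header("Location: index.php");
    exit;                                 // stop processing after the redirect
}
?>
```

The original falls through after header() instead of exiting, so any code after it would still run for the redirected request; the exit here closes that gap.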

Anant Shrivastava
08-16-2012, 12:19 AM
--- posted an answer but am removing it because this looks like a direct attempt to mount an attack.

Crim3R
08-16-2012, 09:27 PM
Direct attempt to mount an attack?
Are you kidding? There are 1000s of 0days published monthly.
And you're worried about this little code? Well, I should say I already hacked the target in another way; I was just trying to learn something.
Anyway, thanks for the answer ;)

fb1h2s
08-17-2012, 12:53 AM
@anant There wouldn't be much we [mods] would be able to do when he speaks up with so much confidence; he will eventually do what he wants :D.

@crimer What anant and [we all] wanted for the forum is to keep the offensive rate low, and we want to keep this place as professional as possible. So in future, whatever motive you're asking questions with, please do not mention your intentions, or lie to us that you're doing it for something good #simple.

Anyway, it's exploitable now that you have found your way, it doesn't make sense.

Crim3R
08-17-2012, 12:21 PM
@fb1h2s Yeah, ok.
I should say my purpose for hacking is not bad in the first place:
Files from Crim3R ≈ Packet Storm (http://packetstormsecurity.org/files/author/9653/)
I've just started bug researching a few months ago and I got a few things in this little time.
About the target: I hacked it from the server. But I'm still curious about this code,
and I will be thankful if you tell me how to understand these things myself.

fb1h2s
08-17-2012, 02:27 PM
I can explain that code, but it would not help you anyway for the future.

And here is everything you need to know on HOW TO.

http://www.garage4hackers.com/f11/road-web-application-security-1788.html

"vinnu"
08-17-2012, 05:33 PM
Namaste
The answer is simple. And like others, I too wrote it but did not post it. The code is simple to understand; if you were able to grab the code, then it will take very little effort to understand this code... "vinnu"

amolnaik4
08-17-2012, 07:32 PM
@Crim3r: The best "to do" for you is to get RIPS and scan this code. It will give you a report on whether this is vulnerable or not to any vulnerability. And the best part is it gives potential exploit code as well.

Try it:
RIPS - free PHP security scanner using static code analysis (http://rips-scanner.sourceforge.net/)

AMol NAik

[s]
08-18-2012, 05:55 PM
Crim3r, you can try my tool, PHP Source Code Testing Tool:

http://www.sandeepkamble.com/skl337/2011/08/09/psa-php-source-code-testing-tool/ All the best.