SQL Injection

Another type of web application attack is SQL injection. Suppose a naively implemented login page searches for records in a database which match the given username and password, like this:

$sql = "SELECT * FROM users WHERE username='$username' AND password='$password';";

If the input is not validated correctly, it would be possible to set $username and $password to be "' OR '1'='1". The resulting SQL query would be:
SELECT * FROM users WHERE username='' OR '1'='1' AND password='' OR '1'='1' ;

The WHERE clause of this query is always true, so it returns a non-empty result (every record in the users table), bypassing the login procedure and enabling the attacker to access the application. By successfully exploiting an SQL injection vulnerability the attacker can often gain superuser/admin access to the application or even the operating system.
The following is an attack we observed against PHPNuke:


which exploits the vulnerability detailed in Secunia advisory #14866 - the 'querylang' parameter allows an SQL injection attack against the application. This is the original Waraxe advisory about the vulnerability. The following source code is the problem:

$result9 = sql_query("SELECT pollID, pollTitle, timeStamp, voters FROM ".$prefix."_poll_desc $querylang order by voters DESC limit 0,$top", $dbi);

Because the application does not initialize the querylang parameter, an attacker can choose its value (provided register_globals is set in the PHP configuration, which used to be the default). Whatever the attacker supplies is pasted into the middle of the query as raw SQL, not even inside quotes. The advisory gives the following example exploit:


and as a result we can see md5 hashes of all the admin passwords in place, where normally top 10 votes can be seen :) The exploit will reveal the MD5 hashes of all the administrative users of PHPNuke. The value of seeing the MD5 hashes is being able to recover some passwords from them, as we explain below in the section "Top 10 Operating System commands issued".
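The login bypass described at the start of this section and the PHPNuke $querylang case, as an added example that is not from the original page or from PHPNuke: it runs the vulnerable concatenation and the parameterised fix side by side against a constructed sqlite3 database. The table nuke_poll_desc, its planguage column and the language allowlist are assumptions made for the example.

```python
import sqlite3

# Constructed sample database (not from the original page): one user and a
# poll table loosely modelled on the PHPNuke query; column names are assumed.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    db.execute("CREATE TABLE nuke_poll_desc (pollID INTEGER, pollTitle TEXT, "
               "voters INTEGER, planguage TEXT)")
    db.executemany("INSERT INTO nuke_poll_desc VALUES (?, ?, ?, ?)",
                   [(1, "Favourite OS", 40, "english"),
                    (2, "Lieblings-Editor", 25, "german")])
    return db

def login_vulnerable(db, username, password):
    # Same construction as the PHP login page: input spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}';")
    return db.execute(sql).fetchall()

def login_safe(db, username, password):
    # Parameterised query: values travel separately from the statement and are
    # only ever compared as data, so the same payload simply matches nothing.
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return db.execute(sql, (username, password)).fetchall()

ALLOWED_LANGS = {"english", "german"}  # hypothetical allowlist of site languages

def top_polls_safe(db, lang, top=10):
    # The PHPNuke snippet let the request supply a whole SQL fragment
    # ($querylang). A clause cannot be bound as a parameter, so the fix is to
    # accept only a language *value*, check it against an allowlist, and bind
    # it and the row limit as data.
    if lang not in ALLOWED_LANGS:
        raise ValueError(f"unknown language: {lang!r}")
    sql = ("SELECT pollID, pollTitle, voters FROM nuke_poll_desc "
           "WHERE planguage=? ORDER BY voters DESC LIMIT 0,?")
    return db.execute(sql, (lang, int(top))).fetchall()

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # one row: bypassed
    print("safe:      ", login_safe(db, payload, payload))        # []
    print("polls:     ", top_polls_safe(db, "english"))
```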