How to Review a Vulnerable SQL Injection Login Form in PHP

Summary

We reviewed a login form written in php and vulnerable to SQL Injection. We compared different versions of the code and built a SQL Injection payload for each case.

Get OSCP Certificate Notes

First code examination

How to review PHP Login Form For SQL Injection - Secure Coding

The code is a php code for login form. As we can see, the login username and login password are stored in two variables. The value of each variable is taken as an input from the user via HTTP POST request.

The problem here is that whatever the user enters in the login form, it is directly used in the sql query in the following line and then executed in the backend allowing for malicious input to take place.

Exploitation

The following screenshot illustrates how we injected a SQL payload into the login form

How to review PHP Login Form For SQL Injection - Secure Coding

We can try different payload variations such as

root’ or 1=1##

‘ or 1=1 — #

‘ or 1–

As long as the login fields variables aren’t used with single quotes. We will see code examples were the variables are quoted. In those cases, the SQL injection payload would differ.

The screenshot below demonstrates successful exploitation of the login form.

How to review PHP Login Form For SQL Injection - Secure Coding

Second code examination

In the following screenshot, we reviewed another vulnerable php login form to SQL Injection. The difference is that the login variables are used with single quotes in the query variable

Thus our SQL payload would differ. Our payload in this case should start and end with a quote to close the ones used in the query variable.

Example would be:

How to review PHP Login Form For SQL Injection - Secure Coding

or ”=’

‘root or ”=’

Third code examination

We modified the same code to use parentheses with single quotes in the SQL query.

In this case, our SQL Payload would also need to start with single quote and a parentheses

‘) or true–

Fourth Code examination

What if the code contained the two login variables with parentheses and double quotes.

Our SQL payloads in this case need to close the parenthesis and the double quotes

” or true–

“) or true–

‘)) or true–

Full Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles