I have a php code that I need to login without knowing the username or the password using SQL injection...I have tried so many of the examples on the internet and it doesnt seem to work. for e.g.
' or '1'='1
' or 'x'='x
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
... and many more!
This is the php code:
$query="SELECT user_name,password,display_name from members where user_name='".$_POST['user_name']."';";
$result=mysqli_query($Connect,$query);
$row=mysqli_fetch_assoc($result);
$user_pass = md5($_POST['pass_word']);
$user_name = $row['user_name'];
$display_name = $row['display_name'];
if(strcmp($user_pass,$row['password'])!=0)
{
echo "Login failed for user ".$_POST['user_name'];
}
else
{
# Start the session
session_start();
$_SESSION['USER_NAME'] = $user_name;
$_SESSION['DISP_NAME'] = $display_name;
echo "<head> <meta http-equiv=\"Refresh\" content=\"0;url=home.php\" ></head>";
}
Can someone explain to me what sql injection I can use to login?
Thank you
Ignore the PHP. Focus on the SQL:
... WHERE username='$value'
You have to subvert that into something like
... WHERE username = '$value' OR truevalue
But you have that pesky ' after $value in there, getting in the way, so
... WHERE username = '$value' OR ''=''
^---------------^--- original quotes
^^^^^^^^^^^^^^^---injected value
so
$_POST['username'] = "' or ''='"
But note that this won't allow a login anyways, as you still compare the passwords in a non-injectionable fashion. This will just act to retrieve ALL of the user entries in the database, instead of just the one single user account.