Just a plain-looking login page, so let's jump to the source code:
So $query is built directly from unsanitized user input via $_REQUEST["username"] and $_REQUEST["password"]. What would happen if we put a quotation mark (") in either field? Let's try it; we'll also add "?debug=1" to the URL because, per lines 20 - 22, this makes the page print the actual query that gets executed:
Well, that's interesting: we got a warning. It tells us that mysql_num_rows() expected its argument to be a MySQL result resource but was given a boolean instead. The argument to mysql_num_rows() is the return value of mysql_query($query, $link), and mysql_query() returns false (a boolean) when the query fails, so something in our input must have broken the query. Our argument to mysql_query() was:
SELECT * from users where username=""" and password=""
It reads username="", which is just an empty username, followed by an extra, unmatched quotation mark, and then the rest of the query. The stray quotation mark makes the query syntactically invalid. More importantly, it tells us that our input lands inside the SQL string unescaped, so we can rewrite the query and maybe get authenticated without a password 😀
Let's set the username to natas15 and the password to (" or "1" = "1).
We won! The final query that was executed on the database was:
SELECT * from users where username="natas15" and password="" or "1" = "1"
Select all rows from the table "users" where the username equals natas15 and the password is empty, or where "1" = "1". Since AND binds tighter than OR, the condition is really (username="natas15" and password="") or ("1" = "1"). We didn't know the password for natas15, but because our input is pasted straight into the query we could append another logical operator, in this case OR. "1" = "1" always evaluates to true, and anything OR'd with true is true, so the WHERE clause matches every row in the table, mysql_num_rows() returns more than zero, and the application treats us as logged in even though we never supplied the password.
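To see the whole thing end to end, here is an added example that is not part of the original post or of the Natas code: a small Python script using an in-memory SQLite database with a constructed "users" table (two made-up accounts and passwords). vulnerable_login() mirrors the PHP above by concatenating input straight into the SQL and, like ?debug=1, hands back the query it ran; safe_login() is the fix, a parameterised query where the driver sends the values separately from the SQL text. The example uses the standard single-quote string delimiter rather than the double quotes of the Natas page, because SQLite does not reliably treat double-quoted text as a string, so the bypass payload becomes ' or '1' = '1 instead of " or "1" = "1; the mechanism is identical.

```python
import sqlite3

# Constructed sample data: a tiny stand-in for the natas14 "users" table.
USERS = [("natas14", "secret-14"), ("natas15", "secret-15")]


def make_db():
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def vulnerable_login(conn, username, password):
    """Mirror of the page's PHP: input is concatenated straight into the SQL.

    Returns (logged_in, executed_query, error). The executed query plays the
    role of the page's ?debug=1 output; error is the database's message when
    the query no longer parses (the page's mysql_num_rows() warning).
    """
    query = ("SELECT * from users where username='" + username
             + "' and password='" + password + "'")
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error as exc:
        return False, query, str(exc)
    # Same success test as the PHP: any row at all counts as a login.
    return len(rows) > 0, query, None


def safe_login(conn, username, password):
    """Same check with a parameterised query.

    The SQL grammar is fixed before the values are bound, so a quote or an
    OR in the input is compared as data and can never alter the WHERE clause.
    """
    query = "SELECT * from users where username=? and password=?"
    rows = conn.execute(query, (username, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    conn = make_db()
    # 1. A lone quote breaks the query, just like the first probe on the page.
    print(vulnerable_login(conn, "'", ""))
    # 2. The bypass: password="" fails, but OR '1'='1' matches every row.
    print(vulnerable_login(conn, "natas15", "' or '1' = '1"))
    # 3. With parameters the same payload is just a wrong password.
    print(safe_login(conn, "natas15", "' or '1' = '1"))
    print(safe_login(conn, "natas15", "secret-15"))
```

The equivalent fix in the page's PHP is to replace the string-built mysql_query() call with a prepared statement (mysqli or PDO with bound parameters); escaping alone is fragile, because the query text and the data still travel together.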