is this login code vulnerable to sqli ?

**Crim3R** · 08-15-2012, 07:16 PM

hi all i have get this code by a source code disclosure bug tryed to login to mysql after reading config but remote access is disabled. i want to know is this login code vulnerable to sqli ?
thanks

Code:

<?php session_start();?>
<?php
require("../dbconnect/newsite.php");

$showform=true;
if (isset($_POST['login'])){
	if (!empty($_POST['usr'])){
		$un=trim($_POST['usr']);
	}
	if (!empty($_POST['pass'])){
		$pw=trim(md5($_POST['pass']));
	}
	$scode=$_POST["scode"];
	if ( ($scode == $_SESSION["security_code"]) && (!empty($scode) && !empty($_SESSION["security_code"])) ) 

{
//echo "SELECT * FROM admins WHERE user='$un' AND pass='$pw'";
	$rs=mysql_query("SELECT * FROM admins WHERE user='$un' AND pass='$pw'")or die("hahaha");
	if( mysql_num_rows($rs) > 0 )
	{
		$row=mysql_fetch_array($rs);
		$_SESSION['adminId']=$row['id'];	
		$_SESSION['adminName']=$row['name'];
		//echo"Welcome <b>".$row['name']."</b>";
		$showform=false;
	
	}
	else
{
	$_SESSION['adminId']=0;
}
}

	
else{
		$_SESSION['adminId']=0;
		//$showform=true;
	}
header("location:index.php");
	
}		
?>

**Anant Shrivastava** · 08-16-2012, 12:19 AM

--- posted an answer but removing it coz this looks like a direct attempt to mount an attack.

**Crim3R** · 08-16-2012, 09:27 PM

direct attempt to mount an attack ?
are u kidding ? there is 1000 of 0days publishing mountly.
and ur worried about this little code ? well i should say i already hacked the target in another way i was just trying to learn something
anyway thanks for answer

**fb1h2s** · 08-17-2012, 12:53 AM

@anant There would't be much we[mods] would be able to do when he speaks up with so much confident , he will eventually will do what He want's

.

@crimer what anant and [We all] wanted for the forum is to keep the offensive rate low, and wann keep this place as professional as possible. So in future what ever motive you'r asking questions , please do not mention you'r intentions, or lie to us that you'r doing it for something good #simple .

Any way it's exploitable now that u have found ur way, it does't make sense.

**Crim3R** · 08-17-2012, 12:21 PM

@fb1h2s yeah ok.
i shlould say my porpose from hacking is not bad in the first place
Files from Crim3R ≈ Packet Storm
ive just started bug researching in few mounts and i got few things in this little time .
about the target i hacked it from server . but im still Curious about this code.
and i will be thankful if u tell me how to understand these things myself

**fb1h2s** · 08-17-2012, 02:27 PM

I can explain that code, but would not help you anyway for future .

And here is everything you need to know on HOW TO.

Road to Web Application Security

**"vinnu"** · 08-17-2012, 05:33 PM

Namaste
The answer is simple. And as others i too wrote but did not posted it. The code is simple to understand, If u were able to grab the code, then it will take very less effort to understand this code..."vinnu"

**amolnaik4** · 08-17-2012, 07:32 PM

@Crim3r: The best "to do" for you is get RIPS n scan this code. It will give you report whether this is vulnerable or not to any vulnerability. And best part is it gives potential exploit code as well.

Try it:
RIPS - free PHP security scanner using static code analysis

AMol NAik

**[s]** · 08-18-2012, 05:55 PM

Crim3r , You can try my tool PHP Source Code Testing Tool

Code:

http://www.sandeepkamble.com/skl337/2011/08/09/psa-php-source-code-testing-tool/

all the best ..

Thread: is this login code vulnerable to sqli ?

LinkBack

Thread Tools

Search Thread

Display