
10.3. Testing SQL Injection

Before going ahead with configuring rules, we will create a PHP script that is vulnerable to SQL injection and try it out. Note that this is just a basic PHP login script with no session handling, and it stores passwords in plain text; it exists only to give the rules something to catch.
  1. Download login script.
    $ wget http://zeus.fei.tuke.sk/bps3r/login.php.txt
    $ cp login.php.txt /var/www/html/login.php
    <html>
    <body>
    <?php
        if(isset($_POST['login']))
        {
            $username = $_POST['username'];
            $password = $_POST['password'];
            $con = mysqli_connect('localhost','root','','sample');
            $result = mysqli_query($con, "SELECT * FROM `users` WHERE username='$username' AND password='$password'");
            if(mysqli_num_rows($result) == 0)
                echo 'Invalid username or password';
            else
                echo '<h1>Logged in</h1><p>A Secret for you....</p>';
        }
        else
        {
    ?>
            <form action="" method="post">
                Username: <input type="text" name="username"/><br />
                Password: <input type="password" name="password"/><br />
                <input type="submit" name="login" value="Login"/>
            </form>
    <?php
        }
    ?>
    </body>
    </html>
    This script will display a login form. Entering the right credentials will display the message "A Secret for you....". Note that $username and $password are placed into the SQL string unescaped; that is the injection point we will exercise.
  2. We need credentials in the database. Create a MySQL database and a table, then insert usernames and passwords.
    $ mysql -u root
    Enter the following commands:
    create database sample;
    connect sample;
    create table users(username VARCHAR(100),password VARCHAR(100));
    insert into users values('jesin','pwd');
    insert into users values('alice','secret');
    quit;
  3. Open your browser, navigate to http://192.168.56.XYZ/login.php and enter the right pair of credentials.

    Note

    Username: jesin Password: pwd
  4. You'll see a message that indicates successful login. Now come back and enter a wrong pair of credentials. You'll see the message Invalid username or password.
  5. We can confirm that the script works right. The next job is to try our hand at SQL injection to bypass the login page. Enter the following in the username field:
    ' or true -- 

    Warning

    Note that there must be a space after -- ; this injection won't work without that space. MySQL only treats -- as the start of a comment when it is followed by whitespace, so without the space the rest of the statement stays part of the query and fails with a syntax error. Leave the password field empty and hit the login button.
    The WHERE clause the script now sends reads username='' or true -- ' AND password='' : everything after -- is ignored, or true matches every row, and mysqli_num_rows() is non-zero. Voila! The script shows the message meant for authenticated users.
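The bypass and its fix, as an added example that is not part of the original page: the same string-built query as login.php is run against an in-memory SQLite database seeded with the tutorial's two users, then the parameterized form of the query is run with the same input. The page's payload uses MySQL's true; 1=1 is the portable equivalent and is what this example sends. The table contents and function names are constructed here, not taken from the page.

```python
"""Added example (not part of the original page): reproduces the tutorial's
login bypass against an in-memory SQLite database and shows the parameterized
query that closes it. The rows are constructed to mirror the tutorial's
MySQL 'sample' database; no server is needed."""
import sqlite3

# Constructed data mirroring the rows inserted in step 2 of the tutorial.
USERS = [("jesin", "pwd"), ("alice", "secret")]

# The page's payload is "' or true -- " (MySQL); 1=1 is the portable
# equivalent used here. The trailing space after -- is kept on purpose.
PAYLOAD = "' or 1=1 -- "


def make_db() -> sqlite3.Connection:
    """Create the users table with plain-text passwords, as the tutorial does."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(username VARCHAR(100), password VARCHAR(100))")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def build_vulnerable_query(username: str, password: str) -> str:
    """Same string interpolation login.php performs; this is the injection point."""
    return (f"SELECT * FROM users WHERE username='{username}' "
            f"AND password='{password}'")


def vulnerable_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Mirrors login.php: any matching row counts as a successful login."""
    rows = con.execute(build_vulnerable_query(username, password)).fetchall()
    return len(rows) > 0


def safe_login(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized form: the values travel separately from the statement,
    so quotes and comment markers in the input remain data, not SQL."""
    rows = con.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, ""))
    print("vulnerable, right creds :", vulnerable_login(db, "jesin", "pwd"))
    print("vulnerable, payload     :", vulnerable_login(db, PAYLOAD, ""))
    print("parameterized, payload  :", safe_login(db, PAYLOAD, ""))
```

Running it prints the injected statement, then True for the real credentials, True for the payload against the string-built query, and False for the payload against the parameterized one. The parameterized query removes the injection; the plain-text password column is a separate weakness that this tutorial leaves as it is.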

10.3.1. Setting Up Rules

To make your life easier, a large set of ready-made rules, the OWASP ModSecurity Core Rule Set (CRS), is packaged for use with mod_security.
  1. Install the Core Rule Set package:
    $ yum -y install mod_security_crs
  2. Activate only the SQL injection rules. The package places its rules under activated_rules/; copy the SQL injection rule file (modsecurity_crs_41_sql_injection_attacks.conf in CRS 2.x) one level up into modsecurity.d and remove the rest, so that only it is loaded (check that mod_security.conf includes modsecurity.d/*.conf):
    $ cd /etc/httpd/modsecurity.d
    $ cp activated_rules/modsecurity_41* ./
    $ cp activated_rules/modsecurity_crs_41_s* ./
    $ \rm activated_rules/*
  3. Restart the web server (on systemd-based releases, systemctl restart httpd):
    $ service httpd restart
  4. Now open the login page we created earlier and try the SQL injection query on the username field again. With the rules active the request should no longer reach the script; check /var/log/httpd/error_log (and the ModSecurity audit log, modsec_audit.log in the same directory under Fedora's default mod_security.conf) for the rule that fired.
    http://192.168.56.XYZ/login.php
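A single hand-written rule file, added here as an example that is neither part of the page nor of the Core Rule Set, for confirming that ModSecurity is in blocking mode and inspects the POST body before you rely on the CRS to do it. The file name, rule id and message are assumptions; the pattern matches the tutorial's payload in either form field.

```apache
# Added example, not part of the page or of the Core Rule Set.
# Hypothetical file: /etc/httpd/modsecurity.d/local_sqli_test.conf

# Blocking mode. DetectionOnly would log the hit but still let the
# injected login through to login.php.
SecRuleEngine On

# The login form is a POST, so the request body must be read for
# ARGS:username and ARGS:password to be populated in phase 2.
SecRequestBodyAccess On

# Deny the tutorial payload: a quote, OR, and the SQL comment marker in
# either form field. Id 90001 lies in the 1-99999 range reserved for
# local rules, so it cannot collide with CRS ids.
SecRule ARGS:username|ARGS:password "@rx (?i)'\s*or\s+.*--" \
    "id:90001,phase:2,deny,status:403,log,msg:'Local SQLi test rule'"

# Check after restarting httpd (constructed request, same payload as the page):
#   curl -i --data-urlencode "username=' or true -- " \
#        --data "password=&login=Login" http://192.168.56.XYZ/login.php
# A 403 response with rule id 90001 in error_log means bodies are inspected.
```

Remove the file once the CRS rules are confirmed to block the same request, so that the local rule does not mask a misconfigured rule set.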