MySQL and PHP Integration Lab - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki
Check that httpd and mariadb are running:
systemctl status httpd
systemctl status mariadb
Connect to the mysql configuration and make sure the pets database is present:
mysql -u root -p
mysql> SHOW DATABASES;
Create a new MySQL user that Apache/PHP will use to access the DB and then show the users:
CREATE USER 'apache_php'@'localhost' IDENTIFIED BY 'password';
SELECT User, Host FROM mysql.user;
Give the new user privileges:
GRANT ALL PRIVILEGES ON pets.* To 'apache_php'@'localhost' IDENTIFIED BY 'password';
Exit MySQL - and then log back in as your new user to verify the account works and can access the pets database:
mysql -u apache_php -p
mysql> SHOW DATABASES;
For this challenge, you will create an html form to look up a cat's birthday from the 'pets' database. To do this, you can create two files in your /var/www/html directory:
- birthday.html: this file has the form that users can browse to and enter a cat's name
- birthday.php: the php script that the birthday.html form calls and performs a query in the mysql database
birthday.html:
<html>
<body>
<form action="birthday.php" method="post">
Look up your cat's birthday! Silly bois </br>
Cat's Name: <input type="text" name="name" id="name"></br>
<input type="Submit">
</form>
</body>
</html>
birthday.php:
<?php
$username="apache_php";
$password="password";
$database="pets";
$name=$_POST['name'];
$mysqli=new mysqli('localhost', $username, $password, $database);
$query="SELECT * FROM cats WHERE name='".$name."'";
$result=$mysqli->query($query) or die($mysqli->error.__LINE__);
if ($result->num_rows > 0) {
while($row=$result->fetch_assoc()) {
echo $row['name']."'s birthday is ".$row['birth']."</br>";
}
}
else {
echo 'NO RESULTS';
}
?>
Go to a browser on your network and check it out!
It is easiest to modify the birthday page/script for this challenge so make copies of birthday.html and birthday.php as owner.html and owner.php
Modify owner.html so that the form asks for owner's last name and then calls owner.php
- in addition to the text changes, update name="name" to name="owner" for the input box.
<html>
<body>
<form action="owner.php" method="post">
Look up your cat's birthday! Type in your name as the owner. </br>
Owner's name: <input type="text" name="owner" id="name"></br>
<input type="Submit">
</form>
</body>
</html>
Modify owner.php so it looks up and displays the cat record for that owner.
- The POST parameter is now called "owner"
- Update the echo line to have the different fields from the database display for the cat's record.
- "" adds a line break if you want them on different lines.
<?php
$username="apache_php";
$password="password";
$database="pets";
$name=$_POST['owner'];
$mysqli=new mysqli('localhost', $username, $password, $database);
$query="SELECT * FROM cats WHERE owner='".$name."'";
$result=$mysqli->query($query) or die($mysqli->error.__LINE__);
if ($result->num_rows > 0) {
while($row=$result->fetch_assoc()) {
echo $row['name']."'s birthday is ".$row['birth']."</br>";
echo $row['name']."'s owner is ".$row['owner']."</br>";
}
}
else {
echo 'NO RESULTS';
}
?>
The forms and scripts we have created are vulnerable to SQL injection! The challenge is to see if you can display all cat's birthdays (birthdate form) and/or records (owner form) using SQL injection.
<?php
$username="apache_php";
$password="password";
$database="pets";
$name=$_POST['owner'];
$mysqli=new mysqli('localhost', $username, $password, $database);
$query="SELECT * FROM cats WHERE owner='".$name."' OR 1=1"; //This is the big change here.
$result=$mysqli->query($query) or die($mysqli->error.__LINE__);
if ($result->num_rows > 0) {
while($row=$result->fetch_assoc()) {
echo $row['name']."'s birthday is ".$row['birth']."</br>";
echo $row['name']."'s owner is ".$row['owner']."</br>";
}
}
else {
echo 'NO RESULTS';
}
?>
- With that OR 1=1 line, now any input will show all records
Instead, let's revert back to the original code and input this vulnerability:
'OR '1'='1
