Forum Thread: SQL Injection with 2 Parameters in LAN

I use cable broadband and my ISP uses a captive portal to authenticate users. I was just examining the login page and saw that it uses a PHP file to verify the user,

like /user_check.php?user_id=id&pass=pass . I tried to access this PHP file directly by providing my id and pass manually, and the result was:

id=694 pass=1234
result:-
"SELECT * FROM login_master WHERE login_id = '694'pass -12341"

I tried using SQL injection here but it doesn't seem to work. The pass is always appended with a '-' sign and ends with 1.

I know it is an Apache web server, the database is MySQL and the OS is CentOS.

How should I proceed next?

Thanks in advance.

5 Responses

Please be advised that this could already be considered to be an attack and could get you in trouble.
Of course this depends on the country that you are in.

Always ensure that you are safe by e.g. routing your requests through TOR, a VPN or something similar.

Two options:
He either connects to the portal on his local box... in this case he should be fine.

The other option is that he connects to the portal OUTSIDE of this LAN... in this case this would be a risky attack. He is just automatically redirected to the portal which is accessible through the internet.

"Not connected to the internet" would only be the case if he could still access the portal even if the box is only connected to his laptop and not at all to the outside world. This would also mean that he chose the credentials for the 'portal' himself and the authentication happens locally on this box. I seriously doubt that.

Hello BOB,

Thanks for the warning but don't worry. The portal is not accessible through the internet. The ISP provides a cat5 cable upto my house so that I can access the LAN. The portal is locally stored in the gateway and is served to clients whenever someone wishes to connect to the internet.

That being said, the coding for the portal seems too shabby and flawed. They are using some "Smartguard" from XSinfosol. Last night I found out that I can change the password of any user just by knowing the user id.
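Two weaknesses surface in this thread: the quoted query builds its SQL text by pasting the user id and password straight into the string, and the follow-up post reports that a password can be changed knowing only a user id. The example below is added here as a defender's illustration and is not code from the thread or from the XSinfosol product; it uses an in-memory SQLite table named after the `login_master` table and the `login_id` / `pass` columns visible in the quoted query (any further schema is an assumption), contrasts the string-concatenated query with a parameterized one, and shows a password-change routine bound to the authenticated session rather than to a caller-supplied id. Passwords are stored in the clear only to keep the illustration short; a real portal would store a salted hash.

```python
import sqlite3


def make_db():
    """Constructed sample data: a stand-in for the portal's login_master table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE login_master (login_id TEXT PRIMARY KEY, pass TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO login_master VALUES (?, ?)",
        [("694", "1234"), ("695", "s3cret")],
    )
    conn.commit()
    return conn


def check_login_concat(conn, user_id, password):
    """Query built the way the thread's quoted string suggests: user input is
    spliced into the SQL text. Returns True/False on a clean match, or None when
    the input broke the statement (e.g. a quote in the password), which is the
    symptom that signals injectable string building."""
    sql = (
        "SELECT * FROM login_master WHERE login_id = '%s' AND pass = '%s'"
        % (user_id, password)
    )
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.OperationalError:
        return None


def check_login_param(conn, user_id, password):
    """Hardened form: the SQL text is constant and the values travel as bound
    parameters, so quote characters in the input are only ever data."""
    sql = "SELECT 1 FROM login_master WHERE login_id = ? AND pass = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None


def change_password(conn, session_user, current_password, new_password):
    """Password change tied to the authenticated session: the row updated is the
    session's own user and the current password must verify first, so knowing
    another account's user id gives no way to overwrite its password."""
    if not check_login_param(conn, session_user, current_password):
        return False
    conn.execute(
        "UPDATE login_master SET pass = ? WHERE login_id = ?",
        (new_password, session_user),
    )
    conn.commit()
    return True


if __name__ == "__main__":
    db = make_db()
    # A password containing an apostrophe (constructed input) is enough to show
    # the difference: the concatenated query fails, the parameterized one simply
    # reports no match.
    print("concat   :", check_login_concat(db, "694", "O'Brien"))
    print("param    :", check_login_param(db, "694", "O'Brien"))
    print("change ok:", change_password(db, "694", "1234", "new-pass"))
    print("change no:", change_password(db, "695", "guess", "hijacked"))
```

The useful check for an operator reviewing such a portal is the first one: if a legitimate password containing a single quote produces a database error instead of a clean "no match", the login path is building SQL from strings and needs the parameterized form. The `change_password` routine shows the second fix: authorization comes from the session, never from an id the client supplies.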

Hi,

I believe this is not an SQLi Inj. vulnerability and more of an SQL Dump in the websites server, which would get you nowhere.

Regards,

R00T

Agree With R&J
