Posted by Dikkie Dik on 12/17/05 14:01
I hate to disappoint you, but the address:
' OR 1=1 LIMIT 1;-- haha@haha.com
IS a valid e-mail address. I tried it. Replaced haha.com with my own
subdomain and I had absolutely no problem sending and receiving a
message to that address.
But your e-mail validation will probably filter it out. If it doesn't, it
gets part of your SQL statement, which then reads:
SELECT * FROM cms_users WHERE cms_user_email = '' OR 1=1 LIMIT 1;--
haha@haha.com' AND cms_user_passwd = ''
Which just returns the first user from the table without any error
messages. (cms_user_email = '' OR 1=1 is always TRUE and -- is a start
of a comment and switches the rest off for parsing. I added the LIMIT
clause to return exactly one record. From your code, I think you may
have a problem when a user registers twice, as there will be 2 records
found with his address)
When I think about it, I could probably better use the password for
that. And I don't even have to know the database structure, as I will
make the site simply tell me. First try:
User: john@someplace.com
Password: 'BigUglyError
(Notice the single quote.) If you don't filter out illegal passwords as
well, your page now "dies" with a detailed error message containing the
table names and the full WHERE clause.
Now I can try a password like:
' UNION SELECT * FROM cms_users LIMIT 1--
which basically does the same.
Angelos Devletoglou wrote:
> Dikkie Dik wrote:
>
>> Just one thing. Look at what happens if the user types his email as:
>> ' OR 1=1 LIMIT 1;-- haha@haha.com
>>
>> I hope you use some addslashes function before passing it to the
>> database.
>
>
> I do not understand what you mean by that.. What exactly if he types ?
> I don't use any addslashes, the only thing I do is I check if the e-mail
> that the user enters is valid (valid syntax
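The two lookups discussed in this thread, as an added example that is not code from either poster: the concatenated query beside a parameterised one, run against a constructed in-memory SQLite table that borrows the column names from the post (the sample accounts and the function names are made up for the demonstration).

```python
import sqlite3

# Constructed sample accounts (not from the thread).
SAMPLE_USERS = [
    ("john@someplace.com", "correct horse"),
    ("mary@someplace.com", "battery staple"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cms_users (cms_user_email TEXT, cms_user_passwd TEXT)")
    conn.executemany("INSERT INTO cms_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, email, passwd):
    """Builds the SQL text by string concatenation, as in the thread:
    whatever the user typed becomes part of the statement."""
    sql = ("SELECT cms_user_email FROM cms_users WHERE cms_user_email = '"
           + email + "' AND cms_user_passwd = '" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, email, passwd):
    """Parameterised query: values travel separately from the SQL text,
    so quotes, comments and keywords in the input stay plain data."""
    row = conn.execute(
        "SELECT cms_user_email FROM cms_users "
        "WHERE cms_user_email = ? AND cms_user_passwd = ?",
        (email, passwd),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    injected_email = "' OR 1=1 LIMIT 1;-- haha@haha.com"  # the address from the post
    results = {
        "vulnerable_email_inject": login_vulnerable(conn, injected_email, ""),
        "safe_email_inject": login_safe(conn, injected_email, ""),
        "safe_bad_quote": login_safe(conn, "john@someplace.com", "'BigUglyError"),
        "vulnerable_bad_quote": None,
    }
    try:
        login_vulnerable(conn, "john@someplace.com", "'BigUglyError")
    except sqlite3.OperationalError as exc:
        # Shown to the browser, this text reveals the query structure.
        results["vulnerable_bad_quote"] = "error: " + str(exc)
    return results
```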