Secure Web Panel From SQL Injection

August 5, 2017


Hello, everyone, it's Zubair Ansari from Pak Cyber kullz. As you may know, "how to hack a website by bypassing the admin page" is a commonly searched phrase on Google. There are many methods for bypassing admin pages, but I will not discuss them here. I want to cover only the defensive side: a method to secure an admin login page against a SQL injection bypass with a small change to the code that handles the login.

If you have read about web application security, you know there is a common way of bypassing an admin login with a crafted string, such as ' or ''=' or ' or 1=1 limit 1 -- -+ .

Entering one of these strings in both fields can give admin access when the application splices the values straight into its SQL:

Username: ' or 1=1 limit 1 -- -+
Password: ' or 1=1 limit 1 -- -+
First we have to find the script that receives the posted username and password.
The easy way: open admin/index.php and note which PHP page the login form posts to.

The form tag will look like: <form method="POST" action="login_check.php" name="form" >

login_check.php (the name may differ on your site) is the script that receives the posted credentials.

Now open login_check.php and find where the username and password are read from the request. The lines will look like:

$username=$_POST['username'];
$password=$_POST['password'];

Now it is simple to wrap those two values where they are read.

For the username: mysql_real_escape_string(htmlspecialchars(
For the password: mysql_real_escape_string(htmlspecialchars(md5(


After the change, the two lines read:

$username = mysql_real_escape_string(htmlspecialchars($_POST['username']));
$password = mysql_real_escape_string(htmlspecialchars(md5($_POST['password'])));


After this change the bypass strings no longer match any row, and the page shows your normal login failure message, for example:

Error: Please enter correct detail!  (the wording is your own)

A few caveats before relying on this. mysql_real_escape_string() needs an open connection from the old mysql extension, which was deprecated in PHP 5.5 and removed in PHP 7.0; on a current PHP it does not exist, and the equivalent is mysqli_real_escape_string($link, ...). Escaping only protects values placed inside quoted string literals in the query; a value used as a number, an identifier or in LIMIT is not covered. htmlspecialchars() is an HTML output-encoding function, not a SQL defence: with its default flags on PHP before 8.1 it does not even alter a single quote, and it mangles legitimate input such as O'Brien. For the password field the md5() call alone already neutralises the injection, since its output is only hexadecimal digits. The robust fix is a prepared statement with bound parameters, which keeps the data out of the SQL text entirely and makes the escaping step unnecessary. Finally, md5() is not a suitable password hash; use password_hash() and password_verify().
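For completeness, here is what the whole of login_check.php looks like when the procedure above is carried out with a prepared statement instead of escaping. This is an added example, not the original author's code: the table name admins, the columns username and password_hash, the DSN, the database credentials and the post-login page dashboard.php are all assumptions, and the vulnerable query shown in the comment is the typical pattern the bypass strings exploit, not a query taken from the page.

```php
<?php
// login_check.php, hardened version. Added example, not the original author's code.
// Assumed schema (not from the original page): table `admins` with columns
// `username` VARCHAR and `password_hash` VARCHAR(255) holding password_hash() output.
// The DSN, database user and password below are placeholders.
declare(strict_types=1);

session_start();

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=site;charset=utf8mb4',
    'site_user',
    'change-me',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data never enters the SQL text
    ]
);

$username = (string) ($_POST['username'] ?? '');
$password = (string) ($_POST['password'] ?? '');

// Typical vulnerable form that the bypass strings exploit (illustration only; do not use):
//   $sql = "SELECT * FROM admins WHERE username='$username' AND password='" . md5($password) . "'";
// With username = ' or 1=1 limit 1 -- -+ the quote closes the literal, OR 1=1 makes the
// WHERE clause always true, and -- comments out the rest, so the first row is returned.

// Hardened form: the username is bound as a parameter. The driver sends it as data,
// so ' or 1=1 limit 1 -- -+ is looked up literally as a username and matches nothing.
$stmt = $pdo->prepare('SELECT username, password_hash FROM admins WHERE username = ? LIMIT 1');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Verify the password against the stored salted hash created with password_hash(),
// instead of comparing an md5() of the input inside the SQL query.
if ($row === false || !password_verify($password, $row['password_hash'])) {
    http_response_code(401);
    echo 'Error: Please enter correct detail!';
    exit;
}

// Successful login: rotate the session id so a pre-set (fixated) session id is not kept.
session_regenerate_id(true);
$_SESSION['admin_user'] = $row['username'];
header('Location: dashboard.php'); // assumed post-login page
exit;
```

The stored hashes are created once with password_hash($plain, PASSWORD_DEFAULT) when the admin account is set up. htmlspecialchars() still has a place, but at output time, when the username is echoed back into an HTML page, not on the way into the database.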

 

Proof of concept and the complete video tutorial are below.

Thank you for reading, and I'm sorry for my bad English.
