Hello, everyone, it's Zubair Ansari from Pak Cyber kullz. As you might know, "How to hack a website by bypassing the admin page" is a commonly searched sentence in Google. There are a lot of methods on how to bypass admin pages, but I will not discuss them now. I want to provide just security now. I have a method to secure admin page and protect it from bypassing (via SQL Injection) a website by using a little query.If you really want to read about web application security, you know there is a common method of bypassing admin page (using a string) like st_1:'or' '=' st_2:' or 1=1 limit 1 -- -+ .
We can get admin access by using these strings.Username:|' or 1=1 limit 1 -- -+ |Password:|' or 1=1 limit 1 -- -+ |We have to find post data directory of username and password.
The easy method is to find post data dir: Goto admin/index.php and note which PHP page you used to post admin data.Query of form will as: <form method="POST" action="login_check.php" name="form" >Login_check.php (Might be changed on your own) is form of posting user data.Now we have to go login_check.php to find dir of user data like username and password.Query will as :$username=$_POST['username'];$password=$_POST['password'];Now it's simple to add little query at post data dir.Quer is : mysql_real_escape_string(htmlspecialchars( ----(For username)mysql_real_escape_string(htmlspecialchars(md5( ----(For password)After adding query to data dir script will as :$username = mysql_real_escape_string(htmlspecialchars($_POST['username']));$password = mysql_real_escape_string(htmlspecialchars(md5($_POST['password'])));After adding this little query admin page can't bypass. Page will give you an error message.Error: Please enter correct detail! (Might Be Your's Own)
Prove of concept and complete video tutorial, below.Thank you for reading, and I'm sorry for bad English.