Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
December 10, 2019
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 225
Members: 0
Total: 225
PacketStorm News
Currently there is a problem with headlines from this site
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other security holes -> The end of CSS and SQL Injection in forums?
Post new topic  Reply to topic View previous topic :: View next topic 
The end of CSS and SQL Injection in forums?
PostPosted: Fri Apr 29, 2005 9:42 am Reply with quote
balafou
Beginner
Beginner
 
Joined: Apr 29, 2005
Posts: 2




I've been using SQL injections and cross-site-scripting methods to obtain md5 hashes in IPB, PHPBB and VBulletin forums for quite a long and i was able to crack 80% of those hashes successfully. Until now.]

Today i prepared a script to get a bunch of MD5's (well, i thought) in an IPB forum and while testing it on me (using my cookie) i noticed that the MD5 hash didn't look like the one i remembered my password giving. I started searching in the net and....

Things seem to have been hardened now. IPB forums use randomly salted MD5 hashes, and others will follow very soon i think.

Invision Power Board stores the password in the "ibf_members_converge" table in the following format:

converge_pass_hash = md5( md5( converge_pass_salt ) . md5( plain_text_password ) );

The password salt (converge_pass_salt) is a random 5 character string generated from the "ips_kernel/class_converge.php" module. It can include any character except the backslash character.



Is this the end of CSS and SQL Injection in forums?
View user's profile Send private message
PostPosted: Tue May 03, 2005 8:10 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




In many cases you do not have to know whats in the hash, its
enought you have it, and you can pretend to be someone else.
sql injection is more wider subject since there might be vulnearabilities in sql server itself, and there might be other valuable data in database other than password hashes. xss has also much wider use range than simple cookie stealing , user might be tricked into doing something, like, deleting user, or grant administrator privileges if GET is used, or buy something or even attack another site.. with careful research and planning, many possibilities.

i don't know about particular software you are talking about but, i think methods themselves are not subject to get lost in near time.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Wed May 04, 2005 4:59 am Reply with quote
y3dips
Valuable expert
Valuable expert
 
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




ive allready get md5 hash from ibf_members > legacy_password
n the hash is work fine, coz with rainbow i could crack it

i dont know about the version , but i tell you it was from a big forum Smile

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Jun 12, 2005 9:49 am Reply with quote
unnamed
Beginner
Beginner
 
Joined: Jun 12, 2005
Posts: 1




can any1 see if they can crack this password(its from the members converge on invision):

converge_pass_hash converge_pass_salt
c60c3941ba6d338d044b0f9675bd048a a6`HK
View user's profile Send private message
PostPosted: Sun Jun 12, 2005 10:52 am Reply with quote
Shadow
Regular user
Regular user
 
Joined: Aug 08, 2004
Posts: 7
Location: Where dingos eat babies




I dont think xss or sql injection exploits will stop. They will just evolve as the software does. Just think how many ppl mod their cms or forum many of whom no not what they doing there by opening new exploits. There are alot of smart ppl out there someone will find a way around it be it crack it or use it. Exploits wont stop as long as their are sloppy programmers or lazy ppl that dont update i call them install and forget ppl. eg: I just found a site still running php-nuke 7.2 unpatched + they have 5 sub domains using the same ver. I have emailed them twice with their admin passes and it still remains unpatched 2 months later! I think I might change their site so they get the messege maybe publicly display their passes on the index page.

I think this 1 liner is due here
Quote:

"If debugging is the process of removing bugs, then programming must be the process of putting them in."


Thats my 2 cents


Just a add on:
If its randomly salted how does the database know were or what to add to the pass. So it cant be that random? Mind you I havent looked up on it much. Anyone got any decent links to salting md5 hashes?

_________________
My software never has bugs. It just develops random features.
View user's profile Send private message
PostPosted: Mon Jun 13, 2005 12:30 pm Reply with quote
Heintz
Valuable expert
Valuable expert
 
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




i think the problem relies in "non-trained" people coding/practising and just not being aware about sql injections or other abusive ways to make use of the script, while thei're making their softwares v 1.0, and later are just too lazy to rewrite the whole code with good design and improved skills.

anyways "randomly salted" means that the salt *is* random. the salt is stored with the hash, so there is no need to make a salt from the password itself. salt is readed and concenated with password, before the digesting is done.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
md5
PostPosted: Sun Jun 26, 2005 11:36 am Reply with quote
helloworld
Beginner
Beginner
 
Joined: Jun 26, 2005
Posts: 1




I have a md5-hashes, but I can't decipher.

4B3DD5CF0F25CC1F9D0E81B82DE53EAD
000706FD8817D156C426D1DB428338C2

Help me please and send result on localhost127@fastmail.fm . Thankful in advance.
View user's profile Send private message
The end of CSS and SQL Injection in forums?
  www.waraxe.us Forum Index -> All other security holes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Book Opinions
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"
Page Generation: 0.085 Seconds