-
October 30th, 2008, 08:42 AM
#11
Posting a username like
a' OR 1=1;
short-circuits the whole deal... The SQL statement will become:
SELECT r34ln4m3 FROM 1nside0ut WHERE
md5(l0gn4m3)='a' OR 1=1; AND entryw41='$passwd';
If he'd done something like:
$username = md5($_POST["username"]);
$passwd = md5($_POST["passwd"]);
$md5_un = calc_md5($username);
$md5_pw = calc_md5($passwd);
$query = "SELECT r34ln4m3 FROM 1nside0ut WHERE
l0gn4m3='$md5_un' AND entryw41='$md5_pw'";
That would have protected him... Unfortunately the guy's rather clueless..
Last edited by SirDice; October 30th, 2008 at 08:49 AM.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
October 30th, 2008, 03:13 PM
#12
Got it! Thanks, that's what I was missing. Now I see how it breaks it.
I did a quick Google of calc_md5; nothing really official comes up. Is it built in? I see a PHP function named that which someone wrote, but I am not familiar with it.
Thanks
Last edited by Slartarama; October 30th, 2008 at 03:19 PM.
Reason: Spelling, again
-
October 30th, 2008, 04:59 PM
#13
No, it's just something I used as an example. The idea is that it's a function that can read an arbitrary string and return its MD5 hash.
-
October 31st, 2008, 06:44 AM
#14
Yeah, before everyone assumes it's the database md5 function, see the original article using md5() before sending to the db:
Code:
<?php
$username = md5($_POST["username"]);
$passwd = md5($_POST["passwd"]);
$handle = mysql_connect("user", "pass", "mySQLHost");
mysql_select_db("yourdb");
$query = "SELECT r34ln4m3 FROM 1nside0ut WHERE
md5(l0gn4m3)='$username' AND entryw41='$passwd'";
$result = mysql_query($query, $handle);
if (mysql_num_rows($result) != 0) {
//mark as valid user
header("Location: private.php");
exit;
}
//if the code reaches this part then the login failed
//wrong username/password
header("Location: public.php");
?>
As for the rest of the code... ack.... but whatever.
-
October 31st, 2008, 11:59 AM
#15
Another mistake in the code is the fact that he doesn't check how many results he got.
Besides checking for no results (incorrect username/password), you obviously can only have ONE unique username too.
Therefore the query should result in ONE (!) row; anything more and something's fishy.
Last edited by SirDice; October 31st, 2008 at 12:02 PM.
-
November 2nd, 2008, 07:26 AM
#16
Junior Member
omg... there has been so much debate/arguing since I wrote this script... for what, for nothing...
@SirDice: yes, I'm clueless concerning the fact that so many people keep saying that the script is vulnerable... although, as the PoC code that it is, nobody can prove that...
I mean, the entire input is md5ed; here, let me compress the entire script into one single line, assuming that when you (and everybody else) see the entire line you will argue no more about its effectiveness (no other word came to mind).
Code:
$result = mysql_query(
"SELECT r34ln4m3 FROM 1nside0ut WHERE md5(l0gn4m3)='"
.md5($_POST['username']).
"' AND entryw41='"
.md5($_POST['password']). "'",
$handle
);
OK, so there is more than one line, but I compacted the code so that it would be easier to understand (don't know why people won't understand the original code)...
Now, for those of you who want to see the working "internals":
a' OR 1=1; = 6ec741675c969f8c9a355f144c7b0c47
If you can conceive this result, then you realize that the query won't be
Code:
SELECT r34ln4m3 FROM 1nside0ut WHERE
md5(l0gn4m3)='a' OR 1=1; AND entryw41='$passwd';
but instead it will be
Code:
SELECT r34ln4m3 FROM 1nside0ut WHERE
md5(l0gn4m3)='6ec741675c969f8c9a355f144c7b0c47' AND entryw41='d41d8cd98f00b204e9800998ecf8427e'
An empty password will generate the above password hash...
Hope that now everybody's got the picture...
By the way, SQL injections don't end with ;... you either use # or /*...
Cheers
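As an added example (not code from the thread or from the original article), here are the two query shapes argued over in posts #11 and #16, run against an in-memory SQLite table with constructed sample rows and hypothetical names (`users`, `realname`, `loginname`, `pwhash`). `raw_query` splices the username into the SQL text unhashed, the way post #11 reads the script; `hashed_query` does what the posted script actually does and md5s both POST values first, so the only thing that can reach the SQL text is 32 hex characters. The payload uses the `--` comment form rather than the thread's trailing `;`, because SQLite refuses a statement that has more text after the `;` and does not know the `#` comment.

```python
import hashlib
import sqlite3

# Constructed payload: closes the quoted literal, adds an always-true
# condition, and comments out the rest of the WHERE clause.
PAYLOAD = "a' OR 1=1 -- "


def md5_hex(value):
    """Hex MD5 digest, the same thing PHP's md5() returns: 32 chars from [0-9a-f]."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory stand-in for the thread's table (hypothetical names)."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the original query shape runs unchanged.
    conn.create_function("md5", 1, md5_hex)
    conn.execute("CREATE TABLE users (realname TEXT, loginname TEXT, pwhash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Alice Example", "alice", md5_hex("correct horse")),
         ("Bob Example", "bob", md5_hex("hunter2"))],
    )
    return conn


def raw_query(username, password):
    """The query as read in post #11: the username lands in the SQL text unhashed."""
    return ("SELECT realname FROM users WHERE loginname='%s' AND pwhash='%s'"
            % (username, md5_hex(password)))


def hashed_query(username, password):
    """The query the posted script actually builds: both values are md5'd first."""
    return ("SELECT realname FROM users WHERE md5(loginname)='%s' AND pwhash='%s'"
            % (md5_hex(username), md5_hex(password)))


def run(conn, sql):
    """Execute one statement and return the matched real names, sorted."""
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    db = make_db()
    for build in (raw_query, hashed_query):
        sql = build(PAYLOAD, "whatever")
        print(sql)
        print("  ->", run(db, sql))
```

Running it prints the raw statement `... WHERE loginname='a' OR 1=1 -- ' AND pwhash='...'` matching every user, and the hashed statement matching nobody: the hex digest of the payload contains no quote, so the literal is never closed early.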
-
November 2nd, 2008, 11:53 AM
#17
Originally Posted by just_visiting
Code:
$result = mysql_query(
"SELECT r34ln4m3 FROM 1nside0ut WHERE md5(l0gn4m3)='"
.md5($_POST['username']).
"' AND entryw41='"
.md5($_POST['password']). "'",
$handle
);
This is secure, and I hadn't looked closely enough at your original source. It does protect you from SQL injection. The only snag I see now is that this query is a rather big load on the SQL server, especially if the table is large, as for each entry in the table it would need to calculate MD5 hashes. So you're better off storing the usernames/passwords as MD5 hashes instead of calculating them on the fly.
A much simpler approach is to use placeholders, prepare and execute.
Code:
$query = "SELECT * FROM 1nside0ut WHERE l0gn4m3=? AND entryw41=?";
$sth = $dbh->prepare($query);
$sth->execute(array($username, $password)); // PDO binds the values; they never enter the SQL text
Also, don't forget to check if you get more than 1 (one) row.
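The hardened version post #17 arrives at, as an added example that is neither SirDice's nor just_visiting's code: bound parameters instead of string building, the md5 stored in the table so the comparison is a plain equality rather than md5() over every row, and the exactly-one-row check from post #15. It runs on an in-memory SQLite table with constructed rows and hypothetical names (`users`, `realname`, `loginname`, `pwhash`); a duplicate loginname is inserted on purpose to show the ambiguous case.

```python
import hashlib
import sqlite3


def md5_hex(value):
    """Hex MD5 digest, as PHP's md5() returns it."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def make_db():
    """Constructed in-memory table (hypothetical names) with the hashes stored.

    The third row deliberately reuses Bob's loginname and password so the
    row-count check below has something to catch."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (realname TEXT, loginname TEXT, pwhash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Alice Example", "alice", md5_hex("correct horse")),
         ("Bob Example", "bob", md5_hex("hunter2")),
         ("Bob Impostor", "bob", md5_hex("hunter2"))],
    )
    return conn


def login(conn, username, password):
    """Return ("ok", realname), ("denied", None) or ("ambiguous", None).

    The values travel as bound parameters, so the SQL text never contains user
    input; the stored hash is compared directly, so no md5() runs per row; and
    exactly one row is required, anything else is treated as a failed login."""
    rows = conn.execute(
        "SELECT realname FROM users WHERE loginname = ? AND pwhash = ?",
        (username, md5_hex(password)),
    ).fetchall()
    if len(rows) == 0:
        return ("denied", None)
    if len(rows) > 1:
        # Two rows for one username means the data is inconsistent: never grant access.
        return ("ambiguous", None)
    return ("ok", rows[0][0])


if __name__ == "__main__":
    db = make_db()
    for user, pw in (("alice", "correct horse"), ("alice", "wrong"),
                     ("a' OR 1=1 -- ", "anything"), ("bob", "hunter2")):
        print(repr(user), "->", login(db, user, pw))
```

The duplicate should also be impossible at the schema level (a UNIQUE index on loginname), which is what lets the `loginname = ?` equality use an index; the runtime check is defence in depth against that constraint being missing. MD5 settles the injection argument in this thread, but it is not a password hash, so the stored value should come from a real password-hashing function.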
-
November 7th, 2008, 04:48 AM
#18
Junior Member
It is true to say. Support you.
-
November 7th, 2008, 09:44 AM
#19
Originally Posted by just_visiting
by the way, sql injection don't end with ; ... you either user # or /*...
Didn't see this one up until now. A ; indicates the end of a query in MySQL. It doesn't really matter if what comes after it is syntactically correct or not; it'll still process the first query (before the ;). You'd use remarks to cull any syntax errors, but since they don't matter anyway, why bother?