
Thread: MD5 Securing SQL Injections

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Posting a username like

    a' OR 1=1;

    Short circuits the whole deal... The SQL statement will become:

    SELECT r34ln4m3 FROM 1nside0ut WHERE
    md5(l0gn4m3)='a' OR 1=1; AND entryw41='$passwd';

    If he'd done something like:

    $username = md5($_POST["username"]);
    $passwd = md5($_POST["passwd"]);

    $md5_un = calc_md5($username);
    $md5_pw = calc_md5($passwd);

    $query = "SELECT r34ln4m3 FROM 1nside0ut WHERE
    l0gn4m3='$md5_un' AND entryw41='$md5_pw'";

    That would have protected him... Unfortunately the guy's rather clueless..
    Last edited by SirDice; October 30th, 2008 at 08:49 AM.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    Member Slartarama's Avatar
    Join Date
    May 2008
    Location
    Pacific Northwest
    Posts
    53
    Got it! Thanks, that's what I was missing. Now I see how it breaks it.

    I did a quick Google of calc_md5; nothing really official comes up. Is it built in? I see a PHP function by that name that someone wrote, but I am not familiar with it.

    thanks
    Last edited by Slartarama; October 30th, 2008 at 03:19 PM. Reason: Spelling, again

  3. #13
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    No, it's just something I used as an example. The idea is that it's a function that can read an arbitrary string and return its MD5 hash.

  4. #14
    Member d34dl0k1's Avatar
    Join Date
    Mar 2007
    Posts
    58
    Yeah, before everyone assumes it's the database md5 function, see the original article using md5() before sending to the db:

    Code:
    <?php

    $username = md5($_POST["username"]);
    $passwd = md5($_POST["passwd"]);

    $handle = mysql_connect("user", "pass", "mySQLHost");
    mysql_select_db("yourdb");
    $query = "SELECT r34ln4m3 FROM 1nside0ut WHERE
          md5(l0gn4m3)='$username' AND entryw41='$passwd'";

    $result = mysql_query($query, $handle);

    if (mysql_num_rows($result) != 0) {
          //mark as valid user
          header("Location: private.php");
          exit;
    }

    //if the code reaches this part then the login failed
    //wrong username/password

    header("Location: public.php");

    ?>
    As for the rest of the code... ack.... but whatever.

  5. #15
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Another mistake in the code is the fact that he doesn't check how many results he got.
    Besides checking for no results (incorrect username/password), you obviously can only have ONE unique username too.

    Therefore the query should result in ONE (!) row; anything more and something's fishy.
    Last edited by SirDice; October 31st, 2008 at 12:02 PM.

  6. #16
    Junior Member
    Join Date
    Nov 2008
    Posts
    1
    omg... there has been so much debate/arguing since I wrote this script... for what, for nothing...

    @SirDice: yes I'm clueless concerning the fact that so many people keep saying that the script is vulnerable... although as the PoC code that it is, nobody can prove that...

    I mean, the entire input is md5ed; here let me compress the entire script into one single line, assuming that when you (and everybody else) see the entire line you will argue no more on its effectiveness (no other word came to mind).

    Code:
    $result = mysql_query(
        "SELECT r34ln4m3 FROM 1nside0ut WHERE md5(l0gn4m3)='"
        .md5($_POST['username']).
        "' AND entryw41='"
        .md5($_POST['password']). "'",

        $handle
    );
    OK, so it's more than one line, but I compacted the code so that it would be easier to understand (I don't know why people won't understand the original code)...

    Now, for those of you who want to see the working "internals":

    a' OR 1=1; = 6ec741675c969f8c9a355f144c7b0c47

    if you can conceive this result, then you realize that the query won't be
    Code:
    SELECT r34ln4m3 FROM 1nside0ut WHERE
    md5(l0gn4m3)='a' OR 1=1; AND entryw41='$passwd';
    but instead it will be

    Code:
    SELECT r34ln4m3 FROM 1nside0ut WHERE
    md5(l0gn4m3)='6ec741675c969f8c9a355f144c7b0c47' AND entryw41='d41d8cd98f00b204e9800998ecf8427e'
    an empty password will generate the above password hash...

    hope that now everybody's got the picture...

    by the way, SQL injections don't end with ;... you either use # or /*...

    cheers

  7. #17
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by just_visiting
    Code:
    $result = mysql_query(
        "SELECT r34ln4m3 FROM 1nside0ut WHERE md5(l0gn4m3)='"
        .md5($_POST['username']).
        "' AND entryw41='"
        .md5($_POST['password']). "'",

        $handle
    );
    This is secure, and I hadn't looked closely enough at your original source. It does protect you from SQL injection. The only snag I see now is that this query is a rather big load on the SQL server, especially if the table is large, as for each entry in the table it would need to calculate an MD5 hash. So you're better off storing the usernames/passwords as MD5 hashes instead of calculating them on the fly.

    A much simpler approach is to use placeholders, prepare and execute.

    $query="SELECT * FROM 1nside0ut where l0gn4m3=? and entryw41=?";
    $sth=$dbh->prepare($query);
    $sth->execute($username, $password);

    Also, don't forget to check if you get more than 1 (one) row.
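An added worked example, not code from the thread or from the article it discusses: the three query styles argued over in posts #11, #15, #16 and #17 (raw concatenation, md5 before concatenation, placeholders) plus the exactly-one-row check from post #15, run against an in-memory SQLite table standing in for the MySQL table 1nside0ut. The table and column names are the thread's; the sample users and passwords, and the md5hex/setup_db/login_*/decide helpers, are this example's own assumptions. SQLite has no md5() function, so one is registered to keep the article's md5(l0gn4m3) predicate intact, and the payload is terminated with the `--` comment SQLite accepts rather than the MySQL-only `#` mentioned in post #16.

```python
"""
Added example (not from the thread): the login-query variants discussed in
posts #11, #15, #16 and #17 run against an in-memory SQLite table standing in
for the MySQL table 1nside0ut.  Table/column names are the thread's; the rows,
usernames and passwords below are constructed for this demo.
"""
import hashlib
import sqlite3

# Quoted: an identifier that starts with a digit would otherwise be read as a number.
TABLE = '"1nside0ut"'


def md5hex(value: str) -> str:
    """Hex MD5 of a string, i.e. what PHP's md5() returns in the article."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


# Constructed sample rows: (l0gn4m3, entryw41, r34ln4m3).  The article compares
# md5(l0gn4m3) with md5($username) and entryw41 with md5($passwd), so the login
# name is stored in clear and the password column holds its MD5 hash.
USERS = [
    ("alice", md5hex("correct horse"), "Alice Example"),
    ("bob", md5hex("hunter2"), "Bob Example"),
]


def setup_db() -> sqlite3.Connection:
    """Build the demo table; MySQL has a built-in md5(), SQLite does not."""
    con = sqlite3.connect(":memory:")
    con.create_function("md5", 1, md5hex)
    con.execute(f"CREATE TABLE {TABLE} (l0gn4m3 TEXT, entryw41 TEXT, r34ln4m3 TEXT)")
    con.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?)", USERS)
    return con


def login_raw(con, username, password):
    """The pattern post #11 has in mind: the raw username is spliced into the
    SQL text, so a quote in it closes the literal and the rest becomes SQL."""
    query = (f"SELECT r34ln4m3 FROM {TABLE} "
             f"WHERE l0gn4m3='{username}' AND entryw41='{md5hex(password)}'")
    return con.execute(query).fetchall()


def login_md5_concat(con, username, password):
    """The article's code as quoted in posts #14 and #16: both inputs are md5'd
    before concatenation, so only 32 hex characters ever reach the SQL text."""
    query = (f"SELECT r34ln4m3 FROM {TABLE} "
             f"WHERE md5(l0gn4m3)='{md5hex(username)}' AND entryw41='{md5hex(password)}'")
    return con.execute(query).fetchall()


def login_prepared(con, username, password):
    """Post #17's placeholder version: the values are handed to the driver
    separately from the SQL text, so no input can change the statement."""
    query = f"SELECT r34ln4m3 FROM {TABLE} WHERE l0gn4m3=? AND entryw41=?"
    return con.execute(query, (username, md5hex(password))).fetchall()


def decide(rows):
    """Post #15's rule: one row is a login, zero is a failed login, and more
    than one means something is fishy (a bypass or a duplicate username)."""
    if len(rows) == 1:
        return ("ok", rows[0][0])
    if not rows:
        return ("fail", None)
    return ("fishy", len(rows))


if __name__ == "__main__":
    con = setup_db()
    payload = "a' OR 1=1 -- "  # the thread's a' OR 1=1 with a comment instead of ;
    for name, fn in (("raw concat", login_raw),
                     ("md5 then concat", login_md5_concat),
                     ("placeholders", login_prepared)):
        print(f"{name:16} alice/ok : {decide(fn(con, 'alice', 'correct horse'))}")
        print(f"{name:16} injection: {decide(fn(con, payload, ''))}")
```

Running it shows the raw-concatenation variant returning both rows for the payload, which the row-count rule flags as fishy instead of letting the first row through, while the hashed and placeholder variants return nothing for the same input; the empty password hashes to the d41d8cd9... value quoted in post #16.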

  8. #18
    Junior Member
    Join Date
    Nov 2008
    Posts
    1
    Cool. It is true to say. Support you.

  9. #19
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by just_visiting
    by the way, SQL injections don't end with ;... you either use # or /*...
    Didn't see this one up until now. A ; indicates the end of a query in MySQL. It doesn't really matter if what comes after it is syntactically correct or not; it'll still process the first query (before the ;). You'd use remarks to cull any syntax errors, but since they don't matter anyway, why bother?
