
Friday, 25 May 2012

SQL Injection Authentication Bypass


Credit 
Aponie

Assalamualaikum..

Please read the article below on how to bypass authentication using the SQL injection technique. The article also explains how to fix this problem. Very useful for those who are new to the security field. Enjoy learning.





Quote:
# Date: 30.03.2010
# Author: novaca!ne
# Website: http://j0hnx3r.org
#          http://novacaine.biz
# Contact: J0hn.X3r@free-hack.com
#          novacaine@no-trace.cc



I. Introduction

II. What is Auth Bypass

III. How to exploit it

IV. How to fix it

V. Shouts





I. Introduction

Dear Reader, this paper is about "Auth Bypass".
It was written by J0hn.X3r and edited by novaca!ne (see the original version here: http://j0hnx3r.org/?p=55 ).

This technique is used to bypass a PHP & MySQL authorization check using SQL queries.
It was written to share knowledge.


II. What is Auth Bypass

"Auth Bypass" is short for "Authorization Bypass".
An Auth Bypass flaw appears whenever a website does not filter the attacker's input.
It is a form of SQL command injection.

For example the target website uses this vulnerable, unsecured authorization script:

<?php
// Intentionally vulnerable: the raw POST values are concatenated straight into the SQL text.
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";
$response = mysql_query($sql);
?>

As you can see, the user's input is not checked or filtered in any way.
> This is how the MySQL query looks now (with both fields left empty): <
> SELECT * FROM users WHERE username='' AND password='' <


III. How to exploit it:

Let's take a simple username (usually admin or administrator) and, as the password, we choose:

' OR 'a' = 'a
> This is how the MySQL query looks now: <
> SELECT * FROM users WHERE username='admin' AND password='' OR 'a' = 'a' <

'a' = 'a' always evaluates to true, just like 1 = 1 or 'cats' = 'cats'.

Let's analyze the situation in words:
> Username='admin' AND Password='' OR 'a' = 'a' <
> means -> Username admin and Password TRUE <
> This is how the MySQL query looks now: <
> SELECT * FROM users WHERE username='admin' AND TRUE <

That means we're getting logged in as the administrator, without a password by manipulating the query!


IV. How to fix:

One of the methods to fix and secure such Auth Bypass flaws is to use the PHP function mysql_real_escape_string
(http://de3.php.net/mysql_real_escape_string).
It escapes each of these characters:
\x00, \n, \r, \, '
by prefixing it with a backslash "\", so the attacker's injected commands are treated as plain string data and become useless.

Example:

<?php
// Escape the input before it is concatenated into the query (needs an open mysql connection).
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$response = mysql_query($sql);
?>
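The following script is an added example, not part of the original paper, that puts the vulnerable query from section II/III next to a prepared-statement version of the fix from section IV and runs both against the paper's payload. It assumes an in-memory SQLite database through PDO (so it runs offline without MySQL), stores a password hash instead of the plaintext the paper's schema implies, and uses function names (vulnerableLogin, safeLogin) chosen for this example. It also makes one point explicit that the paper glosses over: AND binds tighter than OR, so the injected WHERE clause is `(username='admin' AND password='') OR TRUE`, which matches every row; the first row returned is whoever the script logs you in as.

```php
<?php
// Added example (not the paper's code): vulnerable string-built query beside
// a prepared-statement login, run on an in-memory SQLite database via PDO.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");

// Constructed sample user. password_hash() is a PHP built-in; the hash is
// stored instead of the plaintext so the password never appears in SQL.
$insert = $db->prepare("INSERT INTO users (username, password) VALUES (?, ?)");
$insert->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// The paper's vulnerable pattern: input is concatenated into the SQL text.
function buildVulnerableSql(string $username, string $password): string
{
    return "SELECT * FROM users WHERE username='" . $username
         . "' AND password='" . $password . "'";
}

function vulnerableLogin(PDO $db, string $username, string $password): ?array
{
    $row = $db->query(buildVulnerableSql($username, $password))->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened version: the SQL text is fixed, the username travels as a bound
// parameter, and the password is checked with password_verify() in PHP,
// never compared inside the query.
function safeLogin(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row && password_verify($password, $row['password'])) {
        return $row;
    }
    return null;
}

// The paper's payload, typed into the password field.
$payload = "' OR 'a' = 'a";

echo "Query sent by the vulnerable script:\n  " . buildVulnerableSql('admin', $payload) . "\n";

$r = vulnerableLogin($db, 'admin', $payload);
echo "vulnerable login with payload:          "
   . ($r ? "logged in as {$r['username']} (no password needed)" : "rejected") . "\n";

$r = safeLogin($db, 'admin', $payload);
echo "prepared-statement login with payload:  "
   . ($r ? "logged in" : "rejected") . "\n";

$r = safeLogin($db, 'admin', 'correct horse battery staple');
echo "prepared-statement login, real password: "
   . ($r ? "logged in as {$r['username']}" : "rejected") . "\n";
```

Run it with `php auth_bypass_demo.php`: the vulnerable function returns the admin row even though the stored password is a hash, because the OR makes the WHERE clause true for every row, while the prepared statement rejects the payload and accepts only the real password. Two caveats on the paper's own fix: mysql_real_escape_string only protects values that sit inside single quotes (a numeric field such as `WHERE id=` . $id stays injectable), and the whole mysql_* extension was removed in PHP 7, so mysqli or PDO prepared statements are the practical replacement.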

Source: http://www.exploit-db.com/papers/14340/
