phpBB Academy at StarTrekGuide

[Highway of Life]

As usual, please enclose your answers in the spoiler BBCode:

Code: Select all

[spoiler]your answers[/spoiler]

Find the vulnerabilities in this code and explain how they might be exploited, then explain how the coder could have protected his web application from these possible exploits.

admin/login.php

Code: Select all


$username = SafeAddSlashes($_POST['username']);
$passcode = SafeAddSlashes(md5($_POST['passcode']));
$time = time();
$check = SafeAddSlashes($_POST['setcookie']);

$query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND pass = '$passcode'";

$result = mysql_query($query, $db);
if (mysql_num_rows($result))
{
    $_SESSION['loggedin'] = 1;
    if ($check)
    {
        setcookie("grestul[username]", $username, $time + 3600);
        setcookie("grestul[passcode]", $passcode, $time + 3600);
    }
} 

admin/index.php

Code: Select all

if (isset($_COOKIE['grestul']))
{

    include 'inc/config.php';

    $username = $_COOKIE['grestul']['username'];
    $passcode = $_COOKIE['grestul']['passcode'];

    $query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND pass = '$passcode'";
    $result = mysql_query($query, $db);
} 

[Obsidian]

Can we safely assume SafeAddSlashes(); proofs against SQL inject via $_POST?

[Mr_Bond Deadpool]

Was wondering the same thing, probably a wrapper of some sort for addslashes() if I had to guess...

[Highway of Life]

Was wondering the same thing, probably a wrapper of some sort for addslashes() if I had to guess...

Yes, follow that assumption.

[Obsidian]

Oooh, think I found the exploit/vulnerability.

Spoiler:

Code: Select all

if (isset($_COOKIE['grestul']))
{

    include 'inc/config.php';

    $username = $_COOKIE['grestul']['username'];
    $passcode = $_COOKIE['grestul']['passcode'];

    $query = "SELECT user, pass FROM grestullogin WHERE user = '$username' AND pass = '$passcode'";
    $result = mysql_query($query, $db); 

Simply by falsifying the cookie, and tossing an inject into the username field for $_COOKIE['grustul'], you could do some real damage.

[Handyman]

Spoiler:

Simply by falsifying the cookie, and tossing an inject into the username field for $_COOKIE['grustul'], you could do some real damage.

I think can be exploited using

' OR 1=1 #

instead of the username, that # tells to the MySql to ignore everything that follows being itself a comment. If that query executes that way, being 1 = 1 it returns all nicknames and PWs from the DB.. I guess. that sholud look like this..

Code: Select all

$query = "SELECT user, pass FROM grestullogin WHERE user = ' OR 1=1 # AND pass = '$passcode'";

[Highway of Life]

Please use a spoiler if you provide an answer (3Di).
sTraTo, you are on the right track, now can you provide a working example of how one might exploit it?

[chaoskreator Jason]

Spoiler:

Shouldn't the author have md5'ed the password in the database, and then the user inputted when checking?

[ Post made via Mobile Device ]

[eviL3 Igor]

Shouldn't the author have md5'ed the password in the database, and then the user inputted when checking?

Assume that the value stored in the database is MD5'd (like phpBB2).

[mtotheikle]

Not though just a plain MD5 will not protect passwords that great. The author should also at least salt the MD5.