Saturday, 2018-05-26, 4:34 PM
Welcome Guest

Sec_rity without U

Main | Auth Bypass | Golden Dragon - Forum | Registration | Login | RSS
[ New messages · Members · Forum rules · Search · RSS ]
  • Page 1 of 1
  • 1
Forum » Hacks, Exploits & discussions » Website & Forum security » Auth Bypass | Golden Dragon (Auth Bypass & Exploit)
Auth Bypass | Golden Dragon
goldendragonDate: Saturday, 2011-11-26, 6:27 PM | Message # 1
Sergeant
Group: Moderators
Messages: 23
Awards: 0
Reputation: 1
Status: Offline
What is Auth Bypass

"Auth Bypass“, short form for „Authorization Bypass.“
A Auth Bypass flaw comes up every time a website doesn't filter the attackers input.
It deals with Sql command injection.

For example the target website uses this vulnerable, unsecured authorization script:

<?php
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $POST_['password'] . "'";
response = mysql_query($sql);
?>

As you can see, the user's input is not getting checked or filtered.
> This is how the MySQL Query looks now: <
> SELECT * FROM users WHERE user='' AND password='' <

How to exploit it:

Let's take a simple username (mostly admin or administrator) and as a password, we choose:

' OR 'a' = 'a
> This is how the MySQL Query looks now: <
> SELECT * FROM users WHERE user='admin' AND password='' OR 'a' = 'a' <

'a' = 'a is a true value, just like 1 = 1 or 'cats' = 'cats

Let's analyze the situation in words:
> Username=’admin’ AND Password=” OR ‘a’ = ‘a’ <
> means -> Username admin and Password TRUE <
> This is how the MySQL Query looks now: <
> SELECT * FROM users WHERE user='admin' AND TRUE <

That means we're getting logged in as the administrator, without a password by manipulating the query!

How to fix:


One of the method's to fix and secure such Auth Bypass flaw's, is to use the php function mysql_real_escape_string,
(http://de3.php.net/mysql_real_escape_string).
It causes that every of this characters:
\x00, \n, \r, \, '
get's replaced with a simple Backslash „/“, so the attackers commands become useless.

Example:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$response = mysql_query($sql);
?>


Message edited by goldendragon - Saturday, 2011-11-26, 6:41 PM
 
Forum » Hacks, Exploits & discussions » Website & Forum security » Auth Bypass | Golden Dragon (Auth Bypass & Exploit)
  • Page 1 of 1
  • 1
Search: