goldendragon | Date: Saturday, 2011-11-26, 6:27 PM | Message # 1 |
What is Auth Bypass

"Auth Bypass" is short for "Authentication Bypass". An auth bypass flaw of this kind comes up whenever a website builds its login query directly from the attacker's input without filtering or parameterising it. It is a form of SQL injection.

For example, the target website uses this vulnerable, unsecured login script:

<?php
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";
$response = mysql_query($sql);
?>

As you can see, the user's input is not checked or filtered. With empty input, this is how the MySQL query looks:

SELECT * FROM users WHERE username='' AND password=''
How to exploit it:

Take a plausible username (mostly admin or administrator) and as the password enter:

' OR 'a' = 'a

This is how the MySQL query looks now:

SELECT * FROM users WHERE username='admin' AND password='' OR 'a' = 'a'

The first quote of the payload closes the empty password string, and the closing quote that the script appends after the password ends up closing the final 'a'. 'a' = 'a' is always true, just like 1 = 1 or 'cats' = 'cats'.

Let's analyze the situation in words. In SQL, AND binds tighter than OR, so the condition is evaluated as:

(username='admin' AND password='') OR 'a' = 'a'

The left side is false, but the right side is true for every row, so the query returns every row in the users table instead of none. A login script that only checks whether the query returned a row, or that takes the first row of the result, logs you in without a password, usually as the administrator, because the admin account is typically the first row in the table. The query has been manipulated into always succeeding.
How to fix:

One method to fix and secure such an Auth Bypass flaw is to use the PHP function mysql_real_escape_string (http://de3.php.net/mysql_real_escape_string). It prepends a backslash "\" to each of these characters: \x00, \n, \r, \, ', " and \x1a. The attacker's quote then stays inside the string literal, so the password from the example becomes password='\' OR \'a\' = \'a' and is compared as plain text instead of being executed as SQL.

Example:

<?php
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$response = mysql_query($sql);
?>

Two caveats: escaping only protects values placed inside quoted strings, so a value spliced into a numeric context (e.g. WHERE id=$id) still needs casting or a prepared statement, and mysql_real_escape_string needs an open connection with the correct character set to escape properly. The whole mysql_* extension was removed in PHP 7.0, so in current code the fix is a prepared statement with mysqli or PDO, which sends the values separately from the SQL text.
Message edited by goldendragon - Saturday, 2011-11-26, 6:41 PM |
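The injection and the fix from the post, carried through as an added worked example that is not code from the original post: Python with an in-memory SQLite table standing in for the PHP/MySQL login, so it runs offline. The users table and its passwords are constructed sample data. Besides the post's ' OR 'a'='a password payload it also shows a comment payload (admin'-- ), which goes beyond the post: it matches one account rather than every row. The parameterised query is the equivalent of a prepared statement.

```python
import sqlite3

# Constructed sample data standing in for the post's `users` table.
# Passwords are stored in plaintext here only to mirror the post's query;
# a real application compares a password hash instead.
USERS = [
    ("admin", "s3cret-admin"),
    ("alice", "wonderland"),
    ("bob", "builder"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The post's pattern: untrusted input is spliced into the SQL text."""
    return (
        "SELECT username FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def login_vulnerable(conn, username, password):
    """Run the concatenated query and return the usernames it matches.

    With the payload ' OR 'a'='a every row matches, because AND binds
    tighter than OR: (username=... AND password='') OR 'a'='a'.
    """
    sql = build_vulnerable_query(username, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Parameterised query: the driver passes the values separately from
    the SQL text, so a quote in the input is data, never SQL syntax."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'a'='a"  # the post's password payload
    print(build_vulnerable_query("admin", payload))
    print("vulnerable, OR payload:     ", login_vulnerable(db, "admin", payload))
    print("vulnerable, comment payload:", login_vulnerable(db, "admin'-- ", "x"))
    print("safe, OR payload:           ", login_safe(db, "admin", payload))
    print("safe, real password:        ", login_safe(db, "admin", "s3cret-admin"))
```

Run it and compare the two result sets: the concatenated query returns all three accounts for the OR payload and exactly admin for the comment payload, while the parameterised query returns nothing for either and only matches when the real password is supplied. In the post's PHP setting, login_safe corresponds to a prepared statement such as $pdo->prepare("SELECT * FROM users WHERE username=? AND password=?") followed by execute() with the two values.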