Auth Bypass
# Date: 30.03.2010
# Author: novaca!ne
# Website: j0hnx3r.org novacaine.biz
# Contact: [email protected] [email protected]
1. Introduction
2. What is Auth Bypass
3. How to exploit it
4. Bypass magic_quotes
5. How to fix it
6. Shouts
Introduction
Dear Reader, this paper is about „Auth Bypass“.
It was written by J0hn.X3r and edited by novaca!ne
(see the original version here: http://j0hnx3r.org/?p=55 ).
You can use this simple technique to pentest your own website or when you have forgotten your own
password.
It was written to share knowledge; knowledge should be free and available for everyone.
What is Auth Bypass
„Auth Bypass“ is the short form of „Authorization Bypass“.
An Auth Bypass flaw appears whenever a website doesn't filter the attacker's input.
It is a form of SQL command injection.
For example, the target website uses this vulnerable, unsecured login script:
<?php
// Vulnerable: the raw POST values are concatenated straight into the SQL string,
// so a quote in the input ends the string literal and the rest becomes SQL syntax.
$sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";
$response = mysql_query($sql);
?>
Because the input ends up inside the query, we can manipulate the WHERE condition and get logged in
as the administrator without knowing a password.
Bypass magic_quotes
magic_quotes is a PHP setting (php.ini).
It causes every ' (single quote), " (double quote) and \ (backslash) in the input
to be escaped with a backslash automatically, a weak but well-known protection method.
This is how to bypass it:
Use the JavaScript function „String.fromCharCode()“: translate your MySQL command
into ASCII code points (http://www.asciizeichen.de/tabelle.html) and pass the result as the input.
‘ OR ‘a’ = ‘a
equals
String.fromCharCode(8216, 32, 79, 82, 32, 8216, 97, 8217, 32, 61, 32, 8216, 97)
(8216 and 8217 are the code points of the typographic quotes ‘ and ’ used above; 32 is the space, 79 82 is "OR", 97 is "a" and 61 is "=".)
How to fix
One of the methods to fix and secure such an Auth Bypass flaw is to use the PHP function
mysql_real_escape_string (http://de3.php.net/mysql_real_escape_string).
It causes each of these characters:
\x00, \n, \r, \, '
to be escaped with a backslash „\“, so the attacker's injected commands become useless.
<?php
// Fixed: escape the POST values before they are placed inside the quoted SQL literals.
// mysql_real_escape_string() needs an open MySQL connection (mysql_connect) first,
// because the escaping depends on the connection's character set.
$username = mysql_real_escape_string($_POST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
$response = mysql_query($sql);
?>
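As an added example (not from the paper), here is the same login query in Python with sqlite3 standing in for MySQL: the string-built query from the vulnerable script, next to a parameterized version, both tried with the paper's ' OR 'a' = 'a payload supplied as the password. The sample account and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the paper): one admin account.
# Plaintext password only to mirror the paper's schema; real systems store hashes.
USERS = [("admin", "s3cret-admin-pw")]


def make_db():
    """Create an in-memory users table like the one the paper's script queries."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con, username, password):
    """Mirrors the paper's vulnerable script: input is glued into the SQL text."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(con, username, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The paper's payload with plain ASCII quotes. In the password field it yields
#   ... AND password='' OR 'a'='a'
# and since AND binds tighter than OR, the WHERE clause is true for every row.
PAYLOAD = "' OR 'a'='a"


def demo():
    """Run both login variants with the real password and with the payload."""
    con = make_db()
    return {
        "vuln_real": login_vulnerable(con, "admin", "s3cret-admin-pw"),
        "vuln_inject": login_vulnerable(con, "anyone", PAYLOAD),
        "safe_real": login_parameterized(con, "admin", "s3cret-admin-pw"),
        "safe_inject": login_parameterized(con, "anyone", PAYLOAD),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name}: logged in as {user}")
```

The vulnerable variant logs the attacker in as admin with the payload, while the parameterized one returns no user for the same input.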
Shouts
Greetz fly out to:
-tmh-, ck/cee-kay, Nazrek, bl0b, c1ox, h0yt3r (and his cat <3), soulstoned, Lidloses_Auge, Suicide,
-=Player=-, Montaxx, Lorenz, Easy Lester, Vinzenco, Free-hack.com, NovuSec.com,
HackBase.cc,...
# END OF FILE