SQL Injection Authentication Bypass

EDB-ID: 14340
CVE: N/A
Author: novaca!ne
Type: papers
Platform: Multiple
Published: 2010-07-12

¸'´.`''´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`'´.`''´.`'¸
iI                                                                                                                                     Ii
!I                                                  Auth Bypass by J0hn.X3r and novaca!ne                                              !I
I!                                                                                                                                     I!
!I     # Date: 30.03.2010                                                                                                              !I
I!     # Author:  novaca!ne                                                                                                            I!
!I     # Website: http://j0hnx3r.org                                                                                                   !I
I!                http://novacaine.biz                                                                                                 I!
!I     # Contact: J0hn.X3r@free-hack.com                                                                                               !I
I!                novacaine@no-trace.cc                                                                                                I!
!I                                                                                                                                     !I
I!                                                                                                                                     I!
!I                                                                                                                                     !I
I!     I. Introduction                                                                                                                 I!
!I                                                                                                                                     !I
I!     II. What is Auth Bypass                                                                                                         I!
!I                                                                                                                                     !I
I!     III. How to exploit it                                                                                                          I!
!I                                                                                                                                     !I
I!     IV. How to fix it                                                                                                               I!
!I                                                                                                                                     !I
I!     V. Shouts                                                                                                                       I!
!I                                                                                                                                     !I
I!                                                                                                                                     I!
!I                                                                                                                                     !I
I!                                                                                                                                     I!
!I                                                                                                                                     !I
I!   I. Introduction                                                                                                                   !I
!I                                                                                                                                     I!
I!   Dear Reader, this paper is about "Auth Bypass".                                                                                   !I
!I   It was written by J0hn.X3r and edited by novaca!ne (see original version here: http://j0hnx3r.org/?p=55 ).                        I!
!I                                                                                                                                     !I
I!   This technique is used to bypass a PHP & MySQL login check by injecting SQL into the query it builds.                             I!
!I   It was written to share knowledge.                                                                                                !I
I!                                                                                                                                     I!
!I                                                                                                                                     !I
I!   II. What is Auth Bypass                                                                                                           I!
!I                                                                                                                                     !I
I!   "Auth Bypass" is short for "Authentication Bypass".                                                                               I!
!I   An Auth Bypass flaw exists whenever a website puts the attacker's input into an SQL query without validating or escaping it.      !I
I!   It is a form of SQL injection.                                                                                                    I!
!I                                                                                                                                     !I
I!   For example, the target website uses this vulnerable, unsecured login script:                                                     I!
!I                                                                                                                                     !I
   <?php
   // Vulnerable on purpose: the raw POST values are concatenated straight into the SQL string.
   $sql = "SELECT * FROM users WHERE username='" . $_POST['username'] . "' AND password='" . $_POST['password'] . "'";
   $response = mysql_query($sql);
   ?>
!I                                                                                                                                     I!
I!   As you can see, the user's input is not checked or filtered in any way.                                                           !I
!I                                                             > With both fields left empty, the query becomes: <                     I!
I!                                                             > SELECT * FROM users WHERE username='' AND password='' <               !I
!I                                                                                                                                     I!
I!                                                                                                                                     !I
!I   III. How to exploit it:                                                                                                           I!
I!                                                                                                                                     !I
!I   Let's take a simple username (mostly admin or administrator) and, as the password, we choose:                                     !I
!I                                                                                                                                     !I
     ' OR 'a' = 'a
!I                                                             > This is how the MySQL Query looks now: <                              I!
I!                                                          > SELECT * FROM users WHERE username='admin' AND password='' OR 'a' = 'a' <!I
!I                                                                                                                                     I!
I!   'a' = 'a' is always true, just like 1 = 1 or 'cats' = 'cats'.                                                                     !I
!I                                                                                                                                     I!
I!   Let's analyze the situation in words:                                                                                             !I
        > username='admin' AND password='' OR 'a' = 'a' <
        > AND binds tighter than OR, so MySQL reads this as:  <
        > (username='admin' AND password='') OR TRUE -> TRUE <
!I                                                                                                                                     I!
I!   Because 'a' = 'a' is true for every row, the WHERE clause matches every row and the query returns the whole users table.          !I
!I   A typical login script only checks that at least one row came back, or takes the first row, so we get logged in                   I!
I!   without a password simply by manipulating the query. The first row is very often the administrator account.                       !I
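The attack above, run end to end as an added example (this is not code from the original paper). It uses Python's sqlite3 module as a stand-in for PHP and MySQL, because the concatenation bug and the AND/OR precedence behave the same way, and the users table and its three accounts are constructed sample data. It also shows that, because of the precedence, the username typed in does not matter at all:

```python
import sqlite3

# Constructed sample data standing in for the paper's MySQL "users" table.
SAMPLE_USERS = [
    ("admin", "S3cret!"),
    ("alice", "wonderland"),
    ("bob", "builder"),
]


def make_db():
    """Create an in-memory users table; sqlite3 stands in for MySQL here."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """The same string concatenation as the paper's PHP script."""
    return (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn, username, password):
    """Run the concatenated query and return every row it matches.
    The PHP script treats a non-empty result as a successful login and
    normally uses the first row as the logged-in user."""
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR 'a' = 'a"
    print(build_vulnerable_query("admin", payload))
    rows = vulnerable_login(conn, "admin", payload)
    print(len(rows), "rows matched; first row:", rows[0])
    print(len(vulnerable_login(conn, "admin", "wrong")), "rows for a wrong password")
    # AND binds tighter than OR, so the username is irrelevant to the result.
    print(len(vulnerable_login(conn, "nobody", payload)), "rows for an unknown username")
```

With the payload in the password field the query returns all three rows, and the first one is the admin account; with an unknown username it still returns all three rows, which is the precedence point made above.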
!I                                                                                                                                     I!
I!                                                                                                                                     !I
!I   IV. How to fix:                                                                                                                   I!
I!                                                                                                                                     !I
!I   One of the methods to fix such Auth Bypass flaws is to escape the input with the PHP function mysql_real_escape_string            I!
I!   (http://de3.php.net/mysql_real_escape_string).                                                                                    !I
!I   It prefixes each of the following characters:                                                                                     I!
   \x00, \n, \r, \, ', ", \x1a
!I   with a backslash (\), so the attacker's quote no longer closes the string literal and the injected SQL becomes useless.           I!
I!   Two caveats: it escapes for the connection's character set, so set that with mysql_set_charset() and not with a SET NAMES query,  !I
!I   and it only protects values inside quoted string literals (an unquoted numeric id stays injectable).                              I!
I!   The mysql_* extension was removed in PHP 7. The robust fix is a prepared statement (mysqli or PDO), which keeps data out of the   !I
!I   SQL text entirely, plus hashed passwords checked with password_verify() instead of compared in SQL.                               I!
I!                                                                                                                                     !I
!I   Example:                                                                                                                          I!
I!                                                                                                                                     !I
    <?php
    // mysql_real_escape_string() needs an open connection (mysql_connect) and
    // escapes according to that connection's character set.
    $username = mysql_real_escape_string($_POST["username"]);
    $password = mysql_real_escape_string($_POST["password"]);
    $sql = "SELECT * FROM users WHERE username='" . $username . "' AND password='" . $password . "'";
    $response = mysql_query($sql);
    ?>
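The hardened form of the same login, as an added example (not code from the original paper): the password is never placed in the SQL text at all. The lookup is a parameterised query on the username only, and the password is checked against a salted hash outside the database. Python's sqlite3 again stands in for PHP/MySQL, PBKDF2-HMAC-SHA256 stands in for password_hash()/password_verify(), and the three accounts are constructed sample data:

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts; the plaintext is only used to seed the table.
SAMPLE_USERS = [("admin", "S3cret!"), ("alice", "wonderland"), ("bob", "builder")]


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest).
    Stands in for PHP's password_hash()."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time.
    Stands in for PHP's password_verify()."""
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def make_db():
    """In-memory users table holding password hashes, never plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pwhash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, pwhash) VALUES (?, ?)",
        [(u, hash_password(p)) for u, p in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def safe_login(conn, username, password):
    """Parameterised lookup by username; the driver sends the value separately
    from the SQL text, so quotes in it cannot change the query. The password
    only ever reaches verify_password(). Returns the username or None."""
    row = conn.execute(
        "SELECT username, pwhash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None or not verify_password(password, row[1]):
        return None
    return row[0]


if __name__ == "__main__":
    conn = make_db()
    print(safe_login(conn, "admin", "S3cret!"))          # admin
    print(safe_login(conn, "admin", "' OR 'a' = 'a"))    # None
    print(safe_login(conn, "admin' OR 'a'='a", "x"))     # None
```

The payload from section III now fails in both fields: in the username it is looked up literally and matches nothing, and in the password it is just a string that does not hash to the stored value.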
I!                                                                                                                                     !I
!I                                                                                                                                     I!
I!   V. Shouts:                                                                                                                        !I
!I                                                                                                                                     I!
I!   Greetz fly out to:                                                                                                                !I
!I   -tmh-, ck/cee-kay, Nazrek, bl0b, c1ox,h0yt3r (and his cat <3), soulstoned, Lidloses_Auge, Suicide, -=Player=-,                    I!
I!   wacked, DizzY_D, eddy14, fred777, OpCodez, Lorenz, Easy Lester, Bursali, Vinzenco,                                                !I
!I   Free-hack.com, NovuSec.com, HackBase.cc, board.core.am...                                                                         I!
I!                                                                                                                                     !I
!I                                                           # END OF FILE #                                                           I!
`'._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._..._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._.'´