Please hack my new login screen: 100 Frih$ if you do.

ocalhoun
I've made a new admin control panel for my diskpost store, which requires a login.
The site is only partially complete, but this part of it works flawlessly now.
It is made with PHP and MySQL, if that helps any.

What you should do:
Go to the diskpost store at http://www.diskpost.onet.frih.net/store/Store.php
At the very bottom of the page, there is a link to the administration panel; click it.
Hack through or past the login screen.
Get to the main admin menu.
Click 'submit a new disk', and go through the process, adding the new listing so that there is proof that you were there. (That's the only item on the admin menu that works so far.)
PM me and tell me what you did and how, and I'll give you the frih$.
I'll give you an additional 50 frih$ to tell me how to fix whatever vulnerability you found.

Only one person will be paid for exploiting each security flaw (the one who PMs me first).
Good luck!
hexkid
ocalhoun wrote:
What you should do:
Go to the diskpost store [...]

What you should do:
Post the code or a link to it (if it's largish)!
Stubru Freak
Yes, posting the code would save us time, so more people would be willing to help you.
[FuN]goku
I will take on this challenge.. I really screwed my friend's PHP script over last week, really bad, with HTML stuff and all.. he didn't have HTML tags disabled so I defaced his site XD
ocalhoun
Giving you the code seems to be making it a bit too easy for you, but here it is:
http://www.onet.frih.net/frih/adminview.html
It'll look all screwed up when you view that version of it, but if you display the source code, it'll be nice and neat.
hexkid
ocalhoun wrote:
Giving you the code seems to be making it a bit too easy for you, but here it is:
http://www.onet.frih.net/frih/adminview.html
It'll look all screwed up when you view that version of it, but if you display the source code, it'll be nice and neat.


NOT TESTED -- maybe you'd like to review your script as soon as possible after reading this.

I can enter a username like

Code:
' union select * from phpbb_dp_users where userlevel=1 or username='


to create a select like

Code:
select * from phpbb_dp_users where username ='' union select * from phpbb_dp_users where userlevel=1 or username=''


Don't ever trust input from the users!

If you have magic_quotes_gpc turned on, this will not work (but I don't like to rely on magic stuff).
I can't study your code attentively now ... if you still want me to, I'll do that tomorrow.
Marston
Looks like it's been haxxored.
[FuN]goku
hexkid wrote:
ocalhoun wrote:
Giving you the code seems to be making it a bit too easy for you, but here it is:
http://www.onet.frih.net/frih/adminview.html
It'll look all screwed up when you view that version of it, but if you display the source code, it'll be nice and neat.


NOT TESTED -- maybe you'd like to review your script as soon as possible after reading this.

I can enter a username like

Code:
' union select * from phpbb_dp_users where userlevel=1 or username='


to create a select like

Code:
select * from phpbb_dp_users where username ='' union select * from phpbb_dp_users where userlevel=1 or username=''


Don't ever trust input from the users!

If you have magic_quotes_gpc turned on, this will not work (but I don't like to rely on magic stuff).
I can't study your code attentively now ... if you still want me to, I'll do that tomorrow.


Isn't that SQL injection?
Rhysige
Yes, that's a form of SQL injection..

Rule No. 1
- Whenever you are inserting into or reading from the database and using a variable that the user can input use
Code:
$variableTheyCanEnter = mysql_real_escape_string($variableTheyCanEnter);
Stubru Freak
Rhysige wrote:
Yes, that's a form of SQL injection..

Rule No. 1
- Whenever you are inserting into or reading from the database and using a variable that the user can input use
Code:
$variableTheyCanEnter = mysql_real_escape_string($variableTheyCanEnter);


Not only when the user can enter it, you should always do that with any strings you want to insert!
The-Master
I got to this bit:
Code:
Your login information is wrong. You should not be able to get to this page with an incorrect login.
Hacking is not tolerated at this site. An E-mail describing this intrusion has been sent to the site adminisrator.
If you somehow managed to get here by an honest mistake, contact the administrator as soon as possible and explain yourself.


Does that mean I get the frih$ or do I have to actually manage to submit it...

I also got to the editing page but that didn't do anything.

I would say it doesn't matter if people can get to that page if they still have to submit a user name there...
ocalhoun
The-Master wrote:
I got to this bit:
Code:
Your login information is wrong. You should not be able to get to this page with an incorrect login.
Hacking is not tolerated at this site. An E-mail describing this intrusion has been sent to the site adminisrator.
If you somehow managed to get here by an honest mistake, contact the administrator as soon as possible and explain yourself.


Does that mean I get the frih$ or do I have to actually manage to submit it...

I also got to the editing page but that didn't do anything.

I would say it doesn't matter if people can get to that page if they still have to submit a user name there...

^No, that is my hacker alert system I built in to warn me that someone is trying to hack in.

hexkid did find a vulnerability and tell me about it, so he gets the 50 frih$ for that; however, he wasn't able (or didn't take the time) to actually change anything, so it doesn't qualify for the 100 frih$, at least not yet.
hexkid
ocalhoun wrote:
hexkid did find a vulnerability and tell me about it, so he gets the 50 frih$ for that; however, he wasn't able (or didn't take the time) to actually change anything, so it doesn't qualify for the 100 frih$, at least not yet.


Thank you for the FRIH$!
I found out that magic_quotes_gpc is on, so my vulnerability doesn't work with the current server configuration. However, you should change it now, as you don't know when the server admin will change the configuration (PHP 6 will ship with the magic_ stuff disabled).


Did I insert a record into your database?
According to my screenshot it appears I did ...

http://media.pixpond.com/b2o6ozm.png (image will be deleted in 30 days)

... but that record does not appear in the diskpost store.

Do you want to know how I got to that screen?
ocalhoun
^Oh, I didn't find it because it wasn't assigned to any category, and didn't display. I have found it in the database, though.
And, yes, if the vulnerability you mentioned earlier can't be used right now, I'd surely like to know how that was accomplished.
hexkid
ocalhoun wrote:
^Oh, I didn't find it because it wasn't assigned to any category, and didn't display. I have found it in the database, though.

Ah! That's good to know.
Knowing my attempt made it into the database and doesn't show up because it lacks a category, I can make another try.


ocalhoun wrote:
And, yes, if the vulnerability you mentioned earlier can't be used right now, I'd surely like to know how that was accomplished.

No matter how I tried I couldn't get an SQL injection to work.
Trying to login with "anything" for username and "Mc'Donalds" for the password reveals you do, indeed, have magic_quotes_gpc turned on.

I'll try to find a bit of time to make another attempt and write about it. Would you prefer I kept my findings private, just between me and you?
hexkid
hexkid wrote:
Would you prefer I kept my findings private, just between me and you?

Nahhhhhhhhhhhhh ...

Code:
<?php
$con = mysql_connect("localhost","____________","______");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
//connected to database, select table
mysql_select_db("ocalhoun_disk", $con);

########################
### This won't accept an empty username
### or an username with one single character
If (strlen($_GET["username"]) > 1)
{
   //user has entered a username

   ########################
   ### This won't accept an empty password
   ### or a password with one single character
   IF (strlen($_GET["password"]) > 1)
   {
      //user has entered a username and a password

      ########################
      ### // Beware SQL injections. You should validate $_GET['username']
      ###
      ### $MAGIC_GPC = ini_get('magic_quotes_gpc'); // 0 or 1
      ### if ($MAGIC_GPC) {
      ###   // undo magic_quotes_gpc
      ###   $get_username = stripslashes($_GET['username']);
      ### } else {
      ###   $get_username = $_GET['username'];
      ### }
      ### $sql_username = mysql_real_escape_string($get_username); // escape the un-magic'd value, not $_GET, or it gets escaped twice
      ### // if the client sent "Mc'Donalds",
      ### // $get_username is now "Mc'Donalds" and
      ### // $sql_username is "Mc\'Donalds"
      ### // $_GET['username'] is either "Mc'Donalds" or "Mc\'Donalds"
      ### // Luckily the guys at PHP HQ decided to remove magic_quotes from PHP :)
      # $sqlrow = mysql_query("SELECT * FROM phpbb_dp_users WHERE username='" . $_GET["username"] ."'");
      $sqlrow = mysql_query("SELECT * FROM phpbb_dp_users WHERE username='$sql_username'");

      ########################
      ### Don't forget to test the return value of mysql_* functions
      $row = mysql_fetch_array($sqlrow);

      ########################
      ### if (!$row) {
      ###   // no user in the database with username=$sql_username
      ### }
      //echo $_GET["username"] . "<-- Entered Username <br>";
      //echo $row;
      //echo "<-- row <br>";
      //echo $row['username'];
      //echo "row username<br>";
      //echo $row["user_store_password"];
      //echo "row password <br>";
      //echo $row["user_id"];
      //echo "row user_id <br>";
      // ^Those are just diagnostic tools: They should normaly be disabled.
      IF ($row["user_store_password"] == $_GET["password"])

      ########################
      ### What if there isn't any $sql_username in the table?
      ### In that case $row is false, and $row["user_store_password"] is NULL
      ### You failed to test the return value of mysql_fetch_array()
      ### But even if $_GET["password"] is "00" (two or more characters) or "false"
      ### if will not match, so it's safe (but I wouldn't code like this)
      {
         //login successfull

         ########################
         ### So we can't get here normally without knowing a username/password combination,
         ### but we have the code, which is just about the same thing :)
         echo "login successfull <hr>";
         echo "<hr><b>diksmaker links</b> <br>"; //show the links that both admins and diskmakers use

         ########################
         ### Ah! This seems interesting.
         echo "<a href='http://www.diskpost.onet.frih.net/store/Submit.php?username=" . $_GET['username'] ."&password=" . $_GET["password"] . "'>submit a new disk</a> <br>";

<snip>


So, I went to that URL, and, as I didn't have the source, tried a few things until one of them worked.

I've just inserted another record, this time with categories (all of them), but it still doesn't show in the Store page.
Maybe I need to put it in only one category.
ocalhoun
hexkid wrote:
so it's safe (but I wouldn't code like this)

You could describe most of my programming work that way. I usually end up doing things in unusual ways.

Anyway, so now I know I need to put a maximum length on the username and password, and that I need a more secure way for the other pages to check to see if the login information is correct.

That concludes (for now) my inquisitiveness into the security of my site, so no more frih$ will be handed out. (Feel free to add more posts here if you want, but no more being paid for them (for now)).
hexkid
ocalhoun wrote:
I usually end up doing things in unusual ways.

There's only one small (depending on what you consider small) thing wrong with doing things in unusual ways.
Will you understand your code 6 months from now?
For example, I had to write a script to reach the conclusion that your "$row['user_store_password'] == $_GET['password']" was safe:
Code:
<?php
$x = false;
echo 'string (empty): ';   if ($x['x'] != '')      echo 'does not '; echo "match<br>\n";
echo 'string \'false\': '; if ($x['x'] != 'false') echo 'does not '; echo "match<br>\n";
echo 'boolean false: ';    if ($x['x'] != false)   echo 'does not '; echo "match<br>\n";
echo 'string \'00\': ';    if ($x['x'] != '00')    echo 'does not '; echo "match<br>\n";
echo 'string \'0\': ';     if ($x['x'] != '0')     echo 'does not '; echo "match<br>\n";
echo 'number 0: ';         if ($x['x'] != 0)       echo 'does not '; echo "match<br>\n";
echo 'null: ';             if ($x['x'] != null)    echo 'does not '; echo "match<br>\n";
?>


ocalhoun wrote:
Anyway, so now I know [...] I need a more secure way for the other pages to check to see if the login information is correct.

Do the username/password validation once. If it's OK, set a session variable which you check on every page.
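Putting Rhysige's rule and hexkid's suggestion together, as an added example that is not ocalhoun's or hexkid's code: the username goes into a PDO prepared statement (a swap for mysql_real_escape_string), the credentials are checked once, and the other admin pages test a session variable instead of receiving ?username=...&password=... in the URL. The table and column names are the ones quoted in the thread; the DSN, database user and password are placeholders, and modern PHP (7.1+) is assumed, where magic_quotes no longer exists.

```php
<?php
// Added example, not the thread's own code. Assumes the phpbb_dp_users table
// and columns quoted above; DSN credentials are placeholders. PHP 7.1+, so
// there is no magic_quotes_gpc and no stripslashes() dance is needed.
session_start();

function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=ocalhoun_disk', '____', '____');
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);       // server-side prepares
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // no silent false returns
    return $pdo;
}

// Returns user_id on success, null otherwise. The username is a bound parameter,
// so "' union select ..." is compared literally and never parsed as SQL.
function checkLogin(PDO $pdo, string $username, string $password): ?int {
    $stmt = $pdo->prepare(
        'SELECT user_id, user_store_password FROM phpbb_dp_users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {              // strict check: no such user, stop here
        return null;
    }
    // Constant-time string comparison; a NULL column becomes '' and simply fails.
    if (!hash_equals((string) $row['user_store_password'], $password)) {
        return null;
    }
    return (int) $row['user_id'];
}

// Login form handler: credentials arrive by POST, never in the query string.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    $uid  = (strlen($user) > 1 && strlen($pass) > 1) ? checkLogin(connect(), $user, $pass) : null;
    if ($uid === null) {
        http_response_code(403);
        exit('Your login information is wrong.');
    }
    session_regenerate_id(true);       // fresh session id once the user is logged in
    $_SESSION['admin_user_id'] = $uid;
}

// Submit.php and the other admin pages call session_start() and then this.
function requireLogin(): void {
    if (empty($_SESSION['admin_user_id'])) {
        http_response_code(403);
        exit('Please log in first.');
    }
}
```

With this in place the link to Submit.php carries no credentials at all, so the page hexkid reached by editing the URL only answers to a browser that already passed checkLogin().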
ocalhoun
^ The reason I didn't use sessions: I haven't bothered to learn that yet.
(This is my first real work in php, if you couldn't tell.)
salman_500
Hey,

Anyone can access that form of yours by putting anything here:

http://www.diskpost.onet.frih.net/store/Submit.php?username=any value

Even though they can't do anything later on... I still recommend you protect this page...... it's really easy to do......

Just for the sake of security...... further security...
ChrisCh
http://www.diskpost.onet.frih.net/store/F_Submit.php wrote:
Your login information is wrong. You should not be able to get to this page with an incorrect login.
Hacking is not tolerated at this site. An E-mail describing this intrusion has been sent to the site adminisrator.
If you somehow managed to get here by an honest mistake, contact the administrator as soon as possible and explain yourself.


I got that after trying to add a CD to your database using the vulnerability discussed in the post above.
ocalhoun
^Well, at least my security is good for something.
Personally, I think that the hacker warning E-mail is the most impressive part of the whole admin control panel.
Alie
Quote:
Well, at least my security is good for something.


http://www.diskpost.onet.frih.net/store/Store.php?type_sel=GET&op_sel=Injection%20<b>:)</b>&type2_sel=<marquee>I%20can%20upload%20shell%20to%20delete%20this%20site%20at%20all!!!</marquee><b><P>Really%20good%20hole%20for%20GET/POST%20injections!</b>

One little security detail: I've already written it in my GET injection. Just enter the address above into your browser to read it.
I hope this will help you better protect your online shop!
Keep upgrading. Good work!