吊炸天
Found an amazing book. Noting down a section here.
---[ 0x03: Exploiting a Login Form ]
Sometimes coders do not properly sanitize two important variables, the
username and the password of the login form, and this introduces a critical
vulnerability that lets an attacker into a restricted area.
Let's make an example query here below:
SELECT * FROM users WHERE username = 'admin' and password = 'secret'
With this query the admin supplies the username 'admin' and the password 'secret';
if both match, the admin is logged into the application.
Let us suppose that the script is vulnerable to SQL injection. What happens
if we know the admin username (in this case 'admin') but not the password?
Can we still carry out an SQL injection attack? Yes, easily, and then we gain access to the application.
Like this:
SELECT * FROM users WHERE username = 'admin' /*' and password = 'foobar'
So we supplied this information:
- As username: admin' /*
- As password: foobar (whatever we want..)
The query is true because admin is the right username, and with the
' /* ' symbol we commented out the rest of the SQL statement (the password check).
Here below is a funny (but real) example:
$sql = "SELECT permissions, username FROM $prefix"."auth WHERE
username = '" . $_POST['username'] . "' AND password = MD5('".$_POST['wordpass']."');";
$query = mysql_query($sql, $conn);
The variables passed via the POST method are not sanitized before being used,
so an attacker can inject SQL code to gain access to the application.
This is a simple attack, but it has a very critical impact.
-------------------------------------------------------------------------------[/]
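To see the bypass the quoted section describes actually happen, here is an added example that is not from the book the post quotes: a Python script that rebuilds the PHP snippet's query by string concatenation against an in-memory SQLite database, registers a user-defined MD5() so the query text is identical to the PHP one, and puts the parameterized version beside it. The auth table, its two rows and the MD5 registration are constructed for this demo and are assumptions, not part of the original.

```python
import hashlib
import sqlite3

# Constructed sample data standing in for the "auth" table of the PHP snippet:
# (username, cleartext password, permissions). The cleartext is only used to
# compute the stored MD5, the same way the PHP code's MD5() does.
SAMPLE_USERS = [
    ("admin", "secret", "admin"),
    ("bob", "hunter2", "user"),
]


def make_db():
    """Build an in-memory SQLite database with an MD5() SQL function registered,
    so the query text can mirror the PHP example exactly (assumed setup)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE auth (username TEXT, password TEXT, permissions TEXT)")
    conn.executemany("INSERT INTO auth VALUES (?, MD5(?), ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """String concatenation exactly as in the PHP snippet: this is the bug.
    Whatever the user typed becomes part of the SQL text."""
    return (
        "SELECT permissions, username FROM auth WHERE username = '"
        + username
        + "' AND password = MD5('"
        + password
        + "')"
    )


def vulnerable_login(conn, username, password):
    """Return (permissions, username) on success, None otherwise.
    With username = "admin' /*" the password check is commented away."""
    return conn.execute(build_vulnerable_sql(username, password)).fetchone()


def safe_login(conn, username, password):
    """Same query with bound parameters: the driver passes the values to the
    engine separately from the SQL text, so quotes and comment markers
    inside them are data, never syntax."""
    sql = "SELECT permissions, username FROM auth WHERE username = ? AND password = MD5(?)"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("admin", "secret"), ("admin", "wrong"), ("admin' /*", "foobar")]:
        print(build_vulnerable_sql(user, pw))
        print("  vulnerable:", vulnerable_login(conn, user, pw))
        print("  safe      :", safe_login(conn, user, pw))
```

SQLite accepts a `/*` comment that runs to the end of the input, which is why the payload from the text works unchanged here; whether other engines and versions accept an unterminated block comment varies, so `-- ` (with the trailing space MySQL requires) or MySQL's `#` are the other usual ways to cut the statement short. The PHP `mysql_*` extension in the quoted snippet was removed in PHP 7; with mysqli or PDO the fix is the same as in `safe_login`: a prepared statement with bound parameters instead of string concatenation.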