Hand-logged SQL injection and bypass background login verification

Source: Internet
Author: User
Tags: sql injection, table name

Let's get straight to the point. The topic is bypassing back-end login verification to get directly into a website's management system. Most readers will immediately think of the classic universal password, or=or; the technique shared today is in the same family, but the method is more unusual.

Before discussing that technique, let's briefly review the principle behind the classic or=or trick (plenty of material on it can be found online). The usual way a back end handles login is to check the user name and password entered on the login form against the records in the database: the program requires that the submitted account name and password equal those of some record, and if the check passes it gives the user a session and lets them into the back end; otherwise it returns them to the login page. For the or=or vulnerability, look at the following code:

The code is as follows:

<%
pwd = Request.Form("pwd")      ' get the password entered by the user and assign it to pwd
name = Request.Form("name")    ' get the user name entered by the user and assign it to name
' no filtering of any kind is applied to either value
Set conn = Server.CreateObject("ADODB.Connection")
' build the query by splicing the user name and the encrypted password straight into the SQL text
sql = "SELECT * FROM Manage_user WHERE username='" & name & "' AND password='" & encrypt(pwd) & "'"
Set rs = conn.Execute(sql)     ' run the statement; rs holds the result set
If Not rs.EOF Then             ' a matching record exists: validation passed
    Session("Name") = rs("UserName")   ' store the UserName field in a session variable
    Session("pwd") = rs("PassWord")    ' store the PassWord field in a session variable
    Response.Redirect("manage.asp")    ' send the user into the back end
Else                           ' otherwise send the user back to the login page
    Response.Redirect "loginsb.asp?msg=You entered the wrong account name or password, please try again!"
End If
%>

This is a typical example of the or=or vulnerability. For the code above, we only need to submit or=or as the user name, which turns the SQL statement into: SELECT * from Manage_user where username=' or '=or and PassWord=123456. After execution the rs object result is true, and we walk straight into the back end.

To avoid this vulnerability, basic back-end validation today no longer uses that approach. Instead, it takes the account name and password the user entered, first compares only the user name against the records in the database in SQL, and if some record's user name equals the entered one, it takes the password out of that record and compares it with the password the user entered: if they match, the user passes; if not, the login is rejected. For example:

The code is as follows:

<%
pwd = Request.Form("pwd")      ' get the password entered by the user and assign it to pwd
name = Request.Form("name")    ' get the user name entered by the user and assign it to name
' no filtering of any kind is applied
Set conn = Server.CreateObject("ADODB.Connection")
sql = "SELECT * FROM Manage_user WHERE username='" & name & "'"   ' only the user name goes into the query
Set rs = conn.Execute(sql)     ' run the statement; rs holds the result set
If Not rs.EOF Then                     ' a record with that user name exists
    password = rs("password")          ' take the stored password out of the record
    If password = MD5(pwd) Then        ' compare it with the hash of what the user typed
        Session("Name") = rs("UserName")   ' store the UserName field in a session variable
        Session("pwd") = rs("PassWord")    ' store the PassWord field in a session variable
        Response.Redirect("manage.asp")    ' send the user into the back end
    Else
        Response.Write "Password error!"
    End If
Else                                   ' otherwise send the user back to the login page
    Response.Redirect "loginsb.asp?msg=You entered the wrong account name or password, please try again!"
End If
%>


From the example above you can see that the password is no longer verified inside the SQL statement; instead the corresponding password is fetched according to the user name and then compared with the user's input. This makes it impossible to bypass with or=or. Some readers may wonder: if we submit or=or, the SQL statement becomes:

SELECT * from Manage_user where username=or=or

The result should still be true, so why can't it be bypassed?

In fact, even though the WHERE clause of the SQL query evaluates to true, do not forget the password check that follows. If we submit the SQL above, the account lookup returns true, but the program then takes the password out of the database record and compares it with the password we submitted, and that comparison will certainly not pass.

That concludes the analysis of the or=or vulnerability. The above is my personal understanding of the flaw and is not necessarily completely correct; if anything is improper, I welcome your advice. Now for the main event.

Yesterday, while helping a friend take a look at something, I ran into a site on the same server. At first I was looking for injection; later I pulled the program package down from the server and studied it, and after two hours of analysis and testing I was finally able to bypass the system's back-end login verification. Combined with the program code, I will explain the whole analysis process to you in detail.

The program is a small foreign shopping-mall system. While probing it I built a keyword for a Google search and found that many sites run it, which is why I decided to study it further. Foreign programmers, however, have habits that differ quite a lot from domestic ones: foreign directory layouts and program structures are often very deep, which led me around by the nose while analysing the source code...

I first looked at injection in the front end, but after opening the database and looking at the management password I gave up on front-end injection, because the management password could not be cracked; even if I found an injection point it would be of no use. So the program's fatal weakness had to be found in the web back end or in an upload page that needs no verification, and it turned out that every upload requires back-end verification. The only way forward is to break the back-end login.

First, let's look at the code for the back-end login page (login.asp):

The code is as follows:

<%
If Request.Form("Submit") = "Login" Then
    If Trim(Request("Yanzheng")) = Session("Validcode") Then       ' verification-code check
        If Dologin(Request.Form("loginID"), Request.Form("Password")) = 1 Then
            Response.Redirect("index.asp")
        End If
    Else
        Response.Redirect("Login.asp?p=login")
    End If
End If
%>


From the code above, Login.asp verifies the login by handing the account name and password the user entered to the Dologin function. If validation succeeds, Dologin returns 1 and the user is taken into the back end; any other value redirects to the login page. Now let's look at the contents of the Dologin function.

The code is as follows:

<%
Private Function Dologin(login, pass)
    Set rslogin = Server.CreateObject("ADODB.Recordset")
    rslogin.CursorType = 3
    ' the user-supplied login name is spliced straight into the query text
    strSQL = "SELECT admin_id, admin_salt, admin_password FROM admin_users WHERE admin_login='" & login & "'"
    rslogin.Open strSQL, ADOcon
    Response.Write strSQL          ' debug output of the query that was built
    If Not rslogin.EOF Then
        correctpass = rslogin("admin_password")                ' stored hash taken from the query result
        controlpass = Hashencode(pass & rslogin("admin_salt")) ' hash of the submitted password plus the stored salt
        If correctpass = controlpass Then
            Dologin = 1
            Session("admin_user_id") = rslogin("admin_id")
            Session("session_id") = Session.SessionID
            Session("order_flag") = 1
        Else
            Dologin = 0
        End If
    Else
        Dologin = 0
    End If
    rslogin.Close
    Set rslogin = Nothing
End Function
%>


In Private Function Dologin(login, pass), login and pass are Request.Form("loginID") and Request.Form("Password") from login.asp above. From the code we can see that the account name and password the user entered are passed on without any filtering, with the account name going straight into the SQL query; the verification after the query is similar to the second method described earlier.
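To make the two points above concrete (the lookup-then-compare check that defeats or=or, and the unfiltered name in Dologin's query), here is an added example that is not part of the original post or the mall system's code. It uses a constructed in-memory SQLite table with the four admin_users columns, assumes a SHA-256 stand-in for the unknown Hashencode(), and sets the page's string-spliced lookup beside a parameterized one.

```python
import hashlib
import hmac
import sqlite3

# Constructed sample data (not from the page): one admin row in an
# admin_users table with the same four columns the article describes.
SALT = "s4lt"


def hashencode(text):
    # Stand-in for the page's Hashencode(); the real function is unknown,
    # so a SHA-256 hex digest is assumed here.
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin_users (admin_id INTEGER, admin_login TEXT, "
               "admin_salt TEXT, admin_password TEXT)")
    db.execute("INSERT INTO admin_users VALUES (1, 'admin', ?, ?)",
               (SALT, hashencode("secret" + SALT)))
    return db


def find_admin_concat(db, login):
    # The page's pattern: the login name is spliced into the SQL text, so the
    # WHERE clause itself can be rewritten by whoever fills in the form.
    sql = ("SELECT admin_id, admin_salt, admin_password FROM admin_users "
           "WHERE admin_login='" + login + "'")
    return db.execute(sql).fetchone()


def find_admin_param(db, login):
    # Hardened form: a bound parameter is always data, never SQL syntax.
    sql = ("SELECT admin_id, admin_salt, admin_password FROM admin_users "
           "WHERE admin_login=?")
    return db.execute(sql, (login,)).fetchone()


def dologin(db, login, password, finder):
    # Mirrors Dologin(): look the row up by name, then compare salted hashes.
    row = finder(db, login)
    if row is None:
        return 0
    _admin_id, salt, correct = row
    control = hashencode(password + salt)
    # Constant-time comparison instead of the page's plain string equality.
    return 1 if hmac.compare_digest(correct, control) else 0
```

The spliced lookup lets an or=or style name match the admin row, yet dologin still returns 0 because the hash taken from that row does not match a guessed password; the parameterized lookup never matches such a name at all.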

Now we know that the account name and password the user entered are not filtered (this is very important). We also need to know the structure of the administrator table. I'll give a screenshot here: the administrator table is named admin_users, and its structure is shown in the figure below:

[Screenshot: structure of the admin_users table (image not preserved on this page)]

You can see that the administrator table has four fields: the ID number, the user name, the salt and the password, with the password in the fourth column. With this information we can start constructing SQL statements to bypass the back-end login.

From the analysis of the login verification code, the whole verification process can be summarized as: the verification function takes the account name and password the user entered, then queries the administrator table for a record whose user name equals the entered one; if such a record exists, it takes the password out of that record and compares it with the password the user entered (after encrypting it), and if that comparison succeeds, the user passes the back-end verification.

Our strategy for breaking through is to submit an SQL statement that makes the program's query for a record whose user name equals the entered one return true, so that the program goes on to the password check, and at the same time makes the program obtain a password ciphertext from that query; that would pass the verification.

Making the user-name query return true is easy, but making the program obtain a password ciphertext at the same time, in a single step, seemed hard to me. There is a way, however, and I'll post it directly here. I learned this method from Nature brother, and I really admire whoever came up with it.
