Authorization Bypass Part - 4

Authorization Bypass is a frighteningly simple process which can be employed against poorly designed applications or content management frameworks. You know how it is... you run a small university and you want to give the undergraduate students something to do. So they build a content management framework for the Mickey Bags research department. Trouble is that this local portal is connected to other, more important campus databases. Next thing you know, there goes the farm.

Authorization bypass, to gain access to the Admin backend, can be as simple as this:

  • Find weak target login page.
  • View source. Copy to notepad.
  • Delete the authorization javascript, amend a link or two.
  • Save to desktop.
  • Open on desktop. Enter anything into login fields, press enter.
  • Hey Presto.
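The bypass in the list above only works because the "authorization javascript" runs in the attacker's browser, where it can be deleted. The following is an added example, not code from the original post, showing the weak pattern beside the server-side check that defeats it: the decision is made from a session store the client cannot edit, so a saved-and-modified copy of the page (or a forged form field) changes nothing. The names SESSIONS, create_session, handle_admin_request and weak_handle_admin_request are assumptions made for this demo.

```python
import secrets

# Server-side session store: opaque token -> user record.  In a real deployment
# this lives in a database or cache; it is never sent to the browser, so nothing
# the client edits in the page can alter it.  (Assumed name for this demo.)
SESSIONS = {}


def create_session(username, role):
    """Issue an unguessable session token after a successful server-side login."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "role": role}
    return token


def weak_handle_admin_request(request):
    """The pattern the post describes: the server trusts a value that the page's
    JavaScript was supposed to set.  Deleting the JavaScript and submitting the
    form with is_admin=1 is enough to get in."""
    if request.get("form", {}).get("is_admin") == "1":
        return 200, "admin panel (client-asserted)"
    return 403, "forbidden"


def handle_admin_request(request):
    """Hardened handler: `request` is a dict modelled on an HTTP request with
    'cookies' and 'form'.  Only the server-held session decides; hidden inputs,
    query strings and client-side scripts have no influence."""
    token = request.get("cookies", {}).get("session")
    session = SESSIONS.get(token) if token else None
    if session is None:
        return 401, "login required"          # no valid session: authenticate first
    if session["role"] != "admin":
        return 403, "forbidden"               # authenticated, but not authorized
    return 200, f"admin panel for {session['user']}"


if __name__ == "__main__":
    # Constructed demo: a normal user forges the is_admin field.
    user_token = create_session("alice", "user")
    forged = {"cookies": {"session": user_token}, "form": {"is_admin": "1"}}
    print("weak handler  :", weak_handle_admin_request(forged))   # lets the forgery through
    print("server check  :", handle_admin_request(forged))        # 403, role comes from SESSIONS
```

The point for a defender is that every request to an admin URL must re-derive the caller's role from server state; a check that exists only in page JavaScript is a usability feature, not a security control.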

Here's a great video of a White Hat going through the authorization-bypass process on YouTube. This was done against a small university's website. It's a two-minute process. Note that he gets into the User 1 account, which is not the Admin account in this case. Is Admin User 1 on your User table?

Google Hacking - Part 3

This is by far the easiest hack of all. It really is extraordinary what you can find in Google's index. And here's Newsflash #1: you can find a wealth of actual usernames and passwords using search strings.

Copy and paste these into Google:

inurl:passlist.txt
inurl:passwd.txt

...and this one is just priceless...
"login: *" "password= *" filetype:xls

Such strings return very random results, and are of little use for targeted attacks. Google hacking will primarily be used for finding sites with vulnerabilities. If a hacker knows that, say, SQL Server 2000 has certain exploits, and knows a unique string pushed out by that version in results, he can home in on vulnerable websites.

For specific targets Google can return some exceptionally useful information: full server configurations, database details (so a good hacker knows what kind of injections might work), and so forth. You can find any amount of SQL database dumps as well (fooling around with a Google hack while preparing this article, I stumbled across a dump for a top-tier CMS developer's website). And a vast amount more besides.
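Everything Google indexes was served by the site first, so the defender's version of this section is an audit of the document root for the same file names and contents those search strings look for. The following is an added example, not code from the original post; scan_webroot, build_sample_webroot, the regexes and the constructed sample files are all assumptions made for this demo.

```python
import os
import re
import tempfile

# File names that queries such as inurl:passlist.txt / inurl:passwd.txt look for.
SENSITIVE_NAMES = re.compile(r"(passlist|passwd|password|users?)\.(txt|xls|csv|sql)$", re.I)
# Content markers behind the "login: *" "password= *" style of query.
SENSITIVE_CONTENT = re.compile(rb"(login|username|password)\s*[:=]", re.I)
# Extensions worth opening; binary images etc. are skipped.
TEXTUAL_EXTENSIONS = (".txt", ".xls", ".csv", ".sql", ".bak", ".log")


def scan_webroot(root):
    """Walk a document root and return (relative_path, reason) pairs for files
    that would show up in credential-hunting searches if the site were crawled."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if SENSITIVE_NAMES.search(name):
                findings.append((rel, "sensitive filename"))
                continue
            if name.lower().endswith(TEXTUAL_EXTENSIONS):
                with open(path, "rb") as f:
                    head = f.read(65536)          # first 64 KiB is enough to spot a dump
                if SENSITIVE_CONTENT.search(head):
                    findings.append((rel, "credential-like content"))
    return sorted(findings)


def build_sample_webroot():
    """Constructed sample tree (not a real site) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": b"<html><body>Welcome</body></html>",
        "notes.txt": b"Meeting notes: room 4, 10am",
        "admin/passlist.txt": b"bob:hunter2\n",                 # sensitive by name
        "export/staff.xls": b"login: bob\tpassword= hunter2\n",  # sensitive by content
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{reason:24s} {rel}")
```

Run it against a real document root (or a fresh checkout of the site) as part of deployment: anything it flags should be moved out of the web root or access-controlled, not merely hidden with robots.txt, since robots.txt is advisory and the file is still retrievable by anyone who guesses the path.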

SQL Injection in the Browser Address Bar - Part 2


Injections can also be performed via the browser address bar. I don't mean to have a pop at Microsoft, but when it comes to such vulnerabilities, HTTP GET requests with URLs of the following form are most often held to be vulnerable:

http://somesite.com/index.asp?id=10

Try adding an SQL command to the end of a URL string like this, just for kicks:

http://somesite.com/index.asp?id=10 AND id=11

See if both articles come up. Don't shoot your webmaster just yet if it's your own site and you get two articles popping up: this is real low-level access to the database. But some such sites will be vulnerable. Try adding some other simple SQL commands to the end of URLs from your own site, to see what happens.

As we saw above, access to the database raises a number of interesting possibilities. The database structure can be mapped by a skilled hacker through ill-conceived visibility of error messages (this is called database footprinting), and then this knowledge of table names and so forth can be used to gain access to additional data. Revealing error messages are manna: they can carry invaluable table name and structural details.

The following illustrative string is from Imperva.

http://www.mydomain.com/products/products.asp?productid=123 UNION SELECT username, password FROM USERS

How websites are being hacked - Part 1

SQL Injection

SQL Injection involves entering SQL code into web forms, e.g. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.

When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.

The Simple SQL Injection Hack

In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.

Suppose we enter the following string in a Username field:

' OR 1=1 --

The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:

SELECT * FROM users WHERE username = 'USRTEXT'
AND password = 'PASSTEXT'

...where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.

So entering ' OR 1=1 -- as your username could result in the following actually being run:

SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''

Two things you need to know about this:

  • ['] closes the [username] text field.
  • '--' is the SQL convention for commenting code, and everything after the comment is ignored. So the actual routine now becomes:

SELECT * FROM users WHERE username = '' OR 1=1

1 is always equal to 1, last time I checked. So the authorization routine is now validated.

username field examples:

  • admin'--
  • ') or ('a'='a
  • ") or ("a"="a
  • hi" or "a"="a

... and so on.
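Both the address-bar injection (the id=10 AND id=11 URL in the previous section) and the ' OR 1=1 -- login above come from the same defect: the user's text is pasted into the SQL string. The following is an added example, not code from the original post, that runs both attacks against an in-memory SQLite database with the post's own table names, then shows the fix: parameterised queries, integer validation of the id, and a generic error instead of the revealing one that database footprinting feeds on. Function names and the sample rows are assumptions made for this demo; passwords are stored in clear text only to mirror the post's query, never do that in a real application.

```python
import sqlite3


def make_db():
    """Constructed sample database matching the post's 'users' and article tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 's3cret'), ('alice', 'wonderland');
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (10, 'Ten'), (11, 'Eleven'), (12, 'Twelve');
    """)
    return conn


# ---- the defect the post describes: USRTEXT / PASSTEXT pasted into the SQL ----

def vulnerable_login(conn, usrtext, passtext):
    sql = f"SELECT * FROM users WHERE username = '{usrtext}' AND password = '{passtext}'"
    return conn.execute(sql).fetchall()       # ' OR 1=1 -- returns every user row


def vulnerable_article(conn, id_param):
    """index.asp?id=... handler that also echoes the database error to the
    client, which is exactly what database footprinting relies on."""
    sql = f"SELECT id, title FROM articles WHERE id={id_param}"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as e:
        return f"Database error: {e}"         # leaks parser/schema details


# ---- the fix: bind parameters, validate types, keep errors generic ----

def safe_login(conn, usrtext, passtext):
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (usrtext, passtext),                  # values are bound, never parsed as SQL
    ).fetchall()
    return rows


def safe_article(conn, id_param):
    try:
        article_id = int(id_param)            # "10 OR id=11" is rejected here
    except ValueError:
        return None                           # generic failure, nothing echoed
    try:
        return conn.execute(
            "SELECT id, title FROM articles WHERE id = ?", (article_id,)
        ).fetchall()
    except sqlite3.Error:
        return None                           # log server-side; never show the client


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login :", vulnerable_login(conn, "' OR 1=1 --", ""))
    print("safe login       :", safe_login(conn, "' OR 1=1 --", ""))
    # The post's AND form runs but matches nothing; OR shows the injected clause
    # actually changes the result set.
    print("id=10 AND id=11  :", vulnerable_article(conn, "10 AND id=11"))
    print("id=10 OR id=11   :", vulnerable_article(conn, "10 OR id=11"))
    print("id=10'           :", vulnerable_article(conn, "10'"))
    print("safe id=10 OR .. :", safe_article(conn, "10 OR id=11"))
```

The test to run on your own site is the same one the post suggests, but read the result as a defender: if a stray quote in a parameter produces a database error page, or an appended clause changes which rows come back, the handler is concatenating and needs the parameterised form.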

Let's hope you got this.


Group Members

  • Durgesh N. Sharma (Kanpur)
  • Abhishek Kumar (Kanpur)
  • Rajesh Patel (Jhansi, UP, India)
  • Raghvendra Jha (Farrukhabad, India)
  • Himanshu Sharma (Kanpur, India)
