[ALUG] Security nightmares in TZ: Part one SQL injection

Andreas Tauscher ta at geuka.net
Tue Feb 4 20:46:30 EAT 2014


Am 04.02.2014 13:48, schrieb yahaya abdallah:

> Thanks for sharing this, but still it is not easy to get in. Check the
> script below.

> will mean you are assigning the value of $row['username'] to the
> $_POST['username'] variable and not comparing, hence $login will be
> assigned 1 (bad usage of the if() statement). But if you change '=' into
> '==' it will compare the username supplied from the form with the one from the
> database, where it will always be invalid, since the query returned
> true with an empty username because there is no such username in the database. So
> for me such a type of SQL injection won't work.

It will work!
The unverified content of $_POST is used as a parameter for your
query. You give the attacker full access to your database.
It does not matter if you now encode the password in MD5. Which other
statements could I inject with the username to make the query true?
Might it be possible to inject an UPDATE statement? Might I manipulate
the SQL server's error handling? Or what about injecting a trigger or a
stored procedure? Funny things you can do with this.
I think you can answer at least one of these ideas with yes. Your server
is mine. I can execute any command I want. Any "protection" is useless
crap without verifying that the input is valid.
Never trust any input!

BTW: For storing passwords you should not use MD5. MD5 has been suspected to
be broken since 1996, and in 2004 it was proved that MD5 is not collision free.
And in 2012 the FLAME malware could infect computers because M$ was
still using MD5, which since 2008 had been banned as cryptographically broken and
unsuitable for further use, for signing updates.
You might as well save it in plain text instead.
How much is a few hours of cloud service at Amazon or others? Cheap. Enough
CPU power to check trillions of MD5 hashes per second. Or what about a
small home-brew FPGA cracker? Also cheap. The GPU on a $50 VGA adapter
is also doing it faster than any CPU you have available.
The best way to store passwords is bcrypt. sha256 or sha512 with salt is
also acceptable.

Andreas
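An added example, not part of the thread or anyone's posted script, showing the two points Andreas makes side by side against an in-memory SQLite database: a login that splices the form fields into the SQL text (like the $_POST usage under discussion) next to one that binds them as parameters and checks a salted SHA-256 digest in constant time. The table layout, account names, passwords and the crafted username are all constructed for the demo; bcrypt, the list's preferred choice, needs a third-party package, so the stored digests here use the "acceptable" salted SHA-256 option instead.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo accounts: {username: password}. Not real data.
DEMO_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}


def md5_hex(password: str) -> str:
    # Unsalted MD5, as in the script under discussion; kept only to model the legacy table.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    # Salted SHA-256, the list's "acceptable" option (bcrypt is preferred but not in the stdlib).
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def setup_db(users: dict = DEMO_USERS) -> sqlite3.Connection:
    """Build an in-memory database with a legacy MD5 table and a salted table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT PRIMARY KEY, pw_md5 TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest TEXT)")
    for name, pw in users.items():
        salt = os.urandom(16)  # fresh random salt per account
        conn.execute("INSERT INTO legacy_users VALUES (?, ?)", (name, md5_hex(pw)))
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, salted_sha256(pw, salt)))
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the thread criticizes: form fields concatenated into the SQL text.
    Like the script's $login = 1, login succeeds if the query returns any row at all."""
    sql = (f"SELECT 1 FROM legacy_users WHERE username = '{username}' "
           f"AND pw_md5 = '{md5_hex(password)}'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup, then a constant-time comparison of the salted digest.
    Whatever the username contains, it is bound as a value and never parsed as SQL."""
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, salted_sha256(password, salt))


def demo() -> dict:
    """Run both logins with a real account, a wrong password, and a username that
    carries SQL syntax (the 'make the query true' case Andreas describes)."""
    conn = setup_db()
    crafted = "' OR 1=1 --"  # constructed input: closes the quote, adds a tautology, comments out the rest
    return {
        "unsafe_good_login": login_unsafe(conn, "alice", DEMO_USERS["alice"]),
        "unsafe_wrong_password": login_unsafe(conn, "alice", "nope"),
        "unsafe_crafted_username": login_unsafe(conn, crafted, "nope"),  # True: no such account, logged in anyway
        "safe_good_login": login_safe(conn, "alice", DEMO_USERS["alice"]),
        "safe_wrong_password": login_safe(conn, "alice", "nope"),
        "safe_crafted_username": login_safe(conn, crafted, "nope"),  # False: the text is just an unknown name
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:26s} -> {'login ok' if ok else 'rejected'}")
```

The unsafe path fails for the reason given in the reply: the password check never runs, because the username has already rewritten the WHERE clause before the database sees it. Binding with `?` fixes that regardless of how the password is stored; the per-user salt and `hmac.compare_digest` address the separate MD5 point.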
