Comment from Slashdot
Posted by Anonymous on 2004-10-07 13:57:48
This is interesting:
What's next: "The cat catches mice" "The pope is catholic" "There were no weapons of mass destruction in Iraq" "Water wets"?
I have news for you: 1 password-protected ASP application out of 3 can be accessed using the username ' or ''='' or ''=' and the empty password (the first and last single quote are part of the username).
Reason: SQL injection.
Supposedly these apps verify the password via a construct equivalent to the following (pseudo-syntax, I don't know enough VB to write real code):
answer = query_execute("SELECT account_id FROM users WHERE username='" + username + "' AND password='" + password + "'");
Yes, they use string concatenation to build the query, rather than using wildcards (bind variables)! Not sure ASP even supports wildcards...
What happens with the magic username above, is that a query such as the following is executed against the database:
SELECT account_id FROM users WHERE username='' or ''='' or ''='' AND password=''
(the part of the query coming from the user-entered data is bold, the rest is what came from the program). This is a query that matches for all rows, so you'll usually get connected using the credentials from the first account in the table (often administrator, he!). Try it out! Go to google, search for login asp username password [google.com] and pick one of the sites from "the middle of the stack" (i.e. not from the first few pages returned, because those are mostly either ASP tutorials, or the rare "secure" ASP sites). Saying username and password in another language (Benutzername/Passwort) helps too as you'll get a "fresher" less overfished list ;-)
If the simplistic approach doesn't work, try entering a lone single quote as the username and/or password. You'll often get an error message that shows you part of the query used, and from there you can find how to word your username so that you still get access. For instance, some sites do not use the password in the WHERE clause, but instead return it. In that case, use something such as the following as your username, and zozo as the password:
' union select 0,'zozo' from users where ''='
The query obviously needs some tweaking, as the number of columns, position of password in select clause, and names of table obviously vary among sites. But fortunately, error messages are often verbose enough that with a little bit of trial and error you can figure out a "magic" username that opens the door to the kingdom.
If you are a site administrator whose app is vulnerable: rewriting your app is indeed a solution... preferably in PHP!
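As an added illustration (not part of the original comment), here is the concatenated login query from above beside the bind-variable version the comment recommends, both run against a constructed in-memory SQLite table. The function names `login_concat` and `login_bound` and the sample accounts are assumptions of this example, not anything from the original post.

```python
import sqlite3

# Constructed sample data: the first row is an administrator, mirroring the
# "first account in the table" behaviour described in the comment.
USERS = [(1, "admin", "s3cret-admin"), (2, "bob", "hunter2")]

# The username quoted in the comment; the outer quotes are part of the value.
MAGIC_USERNAME = "' or ''='' or ''='"


def make_db():
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account_id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the SQL text is built by string concatenation, so quote
    characters in the input change the structure of the statement."""
    sql = ("SELECT account_id FROM users WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_bound(conn, username, password):
    """Fixed: the same query with bind variables. The driver passes the input
    as data, so a quote is just another character inside the string."""
    sql = "SELECT account_id FROM users WHERE username=? AND password=?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    # Concatenation: every row matches, the first account (admin) is returned.
    print(login_concat(conn, MAGIC_USERNAME, ""))
    # Bind variables: no such username, so no account is returned.
    print(login_bound(conn, MAGIC_USERNAME, ""))
    # Legitimate credentials still work with the bound version.
    print(login_bound(conn, "bob", "hunter2"))
```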