This is SQLi. easy to guess. Which field is vulnerable : username.
But the tricky part is how to exploit it.
If you disect the code, you would notice that SQL statement should always return one single word. Otherwise comparison will anyway fail in PHP code.
What next ?
What do you think will happen if I input :
" or 1=1;--
Think first !!
.
.
.
.
.
.
This will make SQL return entire password column.
Inturn, PHP check will fail at line #2.
So, you have to make SQL statement return 1 single word, and that should be password which u can match.
If you want to achieve that, you can not use, generic 1=1 payload.
If you know In SQL there are UNIONS right ? Can we use them ?
Can we use UNION to dump the password which can match the check in PHP ?
I think yes !!
Go on !!
Slight detour, in SQL you can dump whatever you want. You know there is DUAL table ? A dummy table.
SELECT 'sec_r0' from DUAL;
This will dump a single value `sec_r0` in the output.
.
.
.
.
.
Can we use something like this to dump password of our own wish?
Lets see the modified SQL query with UNION stmts
" or 1=1 UNION (SELECT 'sec_r0' from DUAL) ; --
What do you think this would do ?
.
.
.
.
THINK
.
.
.
.
This will dump the entire password col with last value of our own wish, right ?
But we don't want the password col !!
If we dont want password col, can we remove the results of previous table of UNION completely ?
<table1> UNION <table2>
where
table1 output is coming from
SELECT password from USER where username="" or 1=1
and entire table is dumped because of 1=1, what if we negate it?
Yes, that the magic. No see the payload.
" or 1!=1 UNION (SELECT 'sec_r0' from DUAL) ; --
.
.
.
.
THINK
.
.
.
.
This would negate the first table query completely and would only dump 'sec_r0' in output, yes ?
That's the magic of UNION.
Are we done ?
Is this our final exploit ?
.
.
.
.
No
Why ?
Because, PHP is assuming the passwords are stored in MD5. That's why the input password is first MD5ed and then compared.
So guess what would be perfect exploit.
So lets calculate value of MD5 of sec_r0.
MD5(sec_r0) = ccf0d111cd0c1e45708a0aef7b2bcb74
So in payload I would put.
" or 1!=1 UNION (SELECT 'ccf0d111cd0c1e45708a0aef7b2bcb74' from DUAL) ; --
and in input password I would put, sec_r0.
And Bingo.
I will bypass the Auth.
Isnt that amazing ?
Keep this tweet bookmarked. You never know if someone ask you this in an interview.
Also,
If you like the way I explained, consider π the thread.
Also, stay tuned(follow @sec_r0 ) for more such interesting threads.
SOP is browser security model, and I find lot of folks out there, who still dont understand it in and out.
Let me cover it here, in few threads.
Let's Start.
It is a browser security model π₯. Now what does that means ?
It simply means this control is enforced by browser to make user visiting a site more secure from attackers.
Browser creates virtual boundaries to segregate sites and this boundary is identified with ORIGINS.
Header
β
Summary
β
Work Exp
β
A Section for Books, Patents, Blogs, OSS, Certs Etc
β
Your Skill relevant to job you are applying.
β
Awards & Recognition
β
Educational Qualifications (Last thing I care for)
β
Who are you out of work.
πͺHeader Section. Keep it short, keep it clear. This is a hook.
Few things to put in header section (Good to have links).
1β£ Links to Certifications.
2β£ Public profiles: github, dev, medium, twitter, linkedin etc
3β£ Info : How to reach you back.
4β£ Your current role title
1/n Using: CE so that everyone can explore.
Intruder in CE is limited in multithreading, Turbo-Intruder can overcome that.
- Install through Extender
- Send req to the plugin.
2/n Once you send req to the plugin, a python editor will open. This will show a couple of existing python scripts to take reference from and to use.