Cookie Poisoning

A basic introduction to cookie poisoning



One of the major mistakes web masters make is assuming that all the data they set stays the same. The data in question usually looks harmless to them, such as cookies and hidden form fields.

To start with, I am going to show how the web master sets his data in his vulnerable CMS.

He begins with a form:

[username] Username
[********] Password
[Button] Submit button

Once the form is submitted, the backend PHP which receives the $_POST is as follows.

<?php
// Login handler (uses the old mysql_* extension, which was removed in PHP 7)
if (isset($_POST['user']) && isset($_POST['pass'])) {
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    // <Database connection>

    // mysql_real_escape_string stops SQL Injection
    $query = mysql_query("SELECT * FROM `usertbl` WHERE `user` = '" . mysql_real_escape_string($user) . "' AND `pass` = '" . mysql_real_escape_string($pass) . "'");

    if ($query !== false) {
        $num_rows = mysql_num_rows($query);
        if ($num_rows >= 1) {
            // the cookie header must be sent before any output
            setcookie("UID", $user . ":" . $pass, time() + 7200);
            echo "Username accepted";
        } else {
            echo "Username Incorrect";
        }
    } else {
        echo "MySQL Error";
    }
} else {
    echo "<FORM Details>";
}
?>

Right, so now we have checked the database for the username and password and set the cookie.
Presuming our attacker's username and password are correct, the cookie will be something like the following:

UID = "tom:password123".

Later on our attacker visits a protected page and his cookie is checked with this code.

<?php
if (isset($_COOKIE['UID'])) {
    $cookie = $_COOKIE['UID'];
    $cookies = explode(":", $cookie);

    // <Database connection>

    // $cookies[0] is the first part of $cookie, i.e. the user; $cookies[1] is the pass
    // Notice here the webmaster forgot to prevent SQL Injection: the cookie
    // parts go straight into the query without mysql_real_escape_string
    $query = mysql_query("SELECT * FROM `usertbl` WHERE `user` = '" . $cookies[0] . "' AND `pass` = '" . $cookies[1] . "'");

    if ($query !== false) {
        $num_rows = mysql_num_rows($query);
        if ($num_rows >= 1) {
            viewPage(); // show the protected content
        }
    }
}
?>

Now, if the cookie is left unchanged the SQL query is safe, because the values in it were already validated at login. However, if the attacker edits the cookie in his browser, the modified value reaches the query unescaped and can be used exactly like a basic SQL injection through a form field.

Right, now we have seen how basic cookie poisoning works with SQL injection. The same principle applies to the other major web vulnerabilities: a cookie is client-supplied data just like a form field and must be treated as untrusted every time it is read.
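A hardened version of the login and cookie check, added here as an example and not the article's code: the cookie carries a random opaque token instead of "user:pass", and every lookup binds the cookie value as a prepared-statement parameter. It assumes a PDO connection in $pdo and a constructed table sessions(token, uid, expires).

```php
<?php
// Added example (not the article's code). Assumes a PDO connection in $pdo and
// a constructed table: sessions(token CHAR(64), uid INT, expires INT).

// Called after the username/password have been verified: issue a random token,
// store it server-side and hand only the token to the browser.
function issueSession(PDO $pdo, int $uid): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $pdo->prepare("INSERT INTO `sessions` (`token`, `uid`, `expires`) VALUES (?, ?, ?)");
    $stmt->execute([$token, $uid, time() + 7200]);
    // HttpOnly keeps page scripts from reading it; Secure keeps it off plain HTTP
    setcookie("UID", $token, [
        'expires'  => time() + 7200,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Called on every protected page: returns the user id for a valid, unexpired
// token, or null. A tampered cookie can only fail the lookup, never change the query.
function currentUser(PDO $pdo): ?int {
    if (!isset($_COOKIE['UID'])) {
        return null;
    }
    $token = $_COOKIE['UID'];
    // Reject anything that is not a 64-character hex string before touching the DB
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    // The cookie value is bound as a parameter, never concatenated into the SQL
    $stmt = $pdo->prepare("SELECT `uid` FROM `sessions` WHERE `token` = ? AND `expires` > ?");
    $stmt->execute([$token, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['uid'];
}
?>
```

The array form of setcookie() needs PHP 7.3 or later; on older versions the same flags are passed as positional arguments.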

Comments

tolchocker on August 02 2006 - 14:17:01
what? no chocolate chips? :wow:
The_Cell on August 02 2006 - 17:53:35
Nice article. This proves yet again how important it is to consider all data not filtered as tainted.
minermonk on August 02 2006 - 22:01:23
because of this i learned something, therefore it fulfils its purpose :grin: good article mozzer
mozzer on August 03 2006 - 07:58:01
Cheers, every webmaster should take something from this
chislam on August 03 2006 - 18:57:00
Yes, good article, you always gotta be sure you are filtering every possible string.
el3v3nty on August 04 2006 - 06:09:26
Man this is good stuff. :wink: for some reason i wasn't even thinking about it like that :whoa: I know that is a security vulnerability i would've let slide by :angry: but now.. now i feel like i can do so much more :evil: oh yeaah that's right good stuff man, real good stuff
ranma on September 22 2006 - 01:59:52
That is sweet! I wonder how many sites have that vulnerability? :grin:
thk-h3x on June 08 2007 - 15:55:31
Too many. :ninja:
a240 on March 09 2008 - 23:29:53
Good article, you should make more.
sam207 on September 23 2008 - 08:16:06
It's so sweet, nice & well written.. Thanks mozzer.
styloverte116 on February 17 2009 - 22:36:23
ok so.... i'm doing basic challenge 20, and i can't quite figure this out. after looking at this article (well written btw) i thought i knew how to do it. but whatever i tried, i couldn't figure anything out. can i pm someone?
stealth- on December 04 2009 - 02:09:36
Amazing article for basic 20, well written and doesn't give too much away. We need more articles like this!
Shazrah on April 06 2010 - 14:31:45
awesome article, really explains things without making it like hello skiddie take this and paste there. :love::love: very well written ty