HellBound Hackers | Computer General | Web hacking

Yet another PHP login script, please help
Guest, posted on 24-12-08 18:33
Hello,

I've recently found a PHP login on a site that might be exploitable...
I've looked around and found the source code, but don't really know if this is exploitable...
I found this code snippet:
Code
  <?
  $ok = explode(":",$HTTP_COOKIE_VARS["mcPass"]);
  if(empty($ok[0])){ header ("location:http://$HTTP_HOST/mcPass.php?go=$PHP_SELF"); }
  ?>



and later on, it says:
Code
function PassCookie ($user,$pwd)
{
SetCookie("VALUE", "$user:$pwd");
}




I guess that some cookie exploit is possible?
Any help would be highly appreciated =)

RE: Yet another PHP login script, please help
Guest, posted on 24-12-08 21:36
Unencrypted cookies? I dunno, I need the whole script.

RE: Yet another PHP login script, please help
Guest, posted on 24-12-08 22:10
Good evening and thanks for your quick answer =)
Here is the whole code:

Code
<?

// Configuration MySQL - Set this
$host="";
$login="";
$pass="";
$base="";


// Language - Set this
$lErrLog= "Nom Incorrect";            // "Wrong Login";
$lErrPass= "Mot de Passe Incorrect";  // "Wrong Password";
$lLogin= "Nom";                       // "Login";
$lPass= "Mot de Passe";               // "Password";
$lValider= "Valider";                 // "Submit";

/*

------------------------------------------------------------------------

--------------
-----------------
------------------------------------------------------------------------

-----------------
  <?
  $ok = explode(":",$HTTP_COOKIE_VARS["mcPass"]);
  if(empty($ok[0])){ header ("location:http://$HTTP_HOST/mcPass.php?go=$PHP_SELF"); }
  ?>
------------------------------------------------------------------------

-----------------
------------------------------------------------------------------------

-----------------
 

*/
if(!$go)
{
$connect= mysql_connect($host,$login,$pass);
mysql_select_db($base, $connect);
$result = mysql_list_tables ($base);
  $i = 0;
  while ($i < mysql_num_rows($result)) {
    $tb_names[$i] = mysql_tablename ($result, $i);
    if ($tb_names[$i]=="mcpass_tbl") $table=1;
    $i++;
  }

   if ($table==1)
   {
   $install= 'Running';
   }
}

if((isset($SubInst))&&($b==md5($base)))
{
         $connect= mysql_connect($host,$login,$pass);
         mysql_select_db($base, $connect);
         $query="DROP TABLE IF EXISTS mcpass_tbl;";
         mysql_query($query);
         $query="CREATE TABLE mcpass_tbl (
         user varchar(20) NOT NULL default '',
         pwd varchar(20) NOT NULL default '',
         KEY user (user)
         ) TYPE=MyISAM;";
         mysql_query($query);

         $query="insert into mcpass_tbl values('$user', '$pwd')";
         mysql_query($query, $connect);

         $query="select * from mcpass_tbl";
         $res=mysql_query($query);
         $aff=mysql_fetch_array($res);
}


function mcPassCookie ($user,$pwd)
{
SetCookie("mcPass", "$user:$pwd");
}


         if(isset($submit))
         {
         $connect= mysql_connect($host,$login,$pass);
         mysql_select_db($base, $connect);
         $query="select * from mcpass_tbl where user='$user'";
         $res=mysql_query($query);
         $verif=mysql_fetch_array($res);

                 if($pwd==$verif[pwd] && mysql_num_rows($res)!=0) 
                 {
                 mcPassCookie($user,$pwd);
                 ?>
                 <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
                 document.location.replace("<? echo $go.''; ?>");
                 </script>
                 <?
                 }
                 elseif (mysql_num_rows($res)==0)  $Err1=$lErrLog;
                 else                              $Err2=$lErrPass;
         }

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>mcPass</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META HTTP-EQUIV="Expires" CONTENT="Fri, Jan 01 1900 00:00:00 GMT">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<style type="text/css">
<!--
a:actif {  font-family: Verdana; color: black; text-decoration: none}
a:link {  font-family: Verdana; color: black; text-decoration: none}
a:visited {  font-family: Verdana; color: black; text-decoration: none}
a:hover {  font-family: Verdana; color: white; text-decoration: none}
-->
</style>
</head>
<body bgcolor="#C0C0C0" text="black">
<p align="right"><font face="verdana" size="5" color="black">

 <?
 if((!$go)&&(!$install))   echo ' - Set Up';
 if ((!$go)&&(isset($install)))
 {
 echo ' is running.</font></p><hr>';
 echo '<p align="right"><a href="http://'.$HTTP_HOST.'"><b>OK</b></a></p>';
 echo '</body></html>';
 exit();
 }
 ?>
 </font>
</p><hr>

<form action="mcPass.php" method="get">
  <table align="right">
    <tr>
      <td align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>
      <?
      if(isset($Err1))
      {
      echo '<font color="red" size="2" face="verdana"><b>'.$Err1.'!</b></font>';
      }
      echo $lLogin;
      ?>
       : </b></font>
      </td>
      <td>
      <?
      if (isset($aff[0])) echo '<font color="red" size="2" face="verdana"><b>'.$aff[0].'</b></font>';
      else echo '<input type="text" name="user" value="'.$user.'">';
      ?>
      </td>
    </tr>
    <tr>
      <td align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>
      <?

      if(isset($Err2))
      {
      echo '<font color="red" size="2" face="Verdana"><b>'.$Err2.'!</b></font>';
      }
      echo $lPass;
      ?>
       :</b></font>
      </td>
      <td>
      <?
      if (isset($aff[1])) echo '<font color="red" size="2" face="verdana"><b>'.$aff[1].'</b></font>';
      else echo '<input type="password" name="pwd">';
      ?>
      </td>
    </tr>
    <tr>
      <td>
      </td>
      <td>
        <?
        if((!$go)&&(!$SubInst))
        {
        echo '<input type="submit" name="SubInst" value="'.$lValider.'">';
        echo '<input type="hidden" name="b" value="'.md5($base).'">';
        }
        elseif(isset($SubInst)) echo '<a href="http://'.$HTTP_HOST.'"><b>OK</b></a>';
        else
        {
        echo '<input type="submit" name="submit" value="'.$lValider.'">';
        echo '<input type="hidden" name="go" value="'.$go.'">';
        }
        ?>
      </td>
     </tr>
  </table>

</form>
<br><br><br><br><br><br>
<br><br><br><br><br><br>
<p align="center">
   
</p>
</body>
</html>




Thanks in advance =)

Edited by on 24-12-08 22:11
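The hardened counterpart of the pieces this thread picks apart, written here as an added example rather than code from the mcPass script or from any poster: the login query binds $user as a parameter instead of splicing it into the SQL text, the password is checked against a hash instead of the clear-text pwd column, the mcPass cookie carries user:expiry:HMAC instead of user:password and is verified rather than merely tested for a non-empty first field, the $go redirect target is restricted to a local path, and request inputs are read from an explicit $_POST-style array so nothing depends on register_globals. The SQLite database, the user alice and her password are constructed for the demo, COOKIE_KEY is a placeholder secret, and PHP 7.1 or later with the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not the mcPass script from this thread: hardened versions of the
// login query, the password check, the mcPass cookie and the $go redirect. Runs
// stand-alone against an in-memory SQLite database through PDO (pdo_sqlite assumed);
// the table, the user "alice" and her password are constructed for the demo.
declare(strict_types=1);

const COOKIE_TTL = 3600;
// Placeholder server-side key for signing cookies; load it from configuration in a
// real deployment. Without it nobody can produce a cookie that verifies below.
const COOKIE_KEY = 'example-only-replace-with-32-random-bytes';

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The original table stored pwd in clear text; store a password hash instead.
    $db->exec('CREATE TABLE mcpass_tbl (user TEXT PRIMARY KEY, pwd_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO mcpass_tbl (user, pwd_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

// Replaces: $query="select * from mcpass_tbl where user='$user'" and $pwd==$verif[pwd].
// The user name is a bound parameter, so it never becomes part of the SQL text, and
// the password is compared against a hash with password_verify.
function checkLogin(PDO $db, string $user, string $pwd): bool {
    $stmt = $db->prepare('SELECT pwd_hash FROM mcpass_tbl WHERE user = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pwd, $row['pwd_hash']);
}

// Replaces: SetCookie("mcPass", "$user:$pwd").
// The cookie holds user:expiry:hmac. It never carries the password, and changing the
// user or the expiry invalidates the HMAC. User names may not contain ':' (enforce
// that at registration) so the three fields split unambiguously.
function makeCookieValue(string $user, int $now): string {
    $payload = $user . ':' . ($now + COOKIE_TTL);
    return $payload . ':' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Replaces: $ok = explode(":", $HTTP_COOKIE_VARS["mcPass"]); if(empty($ok[0])) ...
// which accepted any cookie with a non-empty first field. Returns the user name for
// a valid, unexpired cookie and null for anything else.
function userFromCookie(?string $cookie, int $now): ?string {
    if ($cookie === null) {
        return null;
    }
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    if ($user === '' || !ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $expected = hash_hmac('sha256', $user . ':' . $expires, COOKIE_KEY);
    return hash_equals($expected, $mac) ? $user : null;   // constant-time comparison
}

// Replaces: document.location.replace("<? echo $go.''; ?>") with $go taken straight
// from the request. Only a local absolute path (not "//" or "/\") is accepted;
// anything else falls back to "/".
function safeRedirectTarget(?string $go): string {
    return ($go !== null && preg_match('#\A/(?![/\\\\])[\x21-\x7e]*\z#', $go) === 1) ? $go : '/';
}

// Request handling without register_globals: inputs come from an explicit array
// (in a real handler, $_POST), so a query-string parameter cannot set $submit,
// $install or $table the way it can when PHP registers globals.
function handleLogin(PDO $db, array $post, int $now): array {
    $user = (string) ($post['user'] ?? '');
    $pwd  = (string) ($post['pwd'] ?? '');
    if (!checkLogin($db, $user, $pwd)) {
        return ['ok' => false, 'cookie' => null, 'redirect' => null];
    }
    return [
        'ok'       => true,
        'cookie'   => makeCookieValue($user, $now),   // hand to setcookie() with HttpOnly/Secure
        'redirect' => safeRedirectTarget(isset($post['go']) ? (string) $post['go'] : null),
    ];
}

// Demo with constructed requests.
$db  = openDb();
$now = time();
$r = handleLogin($db, ['user' => 'alice', 'pwd' => 'correct horse battery', 'go' => '/admin/'], $now);
echo 'login ok: ', var_export($r['ok'], true), ', redirect: ', $r['redirect'], PHP_EOL;
echo 'user from valid cookie: ', var_export(userFromCookie($r['cookie'], $now), true), PHP_EOL;
echo 'wrong password: ', var_export(handleLogin($db, ['user' => 'alice', 'pwd' => 'nope'], $now)['ok'], true), PHP_EOL;
echo 'cookie with altered user field: ', var_export(userFromCookie('admin:' . ($now + 60) . ':0', $now), true), PHP_EOL;
echo 'expired cookie: ', var_export(userFromCookie($r['cookie'], $now + COOKIE_TTL + 1), true), PHP_EOL;
echo 'off-site go: ', safeRedirectTarget('http://example.invalid/'), PHP_EOL;
```

Run with the php CLI it reports a successful login redirecting to /admin/, alice recovered from her own cookie, and false or null for the wrong password, for a cookie whose user field was changed (the HMAC no longer matches), for the expired cookie, and "/" for an off-site redirect target. In a real handler the cookie value goes to setcookie() with the HttpOnly and Secure flags and the redirect goes to a Location header rather than into an inline script.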

RE: Yet another PHP login script, please help
spyware (Member, rank: God, posts: 4192, location: The Netherlands, joined 14.04.07, warn level: 90), posted on 24-12-08 23:35
moshbat wrote:
At a ten second glance (And I may be wrong), I didn't see any filtering on the queries...


Ctrl+F "function" {
PassCookie (no filtering)
}

Ctrl+F "reg" {
no hits
}

Nope. Nothing.

RE: Yet another PHP login script, please help
Guest, posted on 24-12-08 23:36
That site is either using register_globals, or you're missing something in the source. How did you get it? Is it a live page or an inactive, older version of a live one? Did you leave out includes / some kind of templating / sensitive pieces of code?

Describe, don't compromise. Through all posting, we must keep the very limited forum rules in mind.



RE: Yet another PHP login script, please help
Guest, posted on 24-12-08 23:46
moshbat wrote:
Looks like a pre-built CMS to me. Commenting is a BIG BIG giveaway. I mean, do you ever use comments like that?

Well, no... but, then again, the code is amateurish in nature and somewhat peculiar. I agree that it looks like some sort of package to me but, without the parts that we're not seeing in relation to this one, it's not going to make much sense. Looks like some goofy 0-use login script... at a glance. Pfft



RE: Yet another PHP login script, please help
Guest, posted on 25-12-08 00:11
@Zephyr_Pure: I saw that the login page is called mcpass.php... a bit of googling gave me the same script, called mcPass. It's a very old script and is for sure running on old PHP versions. The only thing I left out is the information about the coder and his comments.
@all: I got the code from http://www.phpfor. . .
The queries aren't filtered, but the server is using mysql_real_escape_string, so no luck there.

P.S.: I can't find out whether register_globals is on or off.

RE: Yet another PHP login script, please help
Guest, posted on 25-12-08 00:29
Oh, and I always thought (through Google articles) that mysql_escape_string was the ultimate solution against SQL injections... thanks, I'm gonna work in that direction.
I also thought that modifying the cookie could bring the same result (aka logging in as admin), but I'm not sure for now; it may also be that I haven't baked the right cookie yet.

RE: Yet another PHP login script, please help
Guest, posted on 25-12-08 10:16
Yeah, I know, but I thought that I could just create a random cookie which the script should accept... dunno if this works though.

RE: Yet another PHP login script, please help
SySTeM (Member, rank: HBH Guru, posts: 1524, location: England, UK, joined 27.07.05), posted on 25-12-08 10:43
mysql_real_escape_string() > mysql_escape_string() > addslashes().

RE: Yet another PHP login script, please help
Guest, posted on 25-12-08 18:41
buddinger wrote:
Oh, and I always thought (through Google articles) that mysql_escape_string was the ultimate solution against SQL injections...

It is merely the best language-provided default function for handling SQL injections. The list of common characters that it escapes is here:

http://us.php.net/mysql_real_escape_string

Ultimately, though, real_escape_string is only one step in securing your queries.
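To make that last point concrete, an added example (not from the thread or from the PHP manual page linked above) showing where an escaping function does and does not help: escaping makes a value safe inside a quoted SQL string literal and nowhere else, so the same escaped value interpolated into an unquoted numeric comparison is still executed as SQL, while a bound parameter with a type never becomes SQL text at all. It uses PDO with in-memory SQLite, PDO::quote() standing in for mysql_real_escape_string, and three constructed rows; the pdo_sqlite extension is assumed.

```php
<?php
// Added example, not from the thread: why an escaping function is only one step.
// mysql_real_escape_string-style escaping protects a value inside a quoted SQL
// string literal and nowhere else. Runs stand-alone against in-memory SQLite via
// PDO (pdo_sqlite assumed); the rows are constructed here. PDO::quote() stands in
// for the old mysql escaping function, with the quotes it adds stripped to mimic it.
declare(strict_types=1);

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT NOT NULL)');
    $db->exec("INSERT INTO notes VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// Escape the way the 2008-era function did: double up quote characters, nothing more.
function escape(PDO $db, string $v): string {
    return substr($db->quote($v), 1, -1);
}

// Pattern A (what the thread's script does for $user): escaped AND quoted.
// Correct: a quote in the input is escaped, so it cannot end the literal.
function ownerQuoted(PDO $db, string $owner): array {
    $sql = "SELECT id FROM notes WHERE owner = '" . escape($db, $owner) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern B: escaped but interpolated into an unquoted numeric comparison.
// Escaping changes nothing here because there is no quote to escape, so the
// whole input, whatever it contains, becomes part of the WHERE clause.
function idUnquoted(PDO $db, string $id): array {
    $sql = 'SELECT id FROM notes WHERE id = ' . escape($db, $id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Pattern C: shape check plus a typed bound parameter. The value never becomes
// SQL text, so neither quoting nor escaping is the application's job.
function idBound(PDO $db, string $id): array {
    if (!ctype_digit($id)) {        // validate the shape before the query, not instead of binding
        return [];
    }
    $stmt = $db->prepare('SELECT id FROM notes WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Demo with constructed inputs; the last one is not an id at all.
$db = openDb();
$notAnId = '2 OR 1=1';
echo 'quoted, bob:       ', implode(',', ownerQuoted($db, 'bob')), PHP_EOL;
echo "quoted, o'brien:   ", implode(',', ownerQuoted($db, "o'brien")), PHP_EOL;
echo 'unquoted, 2:       ', implode(',', idUnquoted($db, '2')), PHP_EOL;
echo 'unquoted, not id:  ', implode(',', idUnquoted($db, $notAnId)), PHP_EOL;
echo 'bound, 2:          ', implode(',', idBound($db, '2')), PHP_EOL;
echo 'bound, not id:     ', implode(',', idBound($db, $notAnId)), PHP_EOL;
```

ownerQuoted returns row 2 for bob and an empty result, with no SQL error, for o'brien, because the escaped apostrophe cannot close the literal. idUnquoted returns row 2 for "2" but all three rows for the non-numeric input, since escaping leaves a string with no quote characters untouched and all of it is parsed as SQL. idBound returns row 2 for "2" and nothing for the non-numeric input, which the shape check rejects before any statement is built; even without that check the typed bind would send the driver an integer, not SQL text.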