
Login, Password guessing – 2 Posts

  • Login, Password guessing

    05/29/2006 09:34
    theblacksheep 5610
    Hi,

    lately I have seen quite a few scripts with the following login procedure:

    -------------------------------------------------------------------
     $login_rs = mysql_query("SELECT id, pass FROM user WHERE login='$news_user'");
     if(mysql_num_rows($login_rs) > 0){
         $login_array = mysql_fetch_array($login_rs);
         if($login_array["pass"] == $news_pass){
             ...
         } else { $login_err=TRUE; }
     } else { $login_err=TRUE; }
    -------------------------------------------------------------------

    I can't think of a way to use this for a successful SQL injection (getting the admin's id and pass).
    The output is always the same unless I really enter the correct pass (at least I do not have to guess the user).

    Nevertheless, often there is the option given to retrieve the pass via email.
    -------------------------------------------------------------------
     $email_rs = mysql_query("SELECT * FROM user WHERE email='$email'");
     $email_array = mysql_fetch_array($email_rs);

     if(mysql_num_rows($email_rs) > 0){
         ...
         $msg = ("The password has been sent.");
     } else {
         $msg = ("Unknown email address!");
     }
    -------------------------------------------------------------------
    I can use this code for intelligent password guessing because I do get two different outputs depending on success or failure.

    Example: a' or length(pass)<10/*
    This should give me the output "The password has been sent." if the pass is no longer than 9 chars.
    The problem is that every time I am successful with my guessing the script tries to send an email.

    Any ideas on how to use those two code snippets to retrieve the admin's data without causing a huge sensation?

    tbs

    Example: Scarnews v1.2.1
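The two lookups from the post, rebuilt the way a maintainer would fix them, as an added example that is neither the poster's code nor Scarnews's: prepared statements through PDO, a hashed password instead of a stored plaintext one, and a single reply from the recovery endpoint so it no longer answers true/false. It assumes PHP with the PDO SQLite driver; the table layout, the sample account and the `sendResetLink` mailer are constructed/hypothetical.

```php
<?php
// Added example (not the poster's code, not from Scarnews): the recovery and
// login lookups from the post rebuilt with prepared statements, a hashed
// password and one fixed reply. Runs stand-alone on an in-memory SQLite
// database via PDO; the table layout and the sample account are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, login TEXT, email TEXT, pass TEXT)");

// Store a hash, never the password itself: then there is no "pass" to mail
// back, and a query oracle on the column can only leak the hash's properties.
$ins = $db->prepare("INSERT INTO user (login, email, pass) VALUES (?, ?, ?)");
$ins->execute(['admin', 'admin@example.invalid',
               password_hash('constructed-sample-password', PASSWORD_DEFAULT)]);

// Recovery: the address is bound as a parameter, so quotes and operators in
// it are matched as plain characters, and the reply is the same whether or
// not the address exists. Both changes to the posted snippet matter: the
// first removes the injection, the second removes the yes/no signal.
function recoverSafe(PDO $db, string $email): string
{
    $st = $db->prepare("SELECT id FROM user WHERE email = ?");
    $st->execute([$email]);
    if (($row = $st->fetch(PDO::FETCH_ASSOC)) !== false) {
        // sendResetLink($row['id']);  // hypothetical mailer: one-time reset link
    }
    return "If that address is registered, a reset link has been sent.";
}

// Login: parameterised lookup plus password_verify() instead of the post's
// string comparison against a stored plaintext value.
function loginSafe(PDO $db, string $login, string $password): bool
{
    $st = $db->prepare("SELECT pass FROM user WHERE login = ?");
    $st->execute([$login]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pass']);
}

// The probe quoted in the post now gets the same reply as a real address.
$probe = "a' or length(pass)<10/*";
var_dump(recoverSafe($db, 'admin@example.invalid') === recoverSafe($db, $probe));
var_dump(loginSafe($db, 'admin', 'constructed-sample-password'));
var_dump(loginSafe($db, 'admin', 'wrong'));
```

The `length(pass)` test the post relies on is also blunted by hashing: the column now holds a fixed-length hash, not the secret the attacker is after.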
  • 05/29/2006 09:34
    UnknownUser 2,7290
    I guess it depends on whether or not they use your user input as the email address to send the data to, or the one retrieved from the db.