Monday, August 10, 2009

First Attack: SQL Injection

When I first searched for a hacking reference (after getting this real-time mission), I found a pretty good introduction. It was the first hit on Google.

After I understood the technique (I think it's pretty simple) I thought "No way that could work here", but then "Oh well, let's at least try". I went to the main page of the victim's site (I'll call it Lamer hereafter, even though I admire that work). There is a login form, so I typed the following as both username and password:

'

If you enter a wrong username/password combination, you get a warning: a cute little girl telling you that you're not doing it the right way. But this time there was an SQL error, something like "syntax error near..." followed by a string. Yeah, a bit of the SQL code from a stored procedure.

I knew I was in; I just had to use the hole to create a fake login. But a little problem occurred there: the string from the password input was used in a function, not in a condition. It couldn't be helped. After one day of struggle I gave up and wrote to the system administrator about the hole. I just couldn't accept losing and tried over and over again, but with no success. I could only work out that a string like this:

mypassword') or ('1'='1

was working, but no other variation. And this wasn't good either if I left out the mypassword part. Yes, like this I could even have deleted the whole database by writing multiple queries there, but I couldn't log in as somebody else.

The bug got fixed. It was my loss. After a while I went back to check out the bugfix, and it was true: the apostrophe in the password input gave me a handled error, not an SQL one. But...

The username input still lacked the bugfix. Then I had my grand return. I entered the following inputs:

username: ') or ('1'='1
password: butterfly

And ta-daaaam, I was logged into a simple unused account. Let me explain: the username condition is always true, so that was the first user in the database whose password was butterfly (it was a girl; I mean no offense... but so naive).
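Below is an added Python example that is not from the original post; it reconstructs the behaviour described above against a constructed in-memory SQLite user table. The query shape (a parenthesised `username AND password` condition), the table, and the sample users are assumptions: the post never shows the site's query, and the password-side function that blocked the first attempt is not modelled here.

```python
import sqlite3

# Constructed sample data for this example; not the site's real user table.
SAMPLE_USERS = [
    (1, "admin", "s3cret"),
    (2, "alice", "butterfly"),
    (3, "bob", "hunter2"),
]


def make_db():
    """Create an in-memory user table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """String-concatenate the inputs into the query text.

    Assumed (hypothetical) query shape: a parenthesised AND, which is what the
    payload ') or ('1'='1 is crafted to close and reopen.
    """
    return (
        "SELECT id, username FROM users "
        "WHERE (username = '%s' AND password = '%s')" % (username, password)
    )


def login_vulnerable(conn, username, password):
    """Return (id, username) of the first matching row, or None.

    The database evaluates whatever the concatenated string parses to.
    """
    return conn.execute(build_vulnerable_query(username, password)).fetchone()


def probe(conn, username, password):
    """Return the database error text for an input pair, or None if the query ran.

    This is the first step in the post: a lone apostrophe breaks the quoting and
    the site leaks a syntax error instead of the usual 'wrong password' page.
    """
    try:
        conn.execute(build_vulnerable_query(username, password))
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def login_parameterized(conn, username, password):
    """The fixed version: inputs travel as bound parameters, never as SQL text."""
    return conn.execute(
        "SELECT id, username FROM users WHERE (username = ? AND password = ?)",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "') or ('1'='1"
    print(build_vulnerable_query(payload, "butterfly"))
    print("vulnerable:    ", login_vulnerable(db, payload, "butterfly"))
    print("wrong guess:   ", login_vulnerable(db, payload, "nope"))
    print("parameterized: ", login_parameterized(db, payload, "butterfly"))
    print("probe:         ", probe(db, "'", "x"))
```

With the payload in the username field the concatenated condition becomes `(username = '') or ('1'='1' AND password = 'butterfly')`. AND binds tighter than OR, so the right-hand side selects every row whose password equals the guess, and `fetchone()` hands back the first of them; that is why the author landed in whichever account happened to use "butterfly", and why the same payload with a wrong guess returns nothing. The parameterized query compares the payload as a literal username and finds no row, and the lone apostrophe probe only produces an error in the concatenating version.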

You may ask what I felt when I took a greedy look at my first successful hacker attack, which I had been dreaming of for a long time. Well, I was a bit disappointed. That was because I had to choose between telling everyone in a fancy way, "look what I have done", or telling the administrator and remaining nameless forever. But that's it. I had to remember my rules of being an elite hacker.
