<?php
$flag = "/flag.txt";
$id = $_POST['user_id'];
$ps = $_POST['password'];
mysql_connect("localhost","codegate","codegate");
mysql_select_db("codegate");
$id = mysql_real_escape_string($id);
$ps = mysql_real_escape_string($ps);   // escaping runs on the plaintext, before hashing
$ps = hash("whirlpool",$ps, true);     // raw_output = true: binary digest, may contain quote bytes
$result = mysql_query("select * from users where user_id='$id' and user_ps='$ps'");  // raw digest interpolated unescaped
$row = mysql_fetch_assoc($result);
if (isset($row['user_id'])) {
    if ($row['user_id'] == "admin") {
        echo "hello, admin\n";
        die(file_get_contents($flag));
    } else {
        die("hello, ".$row['user_id']);
    }
} else {
    msg("login failed..");
}
The issue with this code is that hash() is called with $raw_output set to true, so it returns raw binary data. The escaping step only ran on the plaintext password; the binary digest is then concatenated straight into the query, so any quote byte in the digest ends up in the SQL, leading to SQL injection.
string hash ( string $algo , string $data [, bool $raw_output = false ] )
raw_output:
When set to TRUE, outputs raw binary data. FALSE outputs lowercase hexits.
To bypass the login, we need to find a value that, when hashed with whirlpool, gives a raw digest containing '=' (the condition then reads user_ps='...'='...', which MySQL evaluates as true).
Brute Force
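As an added example (not from the writeup), the same flaw re-created in Python beside its fixed form. sha512 stands in for whirlpool, which hashlib does not always provide; the mechanism is the same for any raw digest. The escape() helper and the sample digest bytes are constructed for the demo.

```python
import hashlib
import re
from typing import Tuple

# Bytes that can break out of a single-quoted MySQL string literal.
QUOTE_BYTES = {ord("'"), ord('"'), ord("\\")}


def escape(s: str) -> str:
    """Rough stand-in for mysql_real_escape_string (constructed for the demo)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def raw_digest(password: str) -> bytes:
    """Equivalent of hash($algo, $ps, true): raw binary output."""
    return hashlib.sha512(password.encode()).digest()


def hex_digest(password: str) -> str:
    """Equivalent of hash($algo, $ps, false): lowercase hexits only."""
    return hashlib.sha512(password.encode()).hexdigest()


def vulnerable_query(user_id: str, ps_digest: bytes) -> str:
    # Mirrors the writeup: the raw digest is interpolated after escaping ran,
    # so quote bytes inside it reach the SQL untouched (latin-1 mimics PHP's byte string).
    ps = ps_digest.decode("latin-1")
    return f"select * from users where user_id='{escape(user_id)}' and user_ps='{ps}'"


def vulnerable_login_query(user_id: str, password: str) -> str:
    """Exact ordering from the writeup: escape the plaintext, then hash it raw."""
    return vulnerable_query(user_id, raw_digest(escape(password)))


def hardened_query(user_id: str, password: str) -> Tuple[str, tuple]:
    # Fix: hex output cannot contain a quote byte, and the parameterised query
    # leaves quoting to the driver instead of string concatenation.
    return ("select * from users where user_id=%s and user_ps=%s",
            (user_id, hex_digest(password)))


def digest_breaks_quoting(digest: bytes) -> bool:
    """True if a raw digest contains a byte that can terminate the string literal."""
    return any(b in QUOTE_BYTES for b in digest)


def quote_risk(sample: int = 2000) -> float:
    """Fraction of trial passwords whose raw digest contains such a byte.
    For a 64-byte digest this is roughly 1 - (253/256)**64, i.e. about half."""
    hits = sum(digest_breaks_quoting(raw_digest(f"pw{i}")) for i in range(sample))
    return hits / sample
```

quote_risk() shows why raw output is unsafe even without a targeted search: about every second password already yields a digest that breaks the literal.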