Waraxe IT Security Portal
Login or Register
November 25, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 67
Members: 0
Total: 67
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other security holes -> The end of CSS and SQL Injection in forums?
Post new topicReply to topic View previous topic :: View next topic
The end of CSS and SQL Injection in forums?
PostPosted: Fri Apr 29, 2005 9:42 am Reply with quote
balafou
Beginner
Beginner
Joined: Apr 29, 2005
Posts: 2




I've been using SQL injections and cross-site-scripting methods to obtain md5 hashes in IPB, PHPBB and VBulletin forums for quite a long and i was able to crack 80% of those hashes successfully. Until now.]

Today i prepared a script to get a bunch of MD5's (well, i thought) in an IPB forum and while testing it on me (using my cookie) i noticed that the MD5 hash didn't look like the one i remembered my password giving. I started searching in the net and....

Things seem to have been hardened now. IPB forums use randomly salted MD5 hashes, and others will follow very soon i think.

Invision Power Board stores the password in the "ibf_members_converge" table in the following format:

converge_pass_hash = md5( md5( converge_pass_salt ) . md5( plain_text_password ) );

The password salt (converge_pass_salt) is a random 5 character string generated from the "ips_kernel/class_converge.php" module. It can include any character except the backslash character.



Is this the end of CSS and SQL Injection in forums?
View user's profile Send private message
PostPosted: Tue May 03, 2005 8:10 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




In many cases you do not have to know whats in the hash, its
enought you have it, and you can pretend to be someone else.
sql injection is more wider subject since there might be vulnearabilities in sql server itself, and there might be other valuable data in database other than password hashes. xss has also much wider use range than simple cookie stealing , user might be tricked into doing something, like, deleting user, or grant administrator privileges if GET is used, or buy something or even attack another site.. with careful research and planning, many possibilities.

i don't know about particular software you are talking about but, i think methods themselves are not subject to get lost in near time.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Wed May 04, 2005 4:59 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




ive allready get md5 hash from ibf_members > legacy_password
n the hash is work fine, coz with rainbow i could crack it

i dont know about the version , but i tell you it was from a big forum Smile

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Sun Jun 12, 2005 9:49 am Reply with quote
unnamed
Beginner
Beginner
Joined: Jun 12, 2005
Posts: 1




can any1 see if they can crack this password(its from the members converge on invision):

converge_pass_hash converge_pass_salt
c60c3941ba6d338d044b0f9675bd048a a6`HK
View user's profile Send private message
PostPosted: Sun Jun 12, 2005 10:52 am Reply with quote
Shadow
Regular user
Regular user
Joined: Aug 08, 2004
Posts: 7
Location: Where dingos eat babies




I dont think xss or sql injection exploits will stop. They will just evolve as the software does. Just think how many ppl mod their cms or forum many of whom no not what they doing there by opening new exploits. There are alot of smart ppl out there someone will find a way around it be it crack it or use it. Exploits wont stop as long as their are sloppy programmers or lazy ppl that dont update i call them install and forget ppl. eg: I just found a site still running php-nuke 7.2 unpatched + they have 5 sub domains using the same ver. I have emailed them twice with their admin passes and it still remains unpatched 2 months later! I think I might change their site so they get the messege maybe publicly display their passes on the index page.

I think this 1 liner is due here
Quote:

"If debugging is the process of removing bugs, then programming must be the process of putting them in."


Thats my 2 cents


Just a add on:
If its randomly salted how does the database know were or what to add to the pass. So it cant be that random? Mind you I havent looked up on it much. Anyone got any decent links to salting md5 hashes?

_________________
My software never has bugs. It just develops random features.
View user's profile Send private message
PostPosted: Mon Jun 13, 2005 12:30 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




i think the problem relies in "non-trained" people coding/practising and just not being aware about sql injections or other abusive ways to make use of the script, while thei're making their softwares v 1.0, and later are just too lazy to rewrite the whole code with good design and improved skills.

anyways "randomly salted" means that the salt *is* random. the salt is stored with the hash, so there is no need to make a salt from the password itself. salt is readed and concenated with password, before the digesting is done.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
md5
PostPosted: Sun Jun 26, 2005 11:36 am Reply with quote
helloworld
Beginner
Beginner
Joined: Jun 26, 2005
Posts: 1




I have a md5-hashes, but I can't decipher.

4B3DD5CF0F25CC1F9D0E81B82DE53EAD
000706FD8817D156C426D1DB428338C2

Help me please and send result on localhost127@fastmail.fm . Thankful in advance.
View user's profile Send private message
The end of CSS and SQL Injection in forums?
www.waraxe.us Forum Index -> All other security holes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.045 Seconds