The end of CSS and SQL Injection in forums?

Posted: Fri Apr 29, 2005 9:42 am
balafou
Beginner
Joined: Apr 29, 2005
Posts: 2

I've been using SQL injection and cross-site-scripting methods to obtain MD5 hashes in IPB, phpBB and vBulletin forums for quite a long time, and I was able to crack 80% of those hashes successfully. Until now.
Today I prepared a script to get a bunch of MD5s (well, I thought) in an IPB forum, and while testing it on myself (using my cookie) I noticed that the MD5 hash didn't look like the one I remembered my password giving. I started searching the net and....
Things seem to have been hardened now. IPB forums use randomly salted MD5 hashes, and others will follow very soon, I think.
Invision Power Board stores the password in the "ibf_members_converge" table in the following format:
converge_pass_hash = md5( md5( converge_pass_salt ) . md5( plain_text_password ) );
The password salt (converge_pass_salt) is a random 5-character string generated by the "ips_kernel/class_converge.php" module. It can include any character except the backslash.
Is this the end of CSS and SQL Injection in forums?

Posted: Tue May 03, 2005 8:10 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden

In many cases you do not have to know what's in the hash; it's enough that you have it, and you can pretend to be someone else.
SQL injection is a much wider subject, since there might be vulnerabilities in the SQL server itself, and there might be other valuable data in the database besides password hashes. XSS also has a much wider range of uses than simple cookie stealing: a user might be tricked into doing something, like deleting a user, or granting administrator privileges if GET is used, or buying something, or even attacking another site... with careful research and planning, many possibilities.
I don't know about the particular software you are talking about, but I think the methods themselves are not going to get lost any time soon.
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
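Heintz's point that a privileged action reachable over GET can be fired by any page the admin happens to visit, written out as an added example (this is not code from the thread, from Heintz, or from any forum package). Both the vulnerable handler and a hardened one are shown; the admin.php URL, the session/request objects, the member list and the 403/405 status choices are all assumptions made for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class Session:
    """What the forum's cookie resolves to on the server side (assumed layout)."""
    user: str
    is_admin: bool
    # Per-session secret the server later expects back in state-changing requests.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    session: Session  # attached via the browser's cookie, whoever caused the request


def fresh_members() -> Dict[str, str]:
    """Constructed sample data: username -> group."""
    return {"alice": "admin", "bob": "member"}


def delete_user_vulnerable(req: Request, members: Dict[str, str]) -> int:
    """admin.php?act=delete&user=... accepted over GET: the only check is the
    cookie, so an <img> tag on a third-party page is enough to trigger it."""
    if not req.session.is_admin:
        return 403
    members.pop(req.params.get("user", ""), None)
    return 200


def delete_user_hardened(req: Request, members: Dict[str, str]) -> int:
    """State changes only over POST and only with a token bound to the session,
    which an attacker page cannot read because of the same-origin policy."""
    if not req.session.is_admin:
        return 403
    if req.method != "POST":
        return 405
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return 403
    members.pop(req.params.get("user", ""), None)
    return 200


def forged_request(victim: Session) -> Request:
    """The request the victim's browser sends after loading an attacker page with
    <img src="http://forum.example/admin.php?act=delete&user=bob"> (hypothetical URL):
    GET, the victim's own cookie, and no token."""
    return Request("GET", {"act": "delete", "user": "bob"}, victim)


def legitimate_request(admin: Session) -> Request:
    """The forum's own admin form: POST carrying the session's token."""
    return Request("POST", {"act": "delete", "user": "bob", "csrf_token": admin.csrf_token}, admin)


def demo() -> dict:
    """Returns (status, bob_still_present) for each scenario."""
    admin = Session("alice", is_admin=True)
    m1 = fresh_members()
    s1 = delete_user_vulnerable(forged_request(admin), m1)
    m2 = fresh_members()
    s2 = delete_user_hardened(forged_request(admin), m2)
    m3 = fresh_members()
    s3 = delete_user_hardened(legitimate_request(admin), m3)
    m4 = fresh_members()
    bad = Request("POST", {"act": "delete", "user": "bob", "csrf_token": "guess"}, admin)
    s4 = delete_user_hardened(bad, m4)
    return {
        "vulnerable_forged": (s1, "bob" in m1),
        "hardened_forged": (s2, "bob" in m2),
        "hardened_legit": (s3, "bob" in m3),
        "hardened_bad_token": (s4, "bob" in m4),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The method check alone is not enough (an attacker page can submit a hidden POST form), which is why the hardened handler also demands the session-bound token and compares it with hmac.compare_digest rather than ==.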

Posted: Wed May 04, 2005 4:59 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia

I've already got an md5 hash from ibf_members > legacy_password
and the hash works fine, because with rainbow tables I could crack it.
I don't know about the version, but I tell you it was from a big forum.
_________________ IO::y3dips->new(http://clog.ammar.web.id);

Posted: Sun Jun 12, 2005 9:49 am
unnamed
Beginner
Joined: Jun 12, 2005
Posts: 1

Can anyone see if they can crack this password (it's from the members converge table on Invision):
converge_pass_hash: c60c3941ba6d338d044b0f9675bd048a
converge_pass_salt: a6`HK

Posted: Sun Jun 12, 2005 10:52 am
Shadow
Regular user
Joined: Aug 08, 2004
Posts: 7
Location: Where dingos eat babies

I don't think XSS or SQL injection exploits will stop. They will just evolve as the software does. Just think how many people mod their CMS or forum, many of whom know not what they are doing, thereby opening new exploits. There are a lot of smart people out there; someone will find a way around it, be it crack it or use it. Exploits won't stop as long as there are sloppy programmers or lazy people that don't update; I call them install-and-forget people. E.g.: I just found a site still running PHP-Nuke 7.2 unpatched, plus they have 5 subdomains using the same version. I have emailed them twice with their admin passes and it still remains unpatched 2 months later! I think I might change their site so they get the message, maybe publicly display their passes on the index page.
I think this one-liner is due here. Quote:
"If debugging is the process of removing bugs, then programming must be the process of putting them in."
That's my 2 cents.
Just an add-on:
If it's randomly salted, how does the database know where or what to add to the pass? So it can't be that random? Mind you, I haven't looked it up much. Anyone got any decent links on salting md5 hashes?
_________________ My software never has bugs. It just develops random features.

Posted: Mon Jun 13, 2005 12:30 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden

I think the problem lies in "non-trained" people coding/practising and just not being aware of SQL injection or other abusive ways to make use of the script while they're making their software v1.0, and later they are just too lazy to rewrite the whole code with good design and improved skills.
Anyway, "randomly salted" means that the salt *is* random. The salt is stored with the hash, so there is no need to derive a salt from the password itself. The salt is read and concatenated with the password before the digesting is done.
_________________ AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
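The converge scheme balafou quoted in the first post (md5( md5(salt) . md5(password) ) with a 5-character salt) and Heintz's answer above about the salt being stored beside the hash, written out as one added example. This is not code from the thread, from any poster, or from Invision Power Board; it reproduces only the formula as quoted. The salt alphabet (printable ASCII minus backslash), the member dict standing in for the ibf_members_converge row, the sample passwords and the wordlist are assumptions constructed for the demo. The attacker side shows why a salt kills precomputed tables but not a per-salt dictionary run.

```python
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional

# Assumed salt alphabet: printable ASCII except the backslash, matching the
# thread's "any character except the backslash"; the exact set IPB used is not
# stated on the page.
SALT_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation if c != "\\"
)
SALT_LENGTH = 5


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def converge_hash(password: str, salt: str) -> str:
    """converge_pass_hash = md5( md5(salt) . md5(password) ), as quoted in the thread."""
    return md5_hex(md5_hex(salt) + md5_hex(password))


def make_salt() -> str:
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LENGTH))


def register(members: Dict[str, Dict[str, str]], name: str, password: str,
             salt: Optional[str] = None) -> None:
    """Salt and hash land in the same row; an explicit salt is accepted only so
    the demo is reproducible. Nothing about the salt is derived from the password."""
    salt = make_salt() if salt is None else salt
    members[name] = {
        "converge_pass_salt": salt,
        "converge_pass_hash": converge_hash(password, salt),
    }


def check_login(members: Dict[str, Dict[str, str]], name: str, password: str) -> bool:
    """The server does not have to 'know' the salt: it reads it from the row,
    recomputes the hash, and compares in constant time."""
    row = members.get(name)
    if row is None:
        return False
    candidate = converge_hash(password, row["converge_pass_salt"])
    return hmac.compare_digest(candidate, row["converge_pass_hash"])


# --- attacker side ---------------------------------------------------------

def lookup_table_attack(target_hash: str, wordlist: List[str]) -> Optional[str]:
    """A precomputed table over plain md5(password): what cracked the unsalted
    hashes. Built once, reused against every stolen hash. Useless here, because
    the stored value is not md5(password)."""
    table = {md5_hex(w): w for w in wordlist}
    return table.get(target_hash)


def salted_dictionary_attack(target_hash: str, salt: str,
                             wordlist: List[str]) -> Optional[str]:
    """With the salt stolen alongside the hash (it sits in the same row), each
    candidate is hashed under that salt. Still works for weak passwords; the salt
    only stops the work from being shared across users or precomputed."""
    for w in wordlist:
        if converge_hash(w, salt) == target_hash:
            return w
    return None


def demo() -> dict:
    members: Dict[str, Dict[str, str]] = {}
    register(members, "alice", "hunter2", salt="a6`HK")  # salt in the format posted in the thread
    register(members, "bob", "hunter2", salt="Qz9!p")    # same password, different salt
    wordlist = ["password", "letmein", "hunter2", "qwerty"]  # constructed sample list
    alice = members["alice"]
    return {
        "login_ok": check_login(members, "alice", "hunter2"),
        "login_bad": check_login(members, "alice", "hunter3"),
        "same_password_same_hash": alice["converge_pass_hash"] == members["bob"]["converge_pass_hash"],
        "unsalted_table_hit": lookup_table_attack(alice["converge_pass_hash"], wordlist),
        "salted_dictionary_hit": salted_dictionary_attack(
            alice["converge_pass_hash"], alice["converge_pass_salt"], wordlist),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two attack functions answer the thread's question directly: a lookup or rainbow table built over md5(password) never matches a converge hash, but once the salt is read from the same row, a plain dictionary run per user recovers any password that is in the list. The salt raises the attacker's cost by the number of distinct salts, nothing more.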

md5
Posted: Sun Jun 26, 2005 11:36 am
helloworld
Beginner
Joined: Jun 26, 2005
Posts: 1

I have md5 hashes, but I can't decipher them.
4B3DD5CF0F25CC1F9D0E81B82DE53EAD
000706FD8817D156C426D1DB428338C2
Help me please and send the result to localhost127@fastmail.fm . Thankful in advance.
www.waraxe.us Forum Index -> All other security holes
All times are GMT