Penetration Testing mailing list archives

Re: hacker challenge... pwn3d login form


From: "Tyler Johnson" <tjohnson () novacoast com>
Date: Sat, 06 Sep 2008 18:04:32 -0700

Actually, you did it the hard way. If you register an account (like 'test') and log in, you'll find the cookie value is an md5 hash of your username (test = 098f6bcd4621d373cade4e832627b4f6).

If you edit that value to be the md5 hash of 'admin' (21232f297a57a5a743894a0e4a801fc3) and refresh the page, you're logged in as admin and presented with users and passwords.


-- 
Tyler Johnson
Network Manager
Novacoast Inc.
800-949-9933 Ext. 4800
805-202-6153

Novell's Solution Provider of the Year, Americas
2002, 2004, 2005, 2006, 2007

GulfTech Security Research <security () gulftech org> 09/06/08 4:37 PM >>>
Hi Jorge,

Did you say the cookie bit to throw people off? I notice that basically 
the cookie is using an md5'ed version of the username as the id, and I 
get that, but I actually got in by using the username "admin' -- /*" and 
the password "1".

Also, I have been able to exploit the search feature to get this 
information also by sending a query like this.

-99' UNION SELECT 1,2,username,password,5 FROM members -- /*

Kind Regards,

James

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
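
Why the cookie scheme described in this thread fails, next to a keyed alternative, as an added example (not code from the challenge site or from either poster): an unkeyed MD5 of the username can be computed by any client, while a token bound to a server-side HMAC key cannot. `SERVER_KEY`, the function names and the `username|expiry|tag` layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumption: a per-deployment secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def weak_cookie(username: str) -> str:
    """Scheme described in the thread: cookie = unkeyed MD5 of the username."""
    return hashlib.md5(username.encode()).hexdigest()

def weak_lookup(cookie: str, usernames: list) -> Optional[str]:
    """Server side of the weak scheme: any cookie equal to md5(name) is accepted."""
    for name in usernames:
        if weak_cookie(name) == cookie:
            return name
    return None

def _tag(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_token(username: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    """Hardened form: username and expiry bound together under SERVER_KEY."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{username}|{expires}"
    return f"{payload}|{_tag(payload)}"

def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid, unexpired token, otherwise None."""
    try:
        username, expires, tag = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None  # wrong shape, e.g. a bare MD5 hex string
    expected = _tag(f"{username}|{expires}")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    if (time.time() if now is None else now) >= expires_at:
        return None
    return username
```

A random session ID stored server-side achieves the same goal and additionally allows individual sessions to be revoked.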


