So on the first page I looked at - login - there was a sqli. We can't get any SELECT output from the sqli (e.g. SELECT PASSWORD...), so I think that's called a 'blind' sqli.
Result:
Anyway, we can distinguish between an arbitrary proposition passing and failing (in our case by the presence or absence of an error message, although a timing attack would also do), and since we already know the table and column name (thanks to that chatty error message), that is enough to have a go at brute-force mining the password, in case it is stored in plain text.
I mine the length first, for two reasons:
- It will cut the number of requests down (don't have to exhaust the character set at the end)
- My testing found that character indexes that didn't exist matched a space, and I couldn't be bothered to make a special case for distinguishing an actual space from a nonexistent character
I also looked up the frequency of password characters and tested for them in that order, to reduce the request volume.
length 9
password 'adminpass'
77 requests in total
It was plain text, which is bad. I think most people know by now to store salted hashes, and make the hash cost high.
Brute forcing is noisy, but really 77 requests is cheap to get a password! That sort of volume probably won't attract any attention, and nobody gets locked out of their account either (we aren't passing a username when we fail).
Really, any sqli will do. And if I didn't know the table/column name, I could go 'meta' and start brute-force mining the schema/table/column names themselves, burrowing top-down into interesting strings (really noisy, but it will work if the database permissions allow it).
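A defender's counterpoint to the "won't attract any attention" claim above, as an added example that is not part of the original post: because the extraction never supplies a username, per-account lockout never fires, so the detector below keys on the client address and counts how often a login attempt tripped the database error (the oracle) inside a short window. The log format and the sample lines are constructed for this example and are not from the site in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application-log format (an assumption, not the original site's):
# <ISO timestamp> <client ip> POST /login <http status> db_error=<0|1>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login (?P<status>\d{3}) db_error=(?P<err>[01])$"
)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], m["err"] == "1")

def find_inference_sources(lines, window=timedelta(minutes=5), threshold=20):
    """Return {ip: count} for clients whose login attempts triggered the
    database error at least `threshold` times inside `window`. Keyed on
    client, not username, because the attack never sends a username."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, err = rec
        q = recent[ip]
        q.append((ts, err))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        errs = sum(1 for _, e in q if e)
        if errs >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), errs)
    return flagged

# Constructed sample: one client making 77 login requests two seconds apart,
# roughly half of them tripping the error, plus a real user who mistyped once.
def sample_log():
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(77):
        ts = (base + timedelta(seconds=2 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        err = 1 if i % 2 == 0 else 0
        lines.append(f"{ts} 203.0.113.5 POST /login 200 db_error={err}")
    lines.append("2024-01-01T12:01:00Z 198.51.100.7 POST /login 401 db_error=0")
    lines.append("2024-01-01T12:01:05Z 198.51.100.7 POST /login 200 db_error=0")
    return lines
```

On the sample, the extracting client is flagged with 39 error-bearing requests in under three minutes while the legitimate user is not; the same counter also argues for returning a generic failure instead of the raw database error, which removes the oracle entirely.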