From: Tyler Johnson (tjohnsonnovacoast.com)
Date: Sat Sep 06 2008 - 20:04:32 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Actually, you did it the hard way. If you register an account (like 'test') and log in you'll find the cookie value is an md5 hash of your username (test = 098f6bcd4621d373cade4e832627b4f6 ).

If you edit that value to be the md5 hash of 'admin' (21232f297a57a5a743894a0e4a801fc3) and refresh the page you're logged in as admin and presented with users and passwords.

--
Tyler Johnson
Network Manager
Novacoast Inc.
800-949-9933 Ext. 4800
805-202-6153

Novell's Solution Provider of the Year, Americas
2002, 2004, 2005, 2006, 2007
>>> GulfTech Security Research <securitygulftech.org> 09/06/08 4:37 PM >>>
Hi Jorge,

Did you say the cookie bit to throw people off? I notice that basically
the cookie is using an md5'ed version of the username as the id, and I
get that, but I actually got in by using the username "admin' -- /*" and
the password "1".

Also, I have been able to exploit the search feature to get this
information also by sending a query like this.

-99' UNION SELECT 1,2,username,password,5 FROM members -- /*

Kind Regards,

James

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]