Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
C0D4669027yGood lord 😳
although I have come across admin/admin for the admin account of a webDev site and all its clients, some people are just idiots. -
Now i'd like to know what happens on "%" / "%", that query returns all users and you'll most likely be logged in as the first one (which is the admin in most cases)
-
xonya50807y@YouAreAPIRate I tried that. The application thrown an exception, because it expected only one or zero record from the query. It would have been awesome to be logged in with all users at the same time :D
-
@xonya at least they got that right. Most applications only take the first query result and ignore the rest because there shouldn't be any more. If they really would save all users in the session that would fuck up the whole web application ^^"
-
@coolmox some applications even show an error message where you can see the query. So if you feed chars like "\' etc. to the application you force an error and might see query.
That way you can look at it even if you don't have access to the code. -
xonya50807y@YouAreAPIRate Yes, sometimes that happens too. In this case I had access to the whole source code, so it has been easy to found this vulnerability.
-
@ziadkiwan i had to work on a similar program, and sql-injections are still found regularely* in the wild. This is dumb but it's happening way more often than you think. It makes you think.
*there even is a search engine for that -
I mean there is libraries every where, that they are very easy to use to avoid sql injection.. Etc..
-
@ziadkiwan you might think that (i do too) but no library can compete against idiots. At least OWASP says sql-injections are not (really) slowing down even we got parameterized/prepared statements years ago and escaping decades ago.
-
donuts236727ybut how do you know the SQL and if you know the SQL then you have access to the DB anyway so it doesn't really matter?
-
xonya50807y@billgates Yes, I could query the DB directly. The fact remains that it was a really poor designed application.
-
donuts236727y@xonya Yea agreed... just like my workplace... if it were me i'd burn down pretty much the whole codebase and build it again without all the unneccessary mess and redundant code.
-
It's not even funny. Sounds like some ultra-n00b dumb sh*t. Like I have never really seen any 'programmer' do something like this, yet alone a company. Umm, are you sure that's a real company? Can you share more info about it with us? Like what country is it located in? What kind of industry is it in? And maybe the name of the company?
-
spawnpt867yI know of a university wherw its case insensitive and after a certain amount of characters it doesnt matter what you put. Its unbelievable
-
xonya50807y@adminadmin I obviously can't tell the name of the company. In any case it was a quite old project and data "protected" by that passwords were not so critical/sensitive.
Related Rants
** The most hilarious authentication implementation I've ever seen **
They stored password in cleartext, but never mind, this is sadly quite common.
For some reasons credentials were also case insensitive (maybe to avoid silly tickets from CAPS LOCK lovers?).
Then I had a look to the query executed during the login:
SELECT * FROM users WHERE username LIKE ? AND password LIKE ?;
So I tried logging in with user "admin" and password "%"... and it worked!
I laughed all the day.
rant
stupid people
sql
authentication
security
wildcard