.

Password Encoding in Database

<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Jun 10, 2009 4:02 am

Password Encoding in Database

Hi

I’m currently learning abut SQL Injection and as luck happens I was asked to have a poke around at an internal web application that we have to see if it has any problems.  I’m by no means a pen tester just someone who likes to poke around at stuff.

I was quickly able to find a way to return logon names and passwords from the SQL database using SQL injection but password seem to be encoded/encrypted.

Is there a way to tell what encoding/encryption is used?

What I could see was that many accounts have the same stored password (12 characters and always starting with a = symbol) which I guessed correctly is “password”. However, my stored password (which isn’t “password”) is 16 characters and also starting with a = symbol. Other accounts that I now are not “password” are also 16 characters.

I have verified my findings with the backend database but I would like to demonstrate that although I can retrieve information on all the accounts I can then use the credentials to log in.

I have run the stored passwords through encoders on clez.net but it doesn’t decode my password to what I know it should be.

Thanks in advance for any help.

Regards

Syn

PS. I have permission to do this testing.
----------------------------------
http://synjunkie.blogspot.com
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Jun 10, 2009 4:36 am

Re: Password Encoding in Database

Just a followup on this. 

I tried encoding my known password (using the encoding page on clez.net) and after comparing it to the stored password and found it to be base64 but reversed.  So i tested this on a password which I didn't know and bingo!

Maybe this might help someone else out there.

One other question to anyone who may be experienced in this, is this a common method of storing passwords? Are there any other common ways of storing passwords?

Cheers

Syn
----------------------------------
http://synjunkie.blogspot.com
<<

ethicalhack3r

Full Member
Full Member

Posts: 139

Joined: Fri Nov 28, 2008 11:29 am

Post Wed Jun 10, 2009 6:51 am

Re: Password Encoding in Database

Here is a list of MySQL's encryption and compression functions:
http://dev.mysql.com/doc/refman/5.1/en/ ... tions.html

Id say most of them in the link are pretty common.

Heres a good tut on PHP encryption and salts:
http://www.onlamp.com/pub/a/php/2001/07/26/encrypt.html
Last edited by ethicalhack3r on Wed Jun 10, 2009 6:54 am, edited 1 time in total.
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Jun 10, 2009 10:49 am

Re: Password Encoding in Database

Thanks for the links.  They look pretty interesting although a bit over my head at the moment.  Maybe it will all make sense one day :-)

Cheers

Syn
----------------------------------
http://synjunkie.blogspot.com
<<

mambru

Jr. Member
Jr. Member

Posts: 98

Joined: Wed Jun 03, 2009 3:11 pm

Post Wed Jun 10, 2009 11:00 am

Re: Password Encoding in Database

SynJunkie wrote:
One other question to anyone who may be experienced in this, is this a common method of storing passwords? Are there any other common ways of storing passwords?



I'd say that the fact of storing passwords is a bad practice, what you'd like to store are hashes of them
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Jun 10, 2009 11:14 am

Re: Password Encoding in Database

Agreed.

The question was really not "what should we do" but more "what are people doing in webapps". This is the first live web app I have looked at and I was curious if this was type of encoding was common.
----------------------------------
http://synjunkie.blogspot.com
<<

former33t

Full Member
Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Wed Jun 10, 2009 12:02 pm

Re: Password Encoding in Database

I'll caveat this by saying that the only web applications I've done any pentesting on were government and on "secure" networks.

I see one of three things done with web application authentication.  The first is PKI, which is becoming more and more common.  The second is storing the password hashes (I most often see SHA1 being used when used with MySQL).  Storing the hashes helps some, but they can be cracked offline with a dictionary attack if you can get them dumped via SQL injection.  These two are the methods I see when a "professional" has developed the web application.

When someone has read the PHP/mysql programming for dummies book and sets out to leave their mark on the organization, I see LOTS of SQL injection errors and plain text passwords stored in the database (or worse in a text file in the application directory).  One of the first things I do with these web applications is to try to get a directory listing of the location of the web app.  The second thing is that if they are using poorly designed classes that don't have an extension the server recognizes, I try to download those directly.  They often contain the database passwords (which often makes user passwords unnecessary).  The final thing I do before even trying SQL injection is to try to induce an error in the application with URL hacking to get it do display some of the logic (if error reporting isn't turned off).

At any rate, passwords in the clear and SQL injection are way to common.  They are becoming even more common (in my experience) with the multitudes of inexperienced web "programmers" out there.  My only consolation is that these systems don't touch the Internet so they are only vulnerable to insider attacks.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
<<

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Wed Jun 10, 2009 3:04 pm

Re: Password Encoding in Database

Useful to know.  Thanks. lovin this SQL Injection stuff though.  As soon as I figured out how to read the errors and tune my injection against the right columns to get the usernames and passwords out I was totally diggin it.

Cheers

Syn
----------------------------------
http://synjunkie.blogspot.com

Return to Web Applications

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software