Jump to content

admin panel getting hacked into

jakebur01

By jakebur01
in PHP Coding Help

 Share

Recommended Posts

jakebur01 Advanced Member

jakebur01

Posted
Posted

Hello,

 

I have a friend whose login has been getting hacked into. There is not any evidence that they have been posting a username and password. We are thinking they could be getting in using a cookie or session somehow.

 

  <?php
require 'client-info.php';
if($submit) 
{
$db = mysql_connect("localhost",$dbusername,$dbpassword);
mysql_select_db($database,$db);
$sql="select * from $users_table where user_name='$login'";
$result=mysql_query($sql,$db);
$myrow=mysql_fetch_array($result);
if($myrow['user_password']==$password and $myrow['user_name']==$login) 
{
session_start();
$ses_id = session_id();
$sql2 = "UPDATE $users_table SET ses_id='$ses_id' where user_name like '$login'";
$result2=mysql_query($sql2);
require 'admin-panel.php';
} else 
{
echo "<br><br><tr><td align=center><font face=arial size=4 >";
echo "Incorrect login information.  Hit your back key to try again.";
echo "</font><br><br></td></tr>";
}
} else 
{
session_start();
$ses_id = session_id();
$db = mysql_connect("localhost",$dbusername,$dbpassword);
mysql_select_db($database,$db);
$sql="select ses_id from $users_table where user_name like '$login'";
$result=mysql_query($sql,$db);
$myrow=mysql_fetch_array($result);
if($ses_id==$myrow[ses_id]) {require 'admin-panel.php';} else { require 'login-form.php';}
}
?>

 

Thanks,

 

Jake

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

The session_start() only needs to be before any content is sent.

 

The posted code is on a server that has register_globals on. The code itself relies on register_globals to magically populate program variables from post/get/cookie/session data. Register_globals also 'magically' allows a hacker to set program and session variables by simply putting the same name GET parameter on the end of the URL. Register_globals were turned off by default 7 years ago. There is simply no excuse for any web host to have them turned on or for any code to still exist that relies on them.

 

The code is also not using mysql_real_escape_string() to prevent sql injection.

 

Both of these problems would allow a hacker to either find out existing log in information (sql injection) or to become logged in (register_globals, sql injection.)

 

Edit: Also, does the admin-panel.php code have any protection to prevent it from it being browsed to directly?

Link to comment
Share on other sites
jakebur01 Advanced Member

jakebur01

Posted
  • Author
Posted

This is the login-check.php page, which is the only thing check to see if the user is logged in. This is required at the top of all the admin pages.

 

require "client-info.php";
session_start();
$ses_id = session_id();
$db = mysql_connect("localhost",$dbusername,$dbpassword);
mysql_select_db($database,$db);
$sql="select ses_id from $users_table where user_name like '$login'";
$result=mysql_query($sql,$db);
$myrow=mysql_fetch_array($result);
if($ses_id==$myrow[ses_id]) {} else
{
header( 'Location: index.php' ) ;
}

 

 

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Most bot scripts that would be used to access a web page don't automatically follow a redirect, so the remainder of the content on that page would be directly available simply because it is being output by the web server since there is no exit; statement to stop it from being output.

Link to comment
Share on other sites
pkedpker Member

pkedpker

Posted
Posted

"select * from $users_table where user_name='$login'

 

thats instant hackzors i can even hack that shit..

 

 

i'd use (assuming $users_table = users)

' AND DELETE FROM users AND username='

 

and boom you just lost all your users.. very sad hope you had backups.. just kidding but showing you how easy it is to hack.

 

how the hackzor works?

 

select * from $users_table where user_name='$login'

becomes..

 

select * from $users_table where user_name='' AND DELETE FROM users AND username=''

 

see it fits perfectly..

Link to comment
Share on other sites
pkedpker Member

pkedpker

Posted
Posted

depends.. you could hack it without url.. even if its post method.. i'll just write a little program that does HTTP requests in POST method..

 

but i dont know what is $login? is that constant? if it is.. then maybe its not so hackable..

 

I could make the form myself in notepad.. and link it up to your site.. like 947740 said..

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

I was hoping I could test this in my browser by turning off redirects somewhere in the preferences. I am on a mac. Do you know of any program I can use to see this in action.

 

Thanks,

 

Jake

 

http://us.php.net/curl (simply don't use CURLOPT_FOLLOWLOCATION or set it to FALSE)

 

"select * from $users_table where user_name='$login'

 

thats instant hackzors i can even hack that shit..

 

 

i'd use (assuming $users_table = users)

' AND DELETE FROM users AND username='

 

and boom you just lost all your users.. very sad hope you had backups.. just kidding but showing you how easy it is to hack.

 

how the hackzor works?

 

select * from $users_table where user_name='$login'

becomes..

 

select * from $users_table where user_name='' AND DELETE FROM users AND username=''

 

see it fits perfectly..

 

mysql_query() does not support multiple queries, which would be separated by a semi-colon ; (because too many non-programmers were not escaping data to prevent sql injection), so, you cannot tack a DELETE query onto an existing mysql query. You can however inject a UNION onto a SELECT query and dump all the usernames and passwords stored in the table (and in this thread the passwords are not even md5() hashed.)

 

 

The posted code has several strikes against it -

 

register_globals

sql injection

passwords stored as plain text in the database

no exit; statements after a header redirect

 

All of these are security problems waiting to happen and if you have a hacker actively accessing the site, he has used one or more of them (and there are probably more present in the rest of the code than just these four.)

Link to comment
Share on other sites
pkedpker Member

pkedpker

Posted
Posted

    Why use a form, Register_Globals is turned on just add your GET variables to the url and you have everything you need. Please turn that off or you are asking to get hacked.

 

Lol of course register_globals can get you hacked.. but its off by default in all php if you turned it on then that could be why your getting hacked.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Please re-read my last post (which WolfRage has reposted) (and turn on the setting in your user control panel in the forum that alerts you to posts made while you were writing posts) because I posted a link to using curl that would cause it to not follow redirects.

 

Why don't you just add an exit; statement. That would take about 30 seconds. ALL header() redirect statements need an exit; statement after them to prevent the remainder of the code on the page from being executed, unless you know for a fact that you want the rest of the code on that page to be executed.

Link to comment
Share on other sites
gizmola Prolific Member

gizmola

Posted
Posted

All they need for the sql injection is to get $login to be ' OR 1=1

 

First thing to do is get register globals off.  Even if this breaks the site, it's a huge gaping security hole and it's literally been years now that everyone has known this, and the default for it has been off.  Turn that off, and get busy figuring out how to recode.

 

Also, the feedback you got on exiting after the header is very important.

 

One other word of advice, read up on session fixation.  Any time you esclate privileges, like after a login, you should regenerate the session id.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.