MD5 Hashing Insecure

kafecadm · May 7, 2020, 9:28pm

ancr2001:

kafecadm,

I really appreciate you figuring this out. However, I’m having issues after following your instructions. I created a new user with the first php code and then replaced the event on login with the second set of code. I increased the DB field to 64 to contain the 512 hash. When I attempt to log in with the new user under SHA512, I get a 1054: Unknown column ‘c2c6161a45329e01d419c10374bd89604f5ab95466f1d6cab716927d61fdd968817285e3b95074de6257b145c5d8604c20d4f5aec52258b5a5a8ebbb6cd3df3b’ in ‘where clause’. I search online for help and can only find a Stack Overflow thread mentioning the treatment of strings with a ’ mark. I attempted to change the code with different combinations of ’ " but with no success. From other replies on this thread, it seems like your solution works. What am I doing wrong?
$slogin = sc_sql_injection({login});
$spswd = hash('sha512',{pswd});

$sql = "SELECT
s.priv_admin,
s.active,
s.name,
s.email,
s.emp_id,
s.comp_id,
e.c_member,
s.group_id
FROM sdh_sec_users s
join emp_comp_access e on e.login = s.login and s.comp_id = e.c_member
WHERE e.login = ".$slogin."
AND s.pswd = ".$spswd."";

sc_lookup(rs, $sql);

Hello Man:

Have you figure what your problem is?.. remember that you are comparing a string so the login and the password must be enclosed in single quotes… the sc_sql_injection function encloses the login but the password is not… so change your SQL statement to:


$slogin = sc_sql_injection({login});
$spswd = hash('sha512',{pswd});

$sql = "SELECT
s.priv_admin,
s.active,
s.name,
s.email,
s.emp_id,
s.comp_id,
e.c_member,
s.group_id
FROM sdh_sec_users s
join emp_comp_access e on e.login = s.login and s.comp_id = e.c_member
WHERE e.login = ".$slogin."
AND s.pswd = '".$spswd."'";

sc_lookup(rs, $sql);

regards

Giu · May 7, 2020, 8:55pm

Adding to kafe post. The reason you don’t need to enclose $slogin on single quotes is due to sql_injection macro, but you are not using it on $spswd, then, you have to enclose on single quotes $spswd to be a string on the SQL

ancr2001 · May 7, 2020, 8:58pm

Thanks guys, all is working now!

aducom · May 7, 2020, 8:58pm

If you go to the routine in the application you can change it any way you like. A tutorial is too much, you’ll find loads of samples here: http://www.w3schools.com/php/func_string_sha1.asp

MikeDE · May 7, 2020, 8:58pm

Thank you Albert, I used sha512 and everything works fine by the way, I sent you a mail few days back.

aducom · May 7, 2020, 8:58pm

Hi Mike,

I haven’t received that. Will look into my spamboxes.
I haven’t found any messages of you in my spamdrain boxes. When did you send it? Can you send it again to a dot drent at aducom dot com?

b.r. Albert

MikeDE · May 7, 2020, 8:58pm

thank you Albert, i saw your reply, maybe you want to remove your encoded email above, spammers will use it to add the method to their dictionary loool

aducom · May 7, 2020, 8:58pm

They already have it. Have spamdrain on it which works perfectly fine.