
login panel php :S

Newbie Spellweaver
Joined
Jun 19, 2010
Messages
33
Reaction score
0
Hello people \o

I'm trying to create a login panel for players on the site, but Perfect World uses MD5 + salt to register.

Exploitation of the registration:

PHP:
// Build the password hash the way Perfect World expects: md5(login . password),
// written as a MySQL hex literal (0x...) so it can be passed unquoted to adduser().
$Salt = $Login.$Pass;
$Salt = md5($Salt);
$Salt = "0x".$Salt;
mysql_query("call adduser('$Login', $Salt, '0', '0', '0', '0', '$Email', '0', '0', '0', '0', '0', '0', '0', '', '', $Salt)") or die ("Can't execute query.");

// Mirror the account in the e107 user table (was '$email', which is never defined)
mysql_query("INSERT INTO e107_user (user_loginname, user_password, user_email)
VALUES ('$Login', '$Salt', '$Email')") or die ("Account <b>".$Login."</b> has been registered.");

echo "Account <b>".$Login."</b> has been registered.";


Example login system:

PHP:
<?php
ob_start();
include "config.php";

// Read a POST field, or '' when it is missing
function getPost($var)
{
    $val = isset($_POST[$var]) ? $_POST[$var] : '';

    if ( get_magic_quotes_gpc() )
        $val = stripslashes($val);   // stripslashes() returns the new string, it does not change $val in place

    return $val;
}

$Login = getPost('login');
$Pass = getPost('passwd');

if ( empty($Login) || empty($Pass) )
{
    echo "Por favor preencha todos os campos<br>."; exit;
}

//login
$Link = mysql_connect($DBHost, $DBUser, $DBPassword) or die ("Can't connect to MySQL");
mysql_select_db($DBName, $Link) or die ("Database ".$DBName." does not exist.");

// Prevents SQL injection
$Login = mysql_real_escape_string($Login);
$Pass = mysql_real_escape_string($Pass);   // was $Passwd, which is never defined

$rs = mysql_query("SELECT * FROM users WHERE name='$Login'") or die (mysql_error());
$row = mysql_fetch_object($rs);   // false when there is no such user

$user_login = $row ? $row->name : '';
$user_passwd = $row ? $row->passwd : '';

// Same construction as in the registration script
$Salt = $Login.$Pass;
$Salt = md5($Salt);
$Salt = "0x".$Salt;

if ( $row && $user_passwd == $Salt )
{
    echo "<font color=\"green\"><b>User Log *-*</b></font>";
    setcookie("log-PW", "1", time()+3600*24*7, '/');
    header("Location: main.php");
}
else
{
    echo "<font color=\"red\"><b>Error Password</b></font>";
    header("Location: erro.php");
}
?>

I did so, but I'm not getting it. Can someone help me?


Thank you.
 
Black Magic Development
Loyal Member
Joined
Apr 29, 2010
Messages
2,170
Reaction score
600
0x is only there for inserting into the database; if you remove
Code:
"0x".
from your example login system it should work, as PHP is doing a string comparison, so

Code:
md5 <- the one from db
0xmd5 <- what you are trying to compare it to

So when the string comparison runs it sees they aren't equal and that is why it fails. (From my quick glance over anyway)
 
Last edited:
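As an added illustration of the point made above (this is not code from the thread or from the Perfect World scripts), the following stand-alone PHP shows how the registration hash is built, why the "0x" form never equals the bare md5 read back from the database, and one way to normalise the stored value before comparing. The function names and the sample login/password are my own; the branch for a 16-byte raw value assumes a binary column, which depends on the server's schema.

```php
<?php
// Added example for the "0x" discussion; not code from this thread.

// Registration side, exactly as in the first post: md5 over login . password,
// giving 32 lowercase hex characters.
function pwHash(string $login, string $pass): string
{
    return md5($login . $pass);
}

// The "0x" only turns that hex into a MySQL hex literal so it can be passed
// unquoted to adduser(); it is not part of the value the server stores.
function pwHashLiteral(string $login, string $pass): string
{
    return '0x' . pwHash($login, $pass);
}

// Login side. Normalise whatever the database returned to 32 hex characters:
// a "0x..." string (if it was stored quoted, as in the e107_user insert) or
// 16 raw bytes (assumption: the column is binary; depends on the schema).
function normaliseStoredHash(string $stored): string
{
    if (strlen($stored) === 16) {
        return bin2hex($stored);
    }
    $stored = strtolower($stored);
    if (substr($stored, 0, 2) === '0x') {
        $stored = substr($stored, 2);
    }
    return $stored;
}

// hash_equals() compares in constant time, so the result does not leak how
// many leading characters of the two hashes matched.
function passwordMatches(string $stored, string $login, string $pass): bool
{
    return hash_equals(normaliseStoredHash($stored), pwHash($login, $pass));
}

// Constructed sample values.
$login  = 'renan';
$pass   = 'hunter2';
$fromDb = pwHash($login, $pass);   // what a SELECT returns for a bare hex column

var_dump($fromDb === pwHashLiteral($login, $pass));       // the first post's comparison
var_dump(passwordMatches($fromDb, $login, $pass));
var_dump(passwordMatches('0x' . $fromDb, $login, $pass)); // literal form tolerated
var_dump(passwordMatches($fromDb, $login, 'wrong'));
```

The first var_dump is false for exactly the reason given in the reply above (a 34-character string is being compared with a 32-character one); the next two are true and the last is false. Note that normalising the stored value is the right place to handle the prefix: stripping it from the freshly computed hash instead, as suggested, also works, but only while every row was stored in the same format.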
Genesis?Is it a new drug?
Joined
Apr 8, 2010
Messages
512
Reaction score
96
Why don't you use a cookie system?

First create a login page and make it encrypt the password the same way the registration does. And then:

PHP:
setcookie("name", $login, time()+3600); setcookie("passwd", $senha, time()+3600); // cookie names must be quoted strings

config.php:
PHP:
<?php

$host = "192.168.1.65"; // Host, the default value is localhost

$usuariodb="root"; // MySQL connection user

$senhadb="renan"; // MySQL connection password

$db="dbo"; // MySQL database

$tb2="users";

$conexao=mysql_connect ($host, $usuariodb, $senhadb) or die ("<script type=\"text/javascript\">alert('Falha na conexão com o banco de dados');history.back();</script>");
// Do not assign the result back to $db: mysql_select_db() returns a boolean, not the database name
mysql_select_db ($db, $conexao) or die ("<script type=\"text/javascript\">alert('Falha ao selecionar o banco de dados');history.back();</script>");
?>

Cookie validator:
PHP:
<?php
$username = $_COOKIE['name'];
$senha = $_COOKIE['passwd'];
if( (!empty($username)) && (!empty($senha)) )
{
    include "config.php";
    $sql = "SELECT * FROM users WHERE (name='$username') AND (passwd='$senha')";
    $resultado = mysql_query($sql, $conexao);

    if(mysql_num_rows($resultado) == 1)
    {
        if($username!=mysql_result($resultado,0,"name"))
        {
            if($senha!=mysql_result($resultado,0,"passwd"))
            {
                setcookie("name",$username,time()+3600); setcookie("passwd",$senha,time()+3600);
                echo "<br /><br /><center><font style=\"font-family: Tahoma, Geneva, sans-serif; font-weight: bold; color: #bbbbbb; font-size: 14px;\"><center>Você não efetuou o login. username e senha errados <a href=index.php> Logar </a></font></center>"; exit;
            }
        }
    }
    else
    {
        setcookie("name",$username,time()+3600); setcookie("passwd",$senha,time()+3600);
        echo "<br /><br /><center><font style=\"font-family: Tahoma, Geneva, sans-serif; font-weight: bold; color: #bbbbbb; font-size: 14px;\">Você não efetuou o login. - 1 <a href=index.php> Logar </a><meta http-equiv='refresh' content='2;URL=index.php'></font></center>";
        exit;
    }
}
else
{
    echo "<br /><br /><center><font style=\"font-family: Tahoma, Geneva, sans-serif; font-weight: bold; color: #bbbbbb; font-size: 14px;\">Você não efetuou o login. - 2 <a href=index.php> Logar </a><meta http-equiv='refresh' content='2;URL=index.php'></font></center>";
    exit;
}
mysql_close($conexao);
?>

And then include the cookie validator in the userCP index.

PS: using time()+3600 will make the cookie last 1 hour.
 
Last edited:
Genesis?Is it a new drug?
Joined
Apr 8, 2010
Messages
512
Reaction score
96
Add me on MSN: cmVuYW5waXJlc2JyaXR6QGhvdG1haWwuY29t

I can't post my MSN here, so try to figure it out g.g
 
Junior Spellweaver
Joined
Dec 11, 2010
Messages
101
Reaction score
110
For the sake of security, I have to post this.

Cookie validator:
PHP:
<?php
$username = $_COOKIE['name'];
$senha = $_COOKIE['passwd'];
if( (!empty($username)) && (!empty($senha)) )
{
    include "config.php";
    $sql = "SELECT * FROM users WHERE (name='$username') AND (passwd='$senha')";
    $resultado = mysql_query($sql, $conexao);

    /* Hi exploit!!
       $_COOKIE['name'] = Some User's Username
       $_COOKIE['passwd'] = ') OR ('1'='1

       If they set their client-side cookies to those values
       they can log in as anyone. As well as cause massive
       damage to your database if they so choose with the proper
       SQL query.
    */
    // ...
?>

Just by looking at this code, I can tell you right now that there's a very serious exploit in it (A SQL Injection to be precise, read my comments). You might want to be more careful on how you handle user data.

---
On a side note, I wrote a very secure php-based perfect world API a couple of months back. I've yet to release it, as the person I was going to release it to disappeared. I'll release it here in a couple of weeks once I get back from vacation and polish it.
 
Genesis?Is it a new drug?
Joined
Apr 8, 2010
Messages
512
Reaction score
96
For the sake of security, I have to post this.



Just by looking at this code, I can tell you right now that there's a very serious exploit in it (A SQL Injection to be precise, read my comments). You might want to be more careful on how you handle user data.

---
On a side note, I wrote a very secure php-based perfect world API a couple of months back. I've yet to release it, as the person I was going to release it to disappeared. I'll release it here in a couple of weeks once I get back from vacation and polish it.

Every function of my website has a different SQL user... I NEVER use root. The users I create have fewer permissions than the others. Anyway, is there something to prevent this client-side SQL injection?
 
Last edited:
Junior Spellweaver
Joined
Dec 11, 2010
Messages
101
Reaction score
110
Every function of my website has a different SQL user... I NEVER use root. The users I create have fewer permissions than the others. Anyway, is there something to prevent this client-side SQL injection?

A simple mysql_real_escape_string should take care of it. Also, use functions like strlen to make sure, if it's a hashed value being saved as the cookie password, that it matches the md5 hash length. Another safer way to handle logging in and out is to just pull where the username is equal to the input, then compare the passwords in code.
 
Junior Spellweaver
Joined
Dec 11, 2010
Messages
101
Reaction score
110
addslashes and ereg are enough?

NO! Absolutely not. Here, I looked up some key words on Google to see if I could find a good example. This article goes over the multibyte exploit:

Just trust mysql_real_escape_string.
 
Genesis?Is it a new drug?
Joined
Apr 8, 2010
Messages
512
Reaction score
96
Alright, so the correct thing to use is mysql_real_escape_string($_POST['login']); and mysql_real_escape_string($_COOKIE['name'])???
 
Last edited:
Junior Spellweaver
Joined
Dec 11, 2010
Messages
101
Reaction score
110
Alright, so the correct thing to use is mysql_real_escape_string($_POST['login']); and mysql_real_escape_string($_COOKIE['name'])???

Yes, just make sure you have a connection to the MySQL database before using it, as mysql_real_escape_string uses a built-in MySQL function.
 
Genesis?Is it a new drug?
Joined
Apr 8, 2010
Messages
512
Reaction score
96
mysql_real_escape_string doesn't escape % and _ and '.

What if I use this function:


PHP:
<?php
function anti_injection($sql)
{
    // The /i modifier replaces sql_regcase(), which no longer exists in PHP 7
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i","",$sql); //Remove the SQL commands
    $sql = strip_tags($sql);//remove html and php tags
    $sql = addslashes($sql);//Add slashes to the strings
    $sql = mysql_real_escape_string($sql);
    return $sql;
}

$nome = anti_injection($_POST["name"]);
$senha = anti_injection($_POST["password"]);

?>
 
Junior Spellweaver
Joined
Dec 11, 2010
Messages
101
Reaction score
110
mysql_real_escape_string doesn't escape % and _ and '.

Incorrect, it does escape single quotes. That's one of its main features.

What if I use this function:

PHP:
<?php
function anti_injection($sql)
{
    // The /i modifier replaces sql_regcase(), which no longer exists in PHP 7
    $sql = preg_replace("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i","",$sql); //Remove the SQL commands
    $sql = strip_tags($sql);//remove html and php tags
    $sql = addslashes($sql);//Add slashes to the strings
    $sql = mysql_real_escape_string($sql);
    return $sql;
}

$nome = anti_injection($_POST["name"]);
$senha = anti_injection($_POST["password"]);

?>

Mmm, it'll work if you use addslashes and then mysql_real_escape_string. It just seems like overkill. The data will end up something like this.

Before
SELECT * FROM users WHERE (name='Someone') AND (passwd='') OR (1=1) -- ')

After addslashes
SELECT * FROM users WHERE (name='$username') AND (passwd='\') OR (1=1) -- ')

After mysql_real_escape_string
SELECT * FROM users WHERE (name='$username') AND (passwd='\\\') OR (1=1) -- ')

Anyways, yes, that'll take care of most attacks. I still think it's ideal to only query for the username though. As it creates security through obscurity.

PHP:
<?php
// ...MySQL connection here
// anti_injection() as defined earlier in the thread
$username = anti_injection( $_COOKIE['name'] );
$password = anti_injection( $_COOKIE['password'] );

$query = mysql_query( "SELECT * FROM users WHERE name = '{$username}'" );

$result = mysql_fetch_array( $query ); // one row, or false when no user matched

if ( $result !== false )
{
	// mysql_fetch_array() returns a single row, so there is no [0] index
	if ( $result['passwd'] == $password )
	{
		// Password correct
	}
	else
	{
		// Password incorrect
	}
}
else
{
	// No user by that name
}
 
Last edited:
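To tie together the injection shown in the "Hi exploit!!" comment earlier in the thread and the query-by-username pattern in the last post, here is an added, stand-alone example (my code, not anything posted in this thread or shipped with Perfect World). It uses PDO with an in-memory SQLite database in place of the MySQL users table so it runs offline; the table layout, the sample user and all function names are constructed for the demonstration. The cookie payload is the one quoted in the thread.

```php
<?php
// Added example, not code from this thread. PDO + in-memory SQLite stands in
// for the MySQL users table; table, sample row and function names are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, passwd TEXT NOT NULL)');
$db->prepare('INSERT INTO users (name, passwd) VALUES (?, ?)')
   ->execute(['renan', md5('renan' . 'hunter2')]);   // constructed user

// 1. The cookie validator's query, built by string concatenation.
//    Returns how many rows came back.
function findUserConcat(PDO $db, string $name, string $passwd): int
{
    $sql = "SELECT * FROM users WHERE (name='$name') AND (passwd='$passwd')";
    return count($db->query($sql)->fetchAll());
}

// 2. The same lookup as a prepared statement. The values are bound after the
//    SQL text has been parsed, so they cannot change the WHERE clause.
function findUserPrepared(PDO $db, string $name, string $passwd): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND passwd = ?');
    $stmt->execute([$name, $passwd]);
    return count($stmt->fetchAll());
}

// 3. The shape suggested in the last post: fetch by name only and compare the
//    hash in PHP. hash_equals() keeps the comparison constant-time.
function loginByName(PDO $db, string $name, string $pass): bool
{
    $stmt = $db->prepare('SELECT passwd FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // no user by that name
    }
    return hash_equals($row['passwd'], md5($name . $pass));
}

// 4. The keyword blacklist from anti_injection() (the /i modifier replaces the
//    removed sql_regcase()). Included only to show that it rewrites legitimate
//    input, which parameter binding never does.
function sqlWordBlacklist(string $s): string
{
    return preg_replace('/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/i', '', $s);
}

// The cookie values quoted in the thread.
$name    = 'renan';
$payload = "') OR ('1'='1";

var_dump(findUserConcat($db, $name, $payload));    // the payload closes the passwd literal and appends OR ('1'='1')
var_dump(findUserPrepared($db, $name, $payload));  // looks for a password literally equal to the payload
var_dump(loginByName($db, $name, 'hunter2'));
var_dump(loginByName($db, $name, 'wrong'));
var_dump(sqlWordBlacklist('Froman'));               // "From" is removed as an SQL keyword
```

Run as written, the concatenated query returns the user's row (count 1) although no valid password was supplied, the prepared version returns none, loginByName() is true only for the real password, and the blacklist turns the user name "Froman" into "an". The practical takeaway for the thread's code: bind every cookie or POST value as a parameter and drop the keyword stripping, the escaping functions then become unnecessary rather than merely "overkill".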