Give a right username and a right password and you're in...
-
I was asked to make small amendments to an ages old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MSAccess) I should look for valid credentials... Behold (some details left out/altered to protect involved parties):
Dim msg
msg=""
Dim sql
sql="SELECT * FROM USERS WHERE (usr= '" + username +"')"Dim rs
Set rs = Server.CreateObject("ADODB.Recordset")
rs.ActiveConnection = dbconnSTRING
rs.Source = sql
rs.CursorType = 0
rs.CursorLocation = 2
rs.Open()if rs.Eof And rs.Bof then
msg="Invalid username"
end if
sql="SELECT * FROM USERS WHERE (pswd= '"+ password +"')"
rs.Close()
rs.Open(sql)
if rs.Eof And rs.Bof then
if msg="Invalid username" then
msg="Invalid username and password"
else
msg="Invalid password"
end if
end ifSo basically if I know your username and I have my own account, I can use your username and my password and log in as you... Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
-
I was asked to make small amendments to an ages old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MSAccess) I should look for valid credentials... Behold (some details left out/altered to protect involved parties):
Dim msg
msg=""
Dim sql
sql="SELECT * FROM USERS WHERE (usr= '" + username +"')"Dim rs
Set rs = Server.CreateObject("ADODB.Recordset")
rs.ActiveConnection = dbconnSTRING
rs.Source = sql
rs.CursorType = 0
rs.CursorLocation = 2
rs.Open()if rs.Eof And rs.Bof then
msg="Invalid username"
end if
sql="SELECT * FROM USERS WHERE (pswd= '"+ password +"')"
rs.Close()
rs.Open(sql)
if rs.Eof And rs.Bof then
if msg="Invalid username" then
msg="Invalid username and password"
else
msg="Invalid password"
end if
end ifSo basically if I know your username and I have my own account, I can use your username and my password and log in as you... Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
:thumbsup: A thing of beauty. Thanks for immortalizing it here. P.S. I'll also take a moment to point out that such a validation routine should never indicate what went wrong, only that it failed. Telling a potential baddy that the user name doesn't exist makes his job easier -- he's simply stop trying that username and move on to the next without trying any more passwords.
-
I was asked to make small amendments to an ages old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MSAccess) I should look for valid credentials... Behold (some details left out/altered to protect involved parties):
Dim msg
msg=""
Dim sql
sql="SELECT * FROM USERS WHERE (usr= '" + username +"')"Dim rs
Set rs = Server.CreateObject("ADODB.Recordset")
rs.ActiveConnection = dbconnSTRING
rs.Source = sql
rs.CursorType = 0
rs.CursorLocation = 2
rs.Open()if rs.Eof And rs.Bof then
msg="Invalid username"
end if
sql="SELECT * FROM USERS WHERE (pswd= '"+ password +"')"
rs.Close()
rs.Open(sql)
if rs.Eof And rs.Bof then
if msg="Invalid username" then
msg="Invalid username and password"
else
msg="Invalid password"
end if
end ifSo basically if I know your username and I have my own account, I can use your username and my password and log in as you... Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
-
I was asked to make small amendments to an ages old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MSAccess) I should look for valid credentials... Behold (some details left out/altered to protect involved parties):
Dim msg
msg=""
Dim sql
sql="SELECT * FROM USERS WHERE (usr= '" + username +"')"Dim rs
Set rs = Server.CreateObject("ADODB.Recordset")
rs.ActiveConnection = dbconnSTRING
rs.Source = sql
rs.CursorType = 0
rs.CursorLocation = 2
rs.Open()if rs.Eof And rs.Bof then
msg="Invalid username"
end if
sql="SELECT * FROM USERS WHERE (pswd= '"+ password +"')"
rs.Close()
rs.Open(sql)
if rs.Eof And rs.Bof then
if msg="Invalid username" then
msg="Invalid username and password"
else
msg="Invalid password"
end if
end ifSo basically if I know your username and I have my own account, I can use your username and my password and log in as you... Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
Bah, I don't need a valid username OR a valid password...
Username: 'or''='
Password: 'or''='I know, I know... I'm supposed to drop/wipe the table, but that's just mean.
Proud to have finally moved to the A-Ark. Which one are you in?
Author of the Guardians Saga (Sci-Fi/Fantasy novels) -
I was asked to make small amendments to an ages old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MSAccess) I should look for valid credentials... Behold (some details left out/altered to protect involved parties):
Dim msg
msg=""
Dim sql
sql="SELECT * FROM USERS WHERE (usr= '" + username +"')"Dim rs
Set rs = Server.CreateObject("ADODB.Recordset")
rs.ActiveConnection = dbconnSTRING
rs.Source = sql
rs.CursorType = 0
rs.CursorLocation = 2
rs.Open()if rs.Eof And rs.Bof then
msg="Invalid username"
end if
sql="SELECT * FROM USERS WHERE (pswd= '"+ password +"')"
rs.Close()
rs.Open(sql)
if rs.Eof And rs.Bof then
if msg="Invalid username" then
msg="Invalid username and password"
else
msg="Invalid password"
end if
end ifSo basically if I know your username and I have my own account, I can use your username and my password and log in as you... Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
-
Bah, I don't need a valid username OR a valid password...
Username: 'or''='
Password: 'or''='I know, I know... I'm supposed to drop/wipe the table, but that's just mean.
Proud to have finally moved to the A-Ark. Which one are you in?
Author of the Guardians Saga (Sci-Fi/Fantasy novels)Nah, username and password were sanitized earlier in the code. Surprisingly, the sanitization routine is pretty solid (probably copy-pasted from elsewhere though, seems quite out-of-place in terms of coding style).
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
-
I think the lesson you can derive from this is to teach the developer who wrote this what the AND keyword means in SQL syntax.
Actually, the person who originally wrote this little gem currently has something close to 25 years of active development under their belt, with extensive SQL work as well. I've seen other samples of their work, written about the same time as this, and they are REALLY better than this. So this leads me to think that they were smoking something REALLY good when they wrote this.
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
-
Actually, the person who originally wrote this little gem currently has something close to 25 years of active development under their belt, with extensive SQL work as well. I've seen other samples of their work, written about the same time as this, and they are REALLY better than this. So this leads me to think that they were smoking something REALLY good when they wrote this.
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
Or as a back door?
-
Or as a back door?
-
I was asked to make small amendments to an ages old ASP Classic website. So I tried to log into the "administration" area, didn't know what username/password to use, and opened up the code to see where in the database (MSAccess) I should look for valid credentials... Behold (some details left out/altered to protect involved parties):
Dim msg
msg=""
Dim sql
sql="SELECT * FROM USERS WHERE (usr= '" + username +"')"Dim rs
Set rs = Server.CreateObject("ADODB.Recordset")
rs.ActiveConnection = dbconnSTRING
rs.Source = sql
rs.CursorType = 0
rs.CursorLocation = 2
rs.Open()if rs.Eof And rs.Bof then
msg="Invalid username"
end if
sql="SELECT * FROM USERS WHERE (pswd= '"+ password +"')"
rs.Close()
rs.Open(sql)
if rs.Eof And rs.Bof then
if msg="Invalid username" then
msg="Invalid username and password"
else
msg="Invalid password"
end if
end ifSo basically if I know your username and I have my own account, I can use your username and my password and log in as you... Nice eh?
Φευ! Εδόμεθα υπό ρηννοσχήμων λύκων! (Alas! We're devoured by lamb-guised wolves!)
Code from the time that Sex was safe and flying dangerous ;P
-
Code from the time that Sex was safe and flying dangerous ;P
-
:thumbsup: A thing of beauty. Thanks for immortalizing it here. P.S. I'll also take a moment to point out that such a validation routine should never indicate what went wrong, only that it failed. Telling a potential baddy that the user name doesn't exist makes his job easier -- he's simply stop trying that username and move on to the next without trying any more passwords.