Sniping plain passwords19 May 2019
The title of the article might reminisce of old articles like Aleph One’s “Smashing the stack for fun and profit” [link], the reason for this is to put you back in the mindset of those days.
The subject of this short article is how you could “theoretically” identify targets using plain-text passwords in your target’s databases. Now, this theory might not exploit your target but it can help you out identifying the level of security your target is implementing. This might lead you to think of your level of attack.
To find out if your target is being insecure with their password storage you have to think about how PHP implements its password storage nowadays.
At least with PHP, you can see there is at least one query to the database. This query will get the user from the database:
The code above on line #16 you will see on line 16 that the password provided is being checked against the password in the database.
This means you can only have one user with the same username in the database at any given time. This is also the reason why websites now days require username’s to be unique. (important)
While back in the day
Back in the day, this process was different. Because passwords were stored in plain-text in the database you could have multiple users accounts with the same username but with different passwords.
Let’s say you went to example.com a website without secure password storage. Because it uses this old technique old storing passwords in plain-text we can register 2 different users with the same username but with two different passwords.
For account the second account we use the following credentials.
If we use these credentials and log in we will trigger 2 queries.
This will mean that there is no way the first (modern PHP) could have been used. Just by the fact that we have two accounts with the same username will tell you as the attacker that at least in the world of PHP this database is the golden grail. Why? Just because having 2 of the same username’s with different passwords simply is not possible.
Sometimes you think too hard about gathering information. The information might be staring you in the face. Using this method doesn’t mean you can hack your target with ease but it will help you in asses the level of security a website has.
Another attack vector like this one is making 2 different accounts like we did above and change the email address of the second account to the email of the first account. If this is allowed you might request a new password on account B where you can reset the password for account A. Its simple things like these that could trigger an account takeover (i might make a blog about this later).
I will see you guys later,