
Yet another PHP login script, please help


ghost wrote:

Hello,

I've recently found a PHP login on a site that might be exploitable… I've looked it up and found the source code, but I don't really know if this is exploitable… I found this code snippet:

```php
  $ok = explode(":",$HTTP_COOKIE_VARS["mcPass"]);
  if(empty($ok[0])){ header ("location:http://$HTTP_HOST/mcPass.php?go=$PHP_SELF"); }
  ?>
```

and later on, it says:

```php
function PassCookie ($user,$pwd)
{
SetCookie("VALUE", "$user:$pwd");
}
```

I guess that some cookie exploit is possible? Any help would be highly appreciated =)


ghost wrote:

Unencrypted cookies? I donno, I need the whole script.


ghost wrote:

Good evening and thanks for your quick answer =) Here is the whole code:

```php
<?
// Configuration MySQL - Set this
$host="";
$login="";
$pass="";
$base="";


// Language - Set this
$lErrLog= "Nom Incorrect";            // "Wrong Login";
$lErrPass= "Mot de Passe Incorrect";  // "Wrong Password";
$lLogin= "Nom";                       // "Login";
$lPass= "Mot de Passe";               // "Password";
$lValider= "Valider";                 // "Submit";

/*
------------------------------------------------------------------------
--------------
-----------------
------------------------------------------------------------------------
-----------------
  <?
  $ok = explode(":",$HTTP_COOKIE_VARS["mcPass"]);
  if(empty($ok[0])){ header ("location:http://$HTTP_HOST/mcPass.php?go=$PHP_SELF"); }
  ?>
------------------------------------------------------------------------
-----------------
------------------------------------------------------------------------
-----------------
*/
if(!$go)
{
$connect= mysql_connect($host,$login,$pass);
mysql_select_db($base, $connect);
$result = mysql_list_tables ($base);
  $i = 0;
  while ($i < mysql_num_rows($result)) {
    $tb_names[$i] = mysql_tablename ($result, $i);
    if ($tb_names[$i]=="mcpass_tbl") $table=1;
    $i++;
  }

   if ($table==1)
   {
   $install= 'Running';
   }
}

if((isset($SubInst))&&($b==md5($base)))
{
         $connect= mysql_connect($host,$login,$pass);
         mysql_select_db($base, $connect);
         $query="DROP TABLE IF EXISTS mcpass_tbl;";
         mysql_query($query);
         $query="CREATE TABLE mcpass_tbl (
         user varchar(20) NOT NULL default '',
         pwd varchar(20) NOT NULL default '',
         KEY user (user)
         ) TYPE=MyISAM;";
         mysql_query($query);

         $query="insert into mcpass_tbl values('$user', '$pwd')";
         mysql_query($query, $connect);

         $query="select * from mcpass_tbl";
         $res=mysql_query($query);
         $aff=mysql_fetch_array($res);
}


function mcPassCookie ($user,$pwd)
{
SetCookie("mcPass", "$user:$pwd");
}


         if(isset($submit))
         {
         $connect= mysql_connect($host,$login,$pass);
         mysql_select_db($base, $connect);
         $query="select * from mcpass_tbl where user='$user'";
         $res=mysql_query($query);
         $verif=mysql_fetch_array($res);

                 if($pwd==$verif[pwd] && mysql_num_rows($res)!=0)
                 {
                 mcPassCookie($user,$pwd);
                 ?>
                 <SCRIPT TYPE="text/javascript" LANGUAGE="JavaScript">
                 document.location.replace("<? echo $go.''; ?>");
                 </script>
                 <?
                 }
                 elseif (mysql_num_rows($res)==0)  $Err1=$lErrLog;
                 else                              $Err2=$lErrPass;
         }

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>mcPass</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<META HTTP-EQUIV="Expires" CONTENT="Fri, Jan 01 1900 00:00:00 GMT">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Cache-Control" CONTENT="no-cache">
<style type="text/css">
<!--
a:actif {  font-family: Verdana; color: black; text-decoration: none}
a:link {  font-family: Verdana; color: black; text-decoration: none}
a:visited {  font-family: Verdana; color: black; text-decoration: none}
a:hover {  font-family: Verdana; color: white; text-decoration: none}
-->
</style>
</head>
<body bgcolor="#C0C0C0" text="black">
<p align="right"><font face="verdana" size="5" color="black">

 <?
 if((!$go)&&(!$install))   echo ' - Set Up';
 if ((!$go)&&(isset($install)))
 {
 echo ' is running.</font></p><hr>';
 echo '<p align="right"><a href="http://'.$HTTP_HOST.'"><b>OK</b></a></p>';
 echo '</body></html>';
 exit();
 }
 ?>
 </font>
</p><hr>

<form action="mcPass.php" method="get">
  <table align="right">
    <tr>
      <td align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>
      <?
      if(isset($Err1))
      {
      echo '<font color="red" size="2" face="verdana"><b>'.$Err1.'! </b></font>';
      }
      echo $lLogin;
      ?>
       : </b></font>
      </td>
      <td>
      <?
      if (isset($aff[0])) echo '<font color="red" size="2" face="verdana"><b>'.$aff[0].'</b></font>';
      else echo '<input type="text" name="user" value="'.$user.'">';
      ?>
      </td>
    </tr>
    <tr>
      <td align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>
      <?
      if(isset($Err2))
      {
      echo '<font color="red" size="2" face="Verdana"><b>'.$Err2.'! </b></font>';
      }
      echo $lPass;
      ?>
       :</b></font>
      </td>
      <td>
      <?
      if (isset($aff[1])) echo '<font color="red" size="2" face="verdana"><b>'.$aff[1].'</b></font>';
      else echo '<input type="password" name="pwd">';
      ?>
      </td>
    </tr>
    <tr>
      <td>
      </td>
      <td>
        <?
        if((!$go)&&(!$SubInst))
        {
        echo '<input type="submit" name="SubInst" value="'.$lValider.'">';
        echo '<input type="hidden" name="b" value="'.md5($base).'">';
        }
        elseif(isset($SubInst)) echo '<a href="http://'.$HTTP_HOST.'"><b>OK</b></a>';
        else
        {
        echo '<input type="submit" name="submit" value="'.$lValider.'">';
        echo '<input type="hidden" name="go" value="'.$go.'">';
        }
        ?>
      </td>
     </tr>
  </table>

</form>
<br><br><br><br><br><br>
<br><br><br><br><br><br>
<p align="center">

</p>
</body>
</html>
```

Thanks in advance =)

spyware wrote:

moshbat wrote: At a ten-second glance (and I may be wrong), I didn't see any filtering on the queries…

Ctrl+F "function" { PassCookie (no filtering) }

Ctrl+F "reg" { no hits }

Nope. Nothing.


ghost wrote:

That site is either using register_globals, or you're missing something in the source. How did you get it? Is it a live page or an inactive, older version of a live one? Did you leave out includes / some kind of templating / sensitive pieces of code?

Describe, don't compromise. Through all posting, we must keep the very limited forum rules in mind.


ghost wrote:

moshbat wrote: Looks like a pre-built CMS to me. Commenting is a BIG BIG giveaway. I mean, do you ever use comments like that?

Well, no… but, then again, the code is amateurish in nature and somewhat peculiar. I agree that it looks like some sort of package to me but, without the parts that we're not seeing in relation to this one, it's not going to make much sense. Looks like some goofy 0-use login script… at a glance. :P


ghost wrote:

@Zephyr_Pure: I saw that the login is called mcpass.php… a bit of Googling gave me the same script, called mcPass. It's a very old script and is for sure running on old PHP versions. The only thing I left out is the information about the coder and his comments. @all: I got the code from http://www.phpforums.net The queries aren't filtered, but the server is using mysql_real_escape_string, so no luck there.

P.S: I can't get the info whether register_globals is on or off


ghost wrote:

Oh, and I always thought (through Google articles) that mysql_escape_string was the ultimate solution against SQL injections… thanks, gonna work in that direction ;) I also thought that cookie modifying could bring the same result (aka logging in as admin), but I'm not sure for now; it may also be that I haven't baked the right cookie till now ;)


ghost wrote:

Yea, I know, but I thought that I could just create a random cookie which the script should accept… donno if this works though


SySTeM wrote:

mysql_real_escape_string() > mysql_escape_string() > addslashes().


ghost wrote:

buddinger wrote: Oh, and I always thought (through Google articles) that mysql_escape_string was the ultimate solution against SQL injections…

It is merely the best language-provided default function for handling SQL injections. The list of common characters that it escapes is here:

http://us.php.net/mysql_real_escape_string

Ultimately, though, real_escape_string is only one step in securing your queries.
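As an added example (not code from the thread or from the mcPass script), here is the same login rebuilt so that neither weakness discussed above survives: the `where user='$user'` query assembled from raw input, and the `mcPass` cookie that stores `user:pwd` and is only ever checked for being non-empty. It assumes a PDO handle `$pdo`, a `pwd_hash` column holding `password_hash()` output, and a server-side `$secret` used only to sign the cookie (all three are hypothetical).

```php
<?php
declare(strict_types=1);

// Added example, not the mcPass script: a bound parameter keeps user input out of the SQL text,
// and password_verify() compares against a hash, so the table never holds a plaintext pwd.
function checkLogin(PDO $pdo, string $user, string $pwd): bool
{
    $stmt = $pdo->prepare('SELECT pwd_hash FROM mcpass_tbl WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A missing row and a wrong password fail the same way; nothing about the user list leaks.
    return $row !== false && password_verify($pwd, $row['pwd_hash']);
}

const COOKIE_TTL = 3600; // seconds a login stays valid (assumed value)

// Cookie value = base64(user) : expiry : HMAC over both. Without $secret a client cannot
// produce a valid MAC, so "baking" a cookie with a chosen user name no longer works.
function makeSessionCookie(string $user, string $secret, int $now): string
{
    $payload = base64_encode($user) . ':' . ($now + COOKIE_TTL);
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user name only if the MAC is authentic and the expiry has not passed; otherwise null.
// This replaces the original gate, which accepted any cookie whose first field was non-empty.
function verifySessionCookie(?string $cookie, string $secret, int $now): ?string
{
    if ($cookie === null) return null;
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) return null;
    [$b64user, $exp, $mac] = $parts;
    $payload = $b64user . ':' . $exp;
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) return null;
    if (!ctype_digit($exp) || (int)$exp < $now) return null;
    $user = base64_decode($b64user, true);
    return $user === false ? null : $user;
}

// Usage at login time, in place of mcPassCookie($user,$pwd) from the thread. Credentials are
// read from a POST body rather than the query string, and the cookie is HttpOnly and Secure.
// if (checkLogin($pdo, $_POST['user'] ?? '', $_POST['pwd'] ?? '')) {
//     setcookie('mcPass', makeSessionCookie($_POST['user'], $secret, time()),
//               ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
// }
// On protected pages: $user = verifySessionCookie($_COOKIE['mcPass'] ?? null, $secret, time());
```

The cookie still carries the user name in the clear; what changes is that the name is bound to a MAC the server alone can compute, so editing the cookie is detected rather than trusted.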