SQL injection with raw MD5 hashes (Leet More CTF 2010 injection 300) – cvk | nc -l -p 80.
Hacking like this is fascinating to me. If you work at all on the server side, it’s your responsibility to be up-to-date with exploits in the code you write.
Over the years, it’s become obvious that many programmers rely on md5 in PHP for a number of reasons, the most common of which can be considered the ‘safe’ generation of a string hash for use either in database queries or command line executions. Turns out it’s not as safe as we may have thought. Taking a look at the exploit explanation reveals an extremely clever way of exploiting a password entry field using a brute force md5 algorithm. Neat stuff!
Comments
Gah, this article has been doing the rounds today and is driving me insane for two reasons. Firstly, it relies on the developer having explicitly set PHP’s md5() function to return raw output. In all the applications I have ever written in PHP I have only ever needed to do this once.
Secondly, and *much* more importantly, no developer should be hashing a string WITHOUT A SALT! MD5 has not only been compromised for years, there are reverse tables floating around the Internet. Append a salt and you make this kind of attack, and any subsequent data leak, completely irrelevant.
It was an impressive attack, no doubt. But this is not real world stuff.
You’re totally right, the environment isn’t common per-se, but it’s the cleverness of the approach that I like. If for nothing else it can serve as a reminder to salt your hashes, right?