Cheat Engine The Official Site of Cheat Engine
lautrec How do I cheat?
Reputation: 0
Joined: 01 Apr 2011 Posts: 4
|
Posted: Fri Apr 01, 2011 7:24 pm Post subject: Crypted data hacking |
|
|
My question is not really gaming-related. My goal is this SQL-based application (image attached), which provides access to a set of tools after the user types his login and password. Although passwords are stored on a remote server (LAN), I noticed that every time someone types his username, in this case 100986, and switches to the password field, there is a small delay in which the app requests data from the server. So, when someone types in a password, the app checks it without the need of the server. In other words, the password is temporarily stored in the memory of the client's computer. I was wondering if, knowing the password for some user, I could search for it using CE, locate the address, and then, typing another username, that old password (which I know) would be replaced with the other one's password (which I want to know). Does anyone understand my goal? The problem, though, is that this program may encrypt the data. Anyway, would it be possible using CE?
Edit: Lol, I can't post the image's URL nor an attachment. If anybody understands even without it, it would be really appreciated.
|
|
| Back to top |
|
 |
Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
|
Posted: Fri Apr 01, 2011 9:20 pm Post subject: |
|
|
It would be stupid if the password for a server were stored locally. Anyway, I don't think anyone wants to help you with this as it doesn't seem to be a legal activity, whether it is possible or not.
_________________
|
|
| Back to top |
|
 |
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8585 Location: 127.0.0.1
|
Posted: Sat Apr 02, 2011 9:02 am Post subject: |
|
|
Possible, yes, but depending on how the application is written, the password location may change due to being allocated for a short time, checked against, then removed. Again, that depends on how the application is written.
If it is doing this, you may want to advise the person who wrote it that storing the password before the user has even made a single successful login is a huge security risk to his database / software in general.
_________________
- Retired. |
|
| Back to top |
|
 |
lautrec How do I cheat?
Reputation: 0
Joined: 01 Apr 2011 Posts: 4
|
Posted: Sat Apr 02, 2011 9:24 am Post subject: |
|
|
Yes, it would be a huge security issue to a database.
Thanks anyway!
|
|
| Back to top |
|
 |
AhMunRa Grandmaster Cheater Supreme
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
|
Posted: Mon Apr 04, 2011 9:24 am Post subject: |
|
|
Generally with SQL there are more ways to crack the app than the app storing the credentials. You could use blind SQL injection techniques to trick the server into thinking you are authenticated. My preferred method is to create a custom SQL client that sends a null byte as a login. There used to be a bug in the SQL implementation that, no matter the security on a server, would allow you in as root. This is an old bug and was commonly known; it has since been fixed, which is the only reason I mentioned it.
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.> |
|
| Back to top |
|
 |
lautrec How do I cheat?
Reputation: 0
Joined: 01 Apr 2011 Posts: 4
|
Posted: Tue Apr 05, 2011 12:49 pm Post subject: |
|
|
| AhMunRa wrote: | | Generally with SQL there are more ways to crack the app than the app storing the credentials. You could use blind SQL injection techniques to trick the server into thinking you are authenticated. My preferred method is to create a custom SQL client that sends a null byte as a login. There used to be a bug in the SQL implementation that, no matter the security on a server, would allow you in as root. This is an old bug and was commonly known; it has since been fixed, which is the only reason I mentioned it. |
Yes, I also considered doing an injection, but I have no idea on how to start! For example, when logging in to the same server, the following information was sniffed:
| Code: |
........SELECT APLCOD, APLNOME, APLKEY, APLEXE, APLSTATUS, APLUSEIDREDE, APLUSELOGIN, APLTENTLOGIN, APLDIASSENHA, APLUSEAUDIT, APLMOSTRAREG, APLVALIDAUSU
FROM APLICACAO
WHERE APLNOME = 'SGACRA' AND APLKEY = '2v3cJUprr0CKpk=='
.....APLCOD.APLNOME.APLKEY.APLEXE.APLSTATUS.APLUSEIDREDE.APLUSELOGIN.APLTENTLOGIN.APLDIASSENHA.APLUSEAUDIT.APLMOSTRAREG.APLVALIDAUSU.G.....8....'(....'(....'(....'.....'.....'....&. ...&.....'.....'.....'..6....SGACRA.2v3cJUprr0CKpk==.pSGA0001.exe.1.0.0......Z....1.1.0.......................... ...............SELECT USUCOD , USULOGIN , USUSENHA , USUDESC , USUDPTM , USUSTATUS , USUNOME , USUDATASENHA , USUDATAVALIDA , USUCONEXPADRAO , USUISADMIN , USUFPASSWD , USUNEPASSWD , USUNCPASSWD
FROM USUARIO
WHERE ( USULOGIN = '111111' )
............USUCOD.USULOGIN.USUSENHA.USUDESC.USUDPTM.USUSTATUS.USUNOME.USUDATASENHA
USUDATAVALIDA.USUCONEXPADRAO
USUISADMIN
USUFPASSWD.USUNEPASSWD.USUNCPASSWD.S.....8..../(..../(....'(....'.....'.....'(....o.....o.
...&.....'.....'.....'.....'......(111111 (qLwu8r== .SOMEONE'S NAME HERE
.CURSO ENG ELETRON TE M.M. .........X.........0.0.0.0.................SELECT GetDate()
...&............. .=......2............................ ..........3....SELECT PREFHIDEPASSWORD FROM PREFERENCIA ...1........PREFHIDEPASSWORD.......'...0.
|
It seems that most of the information I got is still encrypted!
Last edited by lautrec on Mon Mar 05, 2012 4:38 pm; edited 1 time in total |
|
| Back to top |
|
 |
AhMunRa Grandmaster Cheater Supreme
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
|
Posted: Tue Apr 05, 2011 2:32 pm Post subject: |
|
|
Storing passwords in a database in plaintext is always a bad idea. Most likely they are hashed before they are put into the database.
So your login may look like
| Code: |
<form action="login.php" method="post">
UserName: <input type="text" name="uname" /><br />
Password: <input type="password" name="passwd" /><br />
<input type="submit" value="Submit" />
</form>
|
The code itself would take the password and hash it, where passwd = 1234:
| Code: |
// Hash the submitted password field before comparing it with the stored value
if (isset($_POST['passwd']))
{
    $pass = md5($_POST['passwd']);
}
|
So you would be posting something like http://noname.this/login.php?login=true&uname=admin&passwd=SKJLWUSudsudpuj
You could try to log in using the login ' or '1'='1' password combination.
This tells the database, using your initial query:
| Code: |
SELECT * FROM user WHERE uname = 'user' AND pass = 'upass' ' or '1'='1';
|
Because 1 is always equal to 1, it may log you in, unless they sanitize the user input specifically looking for this technique. Also try Unicode and hex chars.
Knowing what the target application is would also help.
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.> |
|
| Back to top |
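An added example, written for this page rather than by any poster in the thread, tying the two observations together: the client-side lookup query captured above (`WHERE ( USULOGIN = '111111' )`) is rebuilt by string concatenation beside a bound-parameter version, and both are fed the login value from the post above. The concatenated form hands back every user's row, stored hash included, which is the exposure atom0s warned about; the parameterized form returns nothing. Column names are the page's; the table rows, hashes and the local comparison routine are constructed for this example.

```python
import hashlib
import sqlite3

# Constructed stand-in for the USUARIO table seen in the sniffed query;
# column names come from the page, the two rows are made up here.
USERS = [
    ("100986", hashlib.md5(b"1234").hexdigest()),
    ("111111", hashlib.md5(b"hunter2").hexdigest()),
]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE USUARIO (USULOGIN TEXT, USUSENHA TEXT)")
    con.executemany("INSERT INTO USUARIO VALUES (?, ?)", USERS)
    return con


def fetch_user_concat(con, uname):
    """Vulnerable: the client's lookup built by concatenation, so the login
    value is parsed as SQL and a tautology widens the WHERE to every row."""
    sql = ("SELECT USULOGIN, USUSENHA FROM USUARIO WHERE ( USULOGIN = '"
           + uname + "' )")
    return con.execute(sql).fetchall()


def fetch_user_param(con, uname):
    """Hardened: identical query with a bound parameter; the login value is
    only ever compared as data, never interpreted as SQL."""
    sql = "SELECT USULOGIN, USUSENHA FROM USUARIO WHERE ( USULOGIN = ? )"
    return con.execute(sql, (uname,)).fetchall()


def check_password(row, passwd):
    """The local comparison lautrec observed: hash the typed password and
    compare it with the USUSENHA value the client already fetched."""
    return row[1] == hashlib.md5(passwd.encode()).hexdigest()


if __name__ == "__main__":
    con = make_db()
    payload = "' or '1'='1"                   # login value from the post above
    print(fetch_user_concat(con, payload))    # both rows, hashes exposed
    print(fetch_user_param(con, payload))     # []
```

Note that even the parameterized version still ships the stored hash to the client for a local compare; moving that comparison server-side is the design fix the thread points at.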
|