DZOIC Handshakes Authentication Bypass via SQL Injection

What this paper is
This paper, published by R3d-D3V!L in 2010, describes a vulnerability in the "DZOIC Handshakes" web application. The vulnerability allows an attacker to bypass the authentication mechanism by exploiting a remote SQL injection flaw in the login form. This means an attacker can log in as any user, including administrators, without knowing their actual credentials.
Simple technical breakdown
The core of the vulnerability lies in how the web application handles user input for the username and password fields during the login process. Instead of properly sanitizing or validating the input, the application directly incorporates it into a SQL query.
An attacker can craft a special string for the password field. This string, when inserted into the SQL query, manipulates the query's logic. Specifically, it tricks the database into believing that a condition is always true (e.g., 1=1), thereby allowing the login to succeed without a valid password.
Complete code and payload walkthrough
The provided "exploit" is not actual code in the traditional sense of a script or program. It's a demonstration of the malicious input string that can be used to exploit the vulnerability.
- [?] Exploit:
- FROM Members Login: This indicates the context of the exploit – the member login page of the DZOIC Handshakes application.
- [?] Username : admin_name: This is a placeholder for a valid or potentially valid username. The attacker might try common usernames like "admin" or "administrator," or they might try to guess a username if they have some information.
- [?] password : x' or ' 1=1--: This is the crucial part of the exploit. Let's break down this string:
- x': This part is likely intended to close the string literal for the username or password field in the original SQL query. For example, if the query was SELECT * FROM users WHERE username = 'admin_name' AND password = 'user_input', the x' would attempt to terminate the password string.
- or ' 1=1: This is the core of the SQL injection. It introduces an OR condition. The condition 1=1 is always true. So, the query effectively becomes ... AND (password = '...' OR '1'='1'). Since '1'='1' is always true, the entire AND condition will evaluate to true, regardless of the actual password.
- --: This is a SQL comment. It tells the database to ignore anything that comes after it in the current query. This is important because it effectively removes any remaining parts of the original SQL query that might have been intended to check for a valid password or other conditions, preventing syntax errors and ensuring the injected logic is executed.
Mapping:
x' or ' 1=1-- -> Malicious input string for the password field, designed to bypass authentication via SQL injection.
Shellcode/Payload:
There is no shellcode or executable payload in this paper. The "exploit" is purely a data injection technique. The "payload" is the crafted input string itself, which manipulates the database query.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web application. No elevated privileges on the server are initially required, as this is a remote web vulnerability.
- Lab Preconditions:
- A local or accessible instance of the DZOIC Handshakes application. Since the vendor is listed as www.dzoic.com, the target would likely be a self-hosted installation of this software.
- A web browser to interact with the login form.
- A proxy tool (e.g., Burp Suite, OWASP ZAP) is highly recommended for intercepting and modifying the login request.
- Tooling Assumptions:
- Standard web browser.
- Proxy tool for request manipulation.
- Basic understanding of SQL syntax.
- Execution Pitfalls:
- Incorrect Input Termination: The x' might not be the correct character to terminate the string in the specific SQL dialect or implementation used by the application. Other characters like a single quote (') might be sufficient.
- WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) or Intrusion Detection Systems (IDS) might detect the OR 1=1 pattern or the -- comment as malicious. Evasion techniques might be necessary.
- Application Logic: The application might have additional checks beyond the database query that could prevent a successful bypass.
- Username Enumeration: While the bypass allows login, knowing a valid username is still beneficial. If the username is unknown, an attacker might need to perform username enumeration first.
- Database Specifics: The exact SQL syntax and how string literals are handled can vary between database systems (e.g., MySQL, PostgreSQL, SQL Server). The -- comment is common but not universal.
- Telemetry:
- Web Server Logs: Look for unusual login attempts, especially those with malformed or suspicious password fields.
- Database Logs: If available, database logs might show queries with unexpected structures or syntax errors if the injection isn't perfectly formed.
- Application Logs: The application might log failed login attempts or, if successful, might log the user who logged in. A successful bypass might appear as a legitimate login for a user that the attacker shouldn't have access to.
Where this was used and when
- Context: This vulnerability was specific to the "DZOIC Handshakes" web application, likely a commercial or custom-built application for managing handshakes or similar business interactions.
- Timeframe: The paper was published on January 1, 2010. Therefore, this vulnerability was relevant around 2010 and likely existed for some time before the publication. It's unknown if this specific software is still in widespread use or if it has been patched.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. Never trust user input. All data submitted by users must be rigorously validated against expected formats and sanitized to remove potentially harmful characters or code.
- Parameterized Queries (Prepared Statements): Use parameterized queries or prepared statements for all database interactions. This separates the SQL code from the data, preventing user input from being interpreted as executable SQL commands.
- Principle of Least Privilege: Ensure that database accounts used by web applications have only the necessary permissions. This limits the damage an attacker can do even if they manage to inject SQL.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common web attack patterns, including SQL injection attempts. However, WAFs are not a silver bullet and should be part of a layered defense.
- Regular Security Audits and Patching: Regularly audit web applications for vulnerabilities and ensure all software, including web applications and their underlying frameworks, is kept up-to-date with security patches.
- Logging and Monitoring: Implement comprehensive logging for web applications and databases, and actively monitor these logs for suspicious activity.
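To show the mechanism from the payload walkthrough above and the parameterized-query fix from the defensive lessons side by side, here is an added Python example (not code from the paper or from DZOIC) that runs the paper's exact password string against a concatenated query and against a bound-parameter query on an in-memory SQLite database. The table, account names and passwords are constructed for the demo.

```python
import sqlite3

# Constructed sample accounts for an in-memory SQLite database. Plaintext
# passwords only mirror the query shape the paper implies (password = '...');
# a real application would compare password hashes instead.
SAMPLE_USERS = [("admin", "S3cretAdminPw!"), ("alice", "alice-pass")]

# The exact string the paper types into the password field.
PAPER_PAYLOAD = "x' or ' 1=1--"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Login check built by string concatenation, as the paper describes.

    Returns every username the query matches; the application would treat
    the first one as the logged-in account.
    """
    query = ("SELECT username FROM users WHERE username = '" + username + "' "
             "AND password = '" + password + "'")
    # With PAPER_PAYLOAD the statement becomes
    #   ... AND password = 'x' or ' 1=1--'
    # AND binds tighter than OR, and the trailing --' ends up inside the
    # second string literal. SQLite (like MySQL) converts the text ' 1=1--'
    # to the number 1 in a boolean context, so the OR is true for every row.
    return [row[0] for row in conn.execute(query)]


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same check with bound parameters: the input travels as data, so the
    quote, OR and -- inside it never reach the SQL parser."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", vulnerable_login(db, "admin_name", PAPER_PAYLOAD))
    print("parameterized:", safe_login(db, "admin_name", PAPER_PAYLOAD))
    print("parameterized, real credentials:", safe_login(db, "alice", "alice-pass"))
```

The concatenated version matches every account regardless of the username supplied, which is why the paper's "Username" value hardly matters; the bound-parameter version matches nothing for the payload and only the correct account for real credentials.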
ASCII visual (if applicable)
This vulnerability is a direct manipulation of a web request and its interaction with a backend database. An ASCII visual can illustrate the flow of data.
+------------------+      +------------------+      +------------------+
| Attacker's Input |----->| Web Application  |----->| Database Server  |
| (Malicious Pass) |      | (Login Form)     |      | (SQL Query)      |
+------------------+      +------------------+      +------------------+
                                                             |
                                                             | (Query with injected logic)
                                                             v
                                                    +------------------+
                                                    | Authentication   |
                                                    | Bypassed         |
                                                    +------------------+
Source references
- PAPER ID: 10901
- PAPER TITLE: DZOIC Handshakes - Authentication Bypass
- AUTHOR: R3d-D3V!L
- PUBLISHED: 2010-01-01
- KEYWORDS: PHP, webapps
- PAPER URL: https://www.exploit-db.com/papers/10901
- RAW URL: https://www.exploit-db.com/raw/10901
Original Exploit-DB Content (Verbatim)
[?] -------------------------{In The Name Of Allah The Mercifull}----------------------
[?]
[~] Tybe: DZOIC Handshakes suffer from auth bypass remote sql injection
[~] Vendor: www.dzoic.com
[?] Software: DZOIC Handshakes
[-]
[?] author: ((R3d-D3v!L))
[?] TEAM: ArAB!AN !NFORMAT!ON SeCuR!TY
[?] contact: N/A
[-]
[?] Date: 1.Jan.2010
[?] T!ME: 12:27 pm GMT
[?] Home: WwW.xP10.ME
[?]
[?]
[-]----------------------{DEV!L'5 of SYST3M}----------------------
[?] Exploit:
FROM Members Login
[?] Username : admin_name
[?] password : x' or ' 1=1--
[~]-----------------------------{D3V!L5 0F 7h3 SYS73M!?!}----------------------------------
N073:
REAL RED DEV!L W@S h3r3 LAMERZ
GAZA !N our hearts !
[~]-----------------------------{((Angela Bennett))}---------------------------------------
[~] Greetz tO: dolly & L!TTLE 547r & 0r45hy & DEV!L_MODY & po!S!ON Sc0rp!0N & mAG0ush_1987
[~]70 ALL ARAB!AN HACKER 3X3PT : LAM3RZ
[~] spechial thanks : ab0 mohammed & XP_10 h4CK3R & JASM!N & c0prA & MARWA & N0RHAN & S4R4
[?]spechial SupP0RT: MY M!ND ;) & ((OFFsec))
[?]4r48!4n.!nforma7!0N.53cur!7y ---> ((r3d D3v!L))--M2Z--JUPA-aNd-Devil ro0t : Goo Goo Cs Tiroo
[~]spechial FR!ND: 74M3M
[~] !'M 4R48!4N 3XPL0!73R.
[~]{[(D!R 4ll 0R D!E)]};
[~]--------------------------------------------------------------------------------