FLIXEY.COM

(preview)

This is another one of the scripts I wrote quite a while ago. It just wrote it out of pure boredom and actually got somewhere. Korean social securyity numbers have a pattern, consisting of 13 digits segmented into 2 parts of 6 and 7 digits. The first part is like this.

The second part is a bit complicated. It hold information on your gender and which region of Korea you were registered from. The gender codes are 9 for male 0 for female if you were born in the 1800s, 1 and 2 for the 1900s and 3 and 4 for the 2000s. The regional codes are complicated so I’ll pass on that.

The check number is generated by a pattern. The following PHP code calculates it.

function get_check_no($s_no){
　unset($total);
　　
　for($i=0; $i<13; $i++){
　　$s_no[$i] = intval($s_no[$i]); // convert to integer
　}
　
　// calculate social security number
　$total = $s_no[0]*2 + $s_no[1]*3 + $s_no[2]*4 + $s_no[3]*5 + $s_no[4]*6 + $s_no[5]*7 + $s_no[6]*8 + $s_no[7]*9 + $s_no[8]*2 + $s_no[9]*3 + $s_no[10]*4 + $s_no[11]*5;
　$total = $total%11;
　$check_no = 11-$total;
　
　// if the value of the check number exceeds 9, divide by 10 and return remainder
　if($check_no>9){
　　$check_no = $check_no % 10;
　}
　
　return $check_no; // return result
}

So I created the bruteforcer by simply letting someone enter a hash, birthdate, and gender to get a general idea of what the SSN will look like. Then I simply incremented the leftover digits and calcultated the check numbers. I then hashed them and checked them with the entered hash value.

<?php
$b_year = $_POST['b_year'];
$b_month = $_POST['b_month'];
$b_day = $_POST['b_day'];
$gender = $_POST['gender'];
$s_no_hash_str = $_POST['s_no_hash_str'];
$hash_type = $_POST['hash_type'];
// error messages
if(!$b_year){
　echo “* Enter birth year<br />”;
}
if(!$b_month){
　echo “* Enter birth month<br />”;
}
if(!$b_day){
　echo “* Enter birth day<br />”;
}
if(!$gender){
　echo “* Select gender<br />”;
}
if(!$s_no_hash_str){
　echo “* Enter hashed SSN.<br />”;
}
if(!$hash_type){
　echo “* Select hash type<br />”;
}
// if everything is entered, start processing.
if($b_year && $b_month && $b_day && $gender && $hash_type && $s_no_hash_str){
// pad valued with 0
$b_year = str_pad($b_year, 4, ‘19′, STR_PAD_LEFT);
$b_month = str_pad($b_month, 2, ‘0′, STR_PAD_LEFT);
$b_day = str_pad($b_day, 2, ‘0′, STR_PAD_LEFT);
$b_year_det = substr($b_year,0,2);
$b_year = substr($b_year,2,2);
if($b_year_det == “18″){
　if($gender == “1″){
　　$gender = “9″;
　}
　else{
　　$gender = “0″;
　}
}
else if($b_year_det == “19″){
　if($gender == “1″){
　　$gender = “1″;
　}
　else{
　　$gender = “2″;
　}
}
else if($b_year_det == “20″){
　if($gender == “1″){
　　$gender = “3″;
　}
　else{
　　$gender = “4″;
　}
}
// loop misc
for($misc=0;$misc<=99999;$misc++){
　// pad misc
　$misc = str_pad($misc, 5, ‘0′, STR_PAD_LEFT); // pad left with 0’s
　
　// merge valued to form actual s s no
　$s_no_1 = $b_year.$b_month.$b_day;
　$s_no_2 = $gender.$misc;
　
　// get full number including check number
　$s_no_string = $s_no_1.$s_no_2.get_check_no($s_no_1.$s_no_2);
　
　// select hash type and convert
　if($hash_type == “md5″){
　　$s_no_hash = md5($s_no_string);
　}
　else if($hash_type == “sha1″){
　　$s_no_hash = sha1($s_no_string);
　}
　// if the hash matches the processed, return the value and break loop
　if($s_no_hash == $s_no_hash_str){
　　echo ”
　　Done: “.$s_no_string.”(”.$s_no_hash.”)
　　<script type=\”text/javascript\”>
　
　　<!–
　　document.getElementById(’result’).innerHTML = ‘”.$s_no_string.”‘;
　　//–>
　　</script>
　　”;
　　break;
　}
　// if not… just print current value and continue
　else{
　　echo “Processing: “.$s_no_string.”(”.$s_no_hash.”)<br />”;
　}
}
}
?>

SQL injection is a fun thing to do when you’re bored. Just try submitting a typical injection query into a login form, it’ll work some of the time. I was aware if this, but I am still surprised by the stupidity of many institutions and organization that leave their security compromised by simply not escaping meta characters.

The screen-shot on the left is the login form of an administrator panel of a school. I’ve entered a typical SQL injection expression. Let’s see what happens. (Simple SQL injection is explained here)

It actually let me login as admin! I mean, I know programmers can make mistakes and school don’t always hire good programmers, but they should at least try to keep their students’ private data safe. Their whole school data could be erased by a malicious kid who just happened to try SQL injection on their site. A student of that school could even edit his or her own grades, change their own attendance, and lower the grades of someone they don’t like.

I’ve tried this with many other sites and a large portion of them failed to escape characters and allowed me to trick the script into logging me in, usually as an administrator. If you run a site with a custom-built script, you should check for this very simple but critical vulnerability. Who knows, maybe your own school’s administrator panel has this vulnerability.

Although this can turn out to be very chaotic, it actually takes less than a line of code to remedy it. In PHP, the addslashes() function can be used to escape all characters. One function, that’s all it takes to prevent people from viewing your administrative data and mess around with your site. Check some admin panel logins and try this method, a surprising number of them will fall for this trick and you’ll be granted administrator power and be granted to do whatever you want with that site (of course, if you’re caught you’d be sentenced to cyber crime and thus be screwed).

Go around and check. Tell your friend about a security hole in his site (or possible pull a prank first). Tell your school, organization, and just see their reaction. Just be careful not to bug the school administrator too much or you might get in trouble.

A related and funny comic strip (for those of you who know SQL)