0

I am using Flask for a web login page. I am trying to exploit sha256 password encryption, but I have no idea why line sha256_crypt.verify(password,pass_data) is throwing with the error in title.

Is there anything I am missing? If I can give more details please ask, maybe providing some instructions on how to debug. Thank you.

@app.route("/login", methods=["GET","POST"])
def login():
   if request.method == "POST":
      username= str(request.form['username'])
      password = request.form.get('password')
      cursor = mydb.cursor(MySQLdb.cursors.DictCursor)
      cursor.execute("SELECT * FROM user WHERE username ='"+ username +"'")
      userdata = cursor.fetchone()
      usernamedata = userdata['username']
      passworddata = userdata['password']
      if usernamedata is None:
        flash("Incorrect username","danger")
        return render_template("login.html")
     else:
        for pass_data in passworddata:
            if sha256_crypt.verify(password,pass_data):
                flash("You are now login","success")
                return redirect(url_for('profile'))
            else:
                flash("Incorrect password!")
                return render_template("login.html")
   return render_template("login.html")
Fabio Veronese
  • 7,726
  • 2
  • 18
  • 27
Tawhid
  • 1
  • 3
  • I think it would be very handy for everyone to see the actual error message so that you don't have to guess which line throws the exception. – NotAName Oct 31 '19 at 09:36
  • Welcome to Stack Overflow! I edited the title of your question to include the name of the function you're calling, so more people with knowledge of the subject will see it. Please see the editing help for more information on formatting. Please edit in the specific error-message you're encountering in case that's necessary to identify the specific problem. Good luck! – Fabio Veronese Oct 31 '19 at 13:59

1 Answers1

0

Assuming passworddata is a string, doing for pass_data in passworddata will just loop over the letters of string. I think changing this:

for pass_data in passworddata:
    if sha256_crypt.verify(password,pass_data):
        flash("You are now login","success")
        return redirect(url_for('profile'))
    else:
        flash("Incorrect password!")
        return render_template("login.html")

to this:

if sha256_crypt.verify(password, passworddata):
    flash("You are now login","success")
    return redirect(url_for('profile'))
else:
    flash("Incorrect password!")
    return render_template("login.html")

should fix it.

Also, don't execute SQL like this!

cursor.execute("SELECT * FROM user WHERE username ='"+ username +"'")

It's very prone to SQL injection.

Joost
  • 3,609
  • 2
  • 12
  • 29
  • Thank you for your comment. I set your code but still it gives error. Now the error shows it - ValueError: expected sha256_crypt hash, got sha256_crypt config string instead – Tawhid Oct 31 '19 at 10:38
  • How are you storing passwords in the db? – Joost Oct 31 '19 at 10:43
  • Here is the register section: if request.method=="POST": username = str(request.form["username"]) email = str(request.form["email"]) password = str(request.form["password"]) pwd_hash = sha256_crypt.encrypt(password) conpassword =str(request.form["conpassword"]) if password == conpassword: cursor = mydb.cursor() cursor.execute("INSERT INTO user(,username,email,password) VALUES(%s,%s,%s)",(username,email,pwd_hash)) mydb.commit() – Tawhid Nov 02 '19 at 04:21