```php
 1  <?php
 2  $use_mysql = 1;
 3
 4  if ($use_mysql == 1) {
 5      require_once('./mysqllog.php');
 6      require_once('./geoipcity.inc');
 7  }
 8
 9  $ip      = getenv("REMOTE_ADDR");
10  $real_ip = getenv("HTTP_X_FORWARDED_FOR");
11
12  if (isset($_GET['id'])) {
13      $id = $_GET['id'];
14  } else {
15      $id = $_POST['id'];
16  }
17
18  $info = $_POST['info'];
19  $user = $_POST['user'];
20
21  if ($use_mysql == 1) {
22      //-----------------------------------
23      $gi     = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
24      $record = geoip_record_by_addr($gi, $ip);
25      geoip_close($gi);
26      //-----------------------------------
27      $info = decode_string($info);
28
29      if(@!mysql_connect($mysql_host,$mysql_login,$mysql_pass)) {echo '<p class="err">Error. Cant connect to mysql server </p>'; }
30      if(@!mysql_selectdb($mysql_db)) {echo '<p class="err">Error. Cant connect to DB</p>'; }
31      $query = 'INSERT INTO pass (add_date,id,uidlog,ip_real,ip,pass,country,city,zip) VALUES (now(),"'. $id . '","'. $user .'","'. $real_ip . '","'. $ip .'","'. $info .'",
32                "'. $record->country_name .'","'. $record->city .'","'. $record->postal_code .'")';
33      if(@!mysql_query($query)) {echo '<p class="err">Error. Cant execute query</p>'; }
34  } else {
35      $date = date("Y-m-d");
36      $time = date("H:i:s");
37      list($year, $month, $day) = explode('-', $date);
38
39      $filename = "pass.$day.$month.txt";
40
41      $log = "$info@@@@@$user@@@@@$id@@@@@$real_ip@@@@@$ip@@@@@$date@@@@@$time\n";
42
43      $fh = fopen("logs/$filename", "a+");
44      fputs($fh, $log);
45      fclose($fh);
46  }
47  function decode_string($string) {
48      $bindata = '';
49      for ($i = 0; $i < strlen($string); $i += 2) {
50          $bindata .= chr(hexdec(substr($string, $i, 2)));
51      }
52      return addslashes($bindata);
53  }
54  ?>
```
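The query on lines 31-32 is built by string concatenation: `$id`, `$user` and `$real_ip` (the X-Forwarded-For header, which a client controls as freely as any POST field) are dropped inside double-quoted SQL string literals with no escaping at all; only `$info` passes through `addslashes()` inside `decode_string()`. A value containing a `"` therefore closes the literal and whatever follows is parsed as SQL. The flat-file branch has the matching problem on line 41: a field containing `@@@@@` or a newline forges extra fields or extra records for whatever later parses `logs/pass.DD.MM.txt`. The script below is an added example, not the original code, showing one hardened rewrite of the same logger: each parameter is validated against an allow-list pattern, the INSERT goes through a PDO prepared statement so the values never re-enter the SQL parser, and log fields are hex-encoded so the delimiter cannot be forged. It assumes `mysqllog.php` still defines `$mysql_host`, `$mysql_login`, `$mysql_pass` and `$mysql_db`, that the `geoip_*` functions still come from `geoipcity.inc`, and that PHP 7 or later is available (for `??` and `hex2bin()`); the `validated()` helper and the 400 response on bad input are this example's own choices.

```php
<?php
// Hardened rewrite of the logger above (added example, not the original script).
// Assumes mysqllog.php defines $mysql_host, $mysql_login, $mysql_pass, $mysql_db.

/**
 * Return $value if it is a string no longer than $maxlen that matches the
 * anchored $pattern, otherwise null. Rejecting is safer than "cleaning".
 */
function validated($value, $pattern, $maxlen) {
    if (!is_string($value) || strlen($value) > $maxlen) {
        return null;
    }
    return preg_match($pattern, $value) === 1 ? $value : null;
}

// $id may come from GET or POST, as in the original; the rest is POST-only.
$id   = validated($_GET['id'] ?? $_POST['id'] ?? '', '/^[A-Za-z0-9_-]{1,64}$/', 64);
$user = validated($_POST['user'] ?? '',             '/^[A-Za-z0-9_.@-]{1,128}$/', 128);
$hex  = validated($_POST['info'] ?? '',             '/^(?:[0-9a-fA-F]{2}){1,4096}$/', 8192);

if ($id === null || $user === null || $hex === null) {
    http_response_code(400);   // example's choice: refuse rather than log garbage
    exit;
}

// X-Forwarded-For is attacker-supplied: keep only the first hop and only if it
// parses as an IP address; otherwise store NULL rather than arbitrary bytes.
$ip      = $_SERVER['REMOTE_ADDR'];
$xff     = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
$real_ip = filter_var(trim(explode(',', $xff)[0]), FILTER_VALIDATE_IP) ?: null;

// Replaces decode_string(): the regex above already guarantees well-formed hex.
$info = hex2bin($hex);

$use_mysql = 1;

if ($use_mysql == 1) {
    require_once './mysqllog.php';
    require_once './geoipcity.inc';

    $gi     = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
    $record = geoip_record_by_addr($gi, $ip);   // may be null for unknown addresses
    geoip_close($gi);

    $pdo = new PDO(
        "mysql:host=$mysql_host;dbname=$mysql_db;charset=utf8mb4",
        $mysql_login,
        $mysql_pass,
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: parameter data is sent separately from the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );

    // Named placeholders instead of concatenation: a `"` in $user is just data.
    $stmt = $pdo->prepare(
        'INSERT INTO pass (add_date, id, uidlog, ip_real, ip, pass, country, city, zip)
         VALUES (NOW(), :id, :user, :real_ip, :ip, :info, :country, :city, :zip)'
    );
    $stmt->execute([
        ':id'      => $id,
        ':user'    => $user,
        ':real_ip' => $real_ip,
        ':ip'      => $ip,
        ':info'    => $info,
        ':country' => $record->country_name ?? null,   // ?? uses isset() semantics, so a null $record is safe
        ':city'    => $record->city ?? null,
        ':zip'     => $record->postal_code ?? null,
    ]);
} else {
    // Flat-file path. Keep the original "@@@@@"-delimited layout but make it
    // unforgeable: every field is hex-encoded, so neither the delimiter nor a
    // newline can ever appear inside a field.
    $fields = [$info, $user, $id, (string) $real_ip, $ip, date('Y-m-d'), date('H:i:s')];
    $log    = implode('@@@@@', array_map('bin2hex', $fields)) . "\n";

    // Same pass.DD.MM.txt name as before; it is derived from the date only, never from input.
    $filename = 'logs/pass.' . date('d.m') . '.txt';
    file_put_contents($filename, $log, FILE_APPEND | LOCK_EX);
}
```

`PDO::ATTR_EMULATE_PREPARES => false` matters: with emulation on, PDO would interpolate the values client-side with its own quoting, which is still safe but re-enters the parser path the original got wrong. One caveat on the `pass` column: the decoded `$info` is arbitrary bytes, so if the column is a text type rather than `VARBINARY`/`BLOB`, store the validated hex string instead, or the server may reject non-UTF-8 input under strict mode.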
Ok... first try here. I'm not overly good with PHP, but I think this one is an obvious SQL injection (obvious because even I can see it!). The coder pulls $id, $info, and $user straight from POST and GET (lines 13-20), never sanitizes, escapes, or validates any of it, and puts it straight into the query on lines 31 and 32. At least, I don't see any validation or anything. And, as I understand it, both POST and GET can be manipulated by the attacker.
If I'm not mistaken, even if you turn off SQL by setting $use_mysql to something else, couldn't you still screw up the logs a little with some garbage? Line 41 seems to do the same as the injection, only it just puts it straight to the log file.
Did I win?