Representative file
-
This is the entirety of a file named "deletebd.php" (Yes, they even misspelled db in the filename):
<?
require("../../cfg.php");
require("../../db.php");
require("../../aux.php");
$query= new connection();
$id = mysql_real_escape_string($_GET['id']);
$table = mysql_real_escape_string($_GET['table']);
$column = mysql_real_escape_string($_GET['column']);
$query->query("DELETE FROM $table WHERE $column = $id");
?>
I guess I'm glad the previous developer made sure the page wasn't vulnerable to SQL injection.
Edit: Because I'm sure there'll be someone who won't get it, it allows anyone to delete any row from any table in the DB the app uses. Oh, and the page is freely accessible from the internet, you don't have to be logged in to access it if you know the URL.
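The same handler re-created in Python against an in-memory SQLite database, beside a hardened version, as an added example that is not the original file or the original app's code. The schema, the table and row names, the session dict and the allow-list are all assumptions made for the demo; the point it shows is that escaping the value does nothing when the client also picks the table and column, and nothing at all replaces an authentication check.

```python
import sqlite3

# Constructed sample schema for the demo (an assumption, not the app's real schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER, total REAL);
        INSERT INTO users  VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO orders VALUES (10, 1, 9.99), (11, 2, 19.99);
    """)
    return conn

def count_rows(conn, table):
    return conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]

def escape_value(s):
    # Stand-in for mysql_real_escape_string: escapes characters that matter
    # inside a quoted string literal, and nothing else.
    return s.replace("\\", "\\\\").replace("'", "''")

def delete_vulnerable(conn, params):
    """Same logic as deletebd.php: the client chooses table, column and value,
    everything is escaped, nothing is checked, and no login is required."""
    table = escape_value(params["table"])
    column = escape_value(params["column"])
    value = escape_value(params["id"])
    # Escaping is irrelevant here: table and column are identifiers, and the
    # value is interpolated without quotes, so ?table=users&column=1&id=1
    # becomes DELETE FROM users WHERE 1 = 1 and empties the table.
    cur = conn.execute(f"DELETE FROM {table} WHERE {column} = {value}")
    conn.commit()
    return cur.rowcount

def stacked_query_rejected(conn):
    """The ';DROP TABLE' payload from the thread. Like mysql_query() in the
    old PHP mysql extension, sqlite3's execute() refuses a second statement,
    so the DROP never runs; the row deletion needs no injection at all."""
    try:
        delete_vulnerable(conn, {"table": "users", "column": "1",
                                 "id": "1; DROP TABLE orders"})
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False

# Hardened version (assumptions: a session dict carries login state, and
# only these table/column pairs may ever be targeted by this endpoint).
ALLOWED_TARGETS = {"orders": {"id"}}

class Forbidden(Exception):
    pass

def delete_hardened(conn, params, session):
    if not session.get("authenticated"):
        raise Forbidden("login required")
    table = params.get("table")
    column = params.get("column")
    # Identifiers cannot be bound as parameters, so they come from an allow-list.
    if column not in ALLOWED_TARGETS.get(table, ()):
        raise Forbidden("table/column not permitted")
    try:
        value = int(params["id"])
    except (KeyError, ValueError):
        raise Forbidden("id must be an integer")
    # The value is bound as a parameter, not interpolated into the SQL text.
    cur = conn.execute(f'DELETE FROM "{table}" WHERE "{column}" = ?', (value,))
    conn.commit()
    return cur.rowcount
```

The allow-list is the part people forget: a prepared statement fixes the value, but a table or column name can never be a bound parameter, so the only safe source for it is a fixed set the server controls. The login check comes before any of that, since the thread's actual problem is that the URL works for anyone.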
-
Time to run a GET request on
deletebd.php?table=users&column=1&id=1;+DROP+TABLE+insert_table_name_here
Fixed formatting -ShadowMod
-
@Husky said:
Yes, they even misspelled db in the filename
Well, that's just for obscurity security, isn't it?
@Husky said:
Oh, and the page is freely accessible from the internet, you don't have to be logged in to access it if you know the URL.
No one will know the URL if it's misspelled!
-
Oooh, I see... need to add single quotes around id...
$query->query("DELETE FROM $table WHERE $column = '$id'");
right?
-
@Ben L. said:
Time to run a GET request on
deletebd.php?table=users&column=1&id=1;+DROP+TABLE+insert_table_name_here
Fixed formatting -ShadowMod
That's fixed formatting? I wish I had seen the original.
-
@Zecc said:
That's fixed formatting? I wish I had seen the original.
Trust me, you don't.
I also just realized that it doesn't need to include the aux.php file, but let's be sincere, that's like dumping sand on the beach, if a beach was made of horrible code. And it reeks of copy-paste.
-
@Ben L. said:
Time to run a GET request on
deletebd.php?table=users&column=1&id=1;+DROP+TABLE+insert_table_name_here
Fixed formatting -ShadowMod
That just proves that the security measures work perfectly. An attacker would never guess that SQL injection isn't necessary when people don't believe it even after they see the code.