Representative file



  • This is the entirety of a file named "deletebd.php" (Yes, they even misspelled db in the filename):




    <?
    require("../../cfg.php");
    require("../../db.php");
    require("../../aux.php");

    $query= new connection();
    $id = mysql_real_escape_string($_GET['id']);
    $table = mysql_real_escape_string($_GET['table']);
    $column = mysql_real_escape_string($_GET['column']);
    $query->query("DELETE FROM $table WHERE $column = $id");
    ?>



    I guess I'm glad the previous developer made sure the page wasn't vulnerable to SQL injection.



    Edit: Because I'm sure there'll be someone who won't get it, it allows anyone to delete any row from any table in the DB the app uses. Oh, and the page is freely accessible from the internet, you don't have to be logged in to access it if you know the URL.



  • Time to run a GET request on deletebd.php?table=users&column=1&id=1;+DROP+TABLE+insert_table_name_here

    Fixed formatting -ShadowMod



  • @Husky said:

    Yes, they even misspelled db in the filename

    Well, that's just for obscurity security, isn't it?

    @Husky said:

    Oh, and the page is freely accessible from the internet, you don't have to be logged in to access it if you know the URL.

    No one will know the URL if it's misspelled!



  • @Ben L. said:

    Fixed formatting -ShadowMod

    My God. It's happening again.



  • Oooh, I see... need to add single quotes around id...

    $query->query("DELETE FROM $table WHERE $column = '$id'");

     right?
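    For contrast, here is a defensive rewrite of the same endpoint. It is an added example, not the file from the thread and not the one-line quoting fix proposed above; it addresses both the missing login check called out in the first post and the fact that quoting $id alone still leaves $table and $column interpolated straight into the SQL (escaping only protects string-literal context, never identifiers). The get_pdo() helper in db.php, the session fields and the allowlist contents are assumptions for the example.

```php
<?php
// Added example: a hardened replacement for deletebd.php (not the original file).
// Assumes ../../db.php provides get_pdo() returning a PDO handle (hypothetical),
// and that the app stores login state in $_SESSION (hypothetical field names).
require("../../cfg.php");
require("../../db.php");

// 1. The original was reachable without logging in; require an admin session.
session_start();
if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Destructive actions must not be triggered by a bare GET URL
//    (crawlers, prefetchers or an <img> tag would fire it).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method Not Allowed');
}

// 3. Table and column names cannot be bound as parameters and escaping does
//    nothing for them, so accept only a fixed allowlist (constructed for the example).
$allowed = [
    'users'    => ['id'],
    'comments' => ['id', 'user_id'],
];
$table  = $_POST['table']  ?? '';
$column = $_POST['column'] ?? '';
if (!isset($allowed[$table]) || !in_array($column, $allowed[$table], true)) {
    http_response_code(400);
    exit('Unknown table or column');
}

// 4. The row key is validated as an integer and passed as a bound parameter,
//    never interpolated into the query string.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id');
}

$pdo  = get_pdo(); // hypothetical helper assumed to live in db.php
$stmt = $pdo->prepare("DELETE FROM `$table` WHERE `$column` = :id");
$stmt->execute([':id' => $id]);
echo $stmt->rowCount() . " row(s) deleted";
```

    The allowlist is the important part: once the identifiers are restricted to known values, the backtick quoting is just belt-and-braces, and the only attacker-controlled input that reaches MySQL travels as a typed bound parameter.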



  • @Ben L. said:

    Time to run a GET request on deletebd.php?table=users&column=1&id=1;+DROP+TABLE+insert_table_name_here

    Fixed formatting -ShadowMod

    That's fixed formatting? I wish I had seen the original.

     



  • @Zecc said:

    That's fixed formatting? I wish I had seen the original.

    Trust me, you don't.

    I also just realized that it doesn't need to include the aux.php file, but let's be sincere, that's like dumping sand on the beach, if a beach was made of horrible code. And reeks of copy-paste.



  • @Ben L. said:

    Time to run a GET request on deletebd.php?table=users&column=1&id=1;+DROP+TABLE+insert_table_name_here

    Fixed formatting -ShadowMod

     

    That just proves that the security measures work perfectly. An attacker would never guess that SQL injection isn't necessary when people don't believe it even after they see the code.

