PHP
HellWalk, 2017-02-09 14:53:28

How to find a vulnerability in a custom bike?

In my free time from my main job (SEO optimizer) I study back-end development and cobbled together a homemade bicycle: walkweb.ru/cms (for now only for educational purposes; this scooter does not pretend to be anything serious). I posted links on PHP forums, and today found that one visitor was able to:
1) post as a user that cannot be logged in (I won't go into details why);
2) place posts in such a way that his account does not receive experience and gold, although in the code this functionality is on adjacent lines (adding a post -> checking for a successful response -> adding gold and experience to the account).
One gets the feeling that direct access to the MySQL database was obtained, but: 1) how? 2) why not just delete the database?
What has been done on the site in terms of security:
1) the characters < > are escaped
2) all requests to the database go through prepare
It would be great if someone could pull off a similar "trick" and tell how they did it.


6 answer(s)
Yuri Chudnovsky, 2017-02-09
@Frankenstine

One gets the feeling that direct access to the MySQL database was obtained, but: 1) how?

Obviously, somewhere you have an SQL injection possible.

Uno, 2017-02-09
@Noizefan

No, no and NO.
You need to filter everything, absolutely all the data that can come from the user. Imagine that your website visitors are exclusively hackers. Write code exclusively with this condition.

Oleg, 2017-02-09
@politon

See request logs

Evgeny Bukharev, 2017-02-09
@evgenybuckharev

1) post on behalf of a user who cannot be logged in (I will not go into details why);
Doesn't the author id field in the "add article" form tell you anything about the possibility of setting the author's id manually?
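The point of this answer, as an added illustration (this is not the walkweb.ru/cms code; the table names, the `handle_add_post*` functions and the bonus amounts are assumptions): if the "add post" form carries an author id, whoever sends the request decides which account the post belongs to. The fix is to take the author from the server-side session and ignore the form field, and to write the post and its gold/experience bonus in one transaction so one cannot exist without the other. The demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not the cms code. Assumed tables: users(id, name, gold, experience),
// posts(id, author_id, title, body). Requires the pdo_sqlite extension.
declare(strict_types=1);

// VULNERABLE: the author comes from a form field, so any client can publish under
// another user's id simply by changing the value before submitting.
function handle_add_post_vulnerable(array $post, array $session, PDO $db): int
{
    $authorId = (int) ($post['author_id'] ?? 0);                 // attacker-controlled
    $db->prepare('INSERT INTO posts (author_id, title, body) VALUES (?, ?, ?)')
       ->execute([$authorId, $post['title'] ?? '', $post['body'] ?? '']);
    $postId = (int) $db->lastInsertId();
    // The bonus goes to the logged-in user, who may not be the post's "author" at all.
    $db->prepare('UPDATE users SET gold = gold + 10, experience = experience + 5 WHERE id = ?')
       ->execute([(int) $session['user_id']]);
    return $postId;
}

// HARDENED: the author is the logged-in user from the session; the form's
// author_id (if present) is never read. Post and bonus succeed or fail together.
function handle_add_post(array $post, array $session, PDO $db): int
{
    if (empty($session['user_id'])) {
        throw new RuntimeException('login required');
    }
    $authorId = (int) $session['user_id'];                       // server-side truth
    $title = $post['title'] ?? '';
    $body  = $post['body'] ?? '';
    if (!is_string($title) || !is_string($body) || $title === '' || $body === '') {
        throw new InvalidArgumentException('title and body must be non-empty strings');
    }

    $db->beginTransaction();
    try {
        $db->prepare('INSERT INTO posts (author_id, title, body) VALUES (?, ?, ?)')
           ->execute([$authorId, $title, $body]);
        $postId = (int) $db->lastInsertId();
        $db->prepare('UPDATE users SET gold = gold + 10, experience = experience + 5 WHERE id = ?')
           ->execute([$authorId]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return $postId;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, gold INTEGER DEFAULT 0, experience INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, author_id INTEGER, title TEXT, body TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'admin')");

// alice (user 1) is logged in but submits author_id=2 in the form.
$session = ['user_id' => 1];
$forged  = ['author_id' => '2', 'title' => 'hello', 'body' => 'forged author'];

handle_add_post_vulnerable($forged, $session, $db);   // post ends up under "admin"
handle_add_post($forged, $session, $db);              // post ends up under "alice"

$rows = $db->query('SELECT p.id, u.name, u.gold, u.experience
                    FROM posts p JOIN users u ON u.id = p.author_id ORDER BY p.id');
foreach ($rows as $r) {
    echo "post {$r['id']} by {$r['name']} (author now has gold={$r['gold']}, exp={$r['experience']})\n";
}
```

Running the script prints the first post attributed to "admin" and the second to "alice"; the first is exactly the kind of post the question describes, published under an account that never logged in. If the old form cannot be changed immediately, the same check can be added on the server by comparing the submitted author_id with the session's user id and rejecting the request when they differ.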

grisbi, 2017-02-09
@grisbi

Of the non-critical errors, you have insufficient filtering of incoming data, for example:
http://walkweb.ru/cms/post.php?p[]
http://walkweb.ru/cms/profile.php?user[]
http://walkweb.ru/cms/profile.php?list[]
and so on
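What these URLs do, as an added example that also serves the earlier advice to treat every incoming value as untrusted (this is not the cms code; the helper names and the expected parameter shapes are assumptions): `?p[]` makes PHP put an array into `$_GET['p']` where the script expects a scalar, so string functions and PDO parameter binding receive an array, and with `display_errors` enabled the resulting warnings expose file paths and code structure to the visitor. The defence is to validate the type and format of each parameter before it reaches any query or output function, and to answer 400 rather than continue with a half-valid value.

```php
<?php
// Added example, not the cms code. Assumed parameters: p (post id), user (user name).
declare(strict_types=1);

/**
 * Return a query parameter as a positive integer, or null when it is missing,
 * malformed, or not a scalar. filter_var() returns false for an array unless
 * FILTER_REQUIRE_ARRAY is set, so ?p[] and ?p[]=1 are rejected here.
 */
function query_int(array $get, string $name): ?int
{
    if (!array_key_exists($name, $get)) {
        return null;
    }
    $value = filter_var($get[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $value === false ? null : $value;
}

/** Same idea for a short identifier such as a user name: scalar, then a strict pattern. */
function query_slug(array $get, string $name): ?string
{
    $value = $get[$name] ?? null;
    if (!is_string($value) || preg_match('/\A[a-z0-9_]{1,32}\z/i', $value) !== 1) {
        return null;
    }
    return $value;
}

/**
 * A post.php-style handler that validates first and only then touches the database.
 * Returns [http_status, body] so the decision is visible without a web server.
 */
function show_post(array $get, PDO $db): array
{
    $postId = query_int($get, 'p');
    if ($postId === null) {
        return [400, 'bad request'];                 // array, non-numeric, zero or missing
    }
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = ?');
    $stmt->execute([$postId]);                       // bound value is guaranteed an int
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? [200, htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8')] : [404, 'not found'];
}

// Constructed data for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO posts (id, title) VALUES (42, 'first <b>post</b>')");

// Query strings in the shape of the URLs from the answer above.
foreach (['p=42', 'p[]', 'p[]=42', 'p=42abc', 'p=0', 'user=alice', 'user[]'] as $qs) {
    parse_str($qs, $get);                            // what PHP would place in $_GET
    [$status, $body] = show_post($get, $db);
    printf("%-10s -> p=%-5s user=%-6s HTTP %d %s\n",
        $qs, var_export(query_int($get, 'p'), true),
        var_export(query_slug($get, 'user'), true), $status, $body);
}
```

Only `p=42` reaches the database and returns 200 with the title HTML-escaped; every array-shaped or malformed value is turned into a 400 before any query runs, so no PHP warning is ever produced for the visitor to read. Keeping `display_errors` off in production and logging warnings server-side (as the "see request logs" answer suggests) closes the remaining information leak for parameters that were overlooked.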

Eugene, 2017-02-09
@hokop

Look here
