Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
dvomaks2015-10-18 02:54:01
PHP
dvomaks, 2015-10-18 02:54:01

Is it possible to hack through POST?

Recently I saw this code from a friend:

$url = 'http://blabla.com/?id='.(array_key_exists('id', $_POST) ? $_POST["id"] : '').';
    $otvet = json_decode(file_get_contents($url), true);
    if($otvet['error'] == 'no'){
      ...
    }

It immediately caught my eye that there is no processing of incoming post data. Having pointed out this error in security, I received the answer "everything is normal there, give an example of hacking."
Is hacking possible? Or at least not a hack, but a url substitution, or other options for violating the script.
Nothing came to my mind.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

3 answer(s)
Report
A
Alexander Latyshev, 2015-10-18
@magalex

You should not look at this piece of code, because here, the id parameter is simply passed to the request called by the file_get_contents function.
And you need to look where the $url request is processed on the blabla.com resource: is there or is there no processing of incoming data.
In general, see what is SQL injection
exploits_of_a_mom.png

Report
N
neol, 2015-10-18
@neol

Specifically, in this example, it is quite likely to get a denial of service on the first student who decides to crawl the site using nessus. But even if it doesn’t come to that (in the sense of a denial of service, schoolchildren will not keep themselves waiting long), then it will be a waste of resources for processing connections from both this application and blabla.com. This can hardly be called a terrible vulnerability, but the code clearly smacks of something unpleasant.

Report
D
dvomaks, 2015-10-18
@dvomaks

Once my programming teacher asked me to write a program that would display the result of adding two numbers 3 and 2. So no one coped with the task normally, everyone wrote like
x=2
y=3
z=x+y
print z
Everyone got no, but the solution was simple print 5. I remember it for the rest of my life.
It's about the same here. I asked a question, and in response a lot of unnecessary information, 80% of which does not relate to the essence of the question.

Similar questions
I
ITpie2021-03-25 20:16:06
How to make docker to test python code with certain libraries? 3Reply
M
MarEeeeeee2021-04-07 17:49:27
Do I get an error when using useState? 3Reply
I
Ivan Zhuravlev2019-10-07 20:13:32
How to set up routing on Raspberry Pi? 2Reply
E
Evgeny Yakushov2019-10-09 19:41:27
How to download a dynamically generated file and make the location of this page? 3Reply
L
leviathan2017-05-10 17:06:01
How to display a specific widget in wordpress? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question