JayDz Posted September 1, 2015

Hello everyone! My redirect file is vulnerable via GET. The first file, which has an id ('bestand.php?id=184'), is redirected to redirect.php via a button:

<form class="LoginForm" action="redirect1.php?id=<?php echo $_GET['id']; ?>" method="post" autocomplete="off">

The redirect.php file looks like this: http://pastebin.com/V794s9rU

Using the program SQLMap I found out that my form is vulnerable to this. With it I could read pretty much my entire database, and that is not my intention! I'm not a hero at SQL myself, but does anyone see a solution?
QuickOldCar Posted September 1, 2015

Quoting JayDz:

Hello everyone! My redirect file is vulnerable via GET. The first file, which has an id ('bestand.php?id=184'), is redirected to redirect.php via a button:

<form class="LoginForm" action="redirect1.php?id=<?php echo $_GET['id']; ?>" method="post" autocomplete="off">

The redirect.php file looks like this: http://pastebin.com/V794s9rU

<?php
error_reporting(0);
$servername = "localhost";
$username = "test_usern";
$password = "test_passwd";
$dbname = "test_db";
date_default_timezone_set("Europe/Amsterdam");

$ip = 'unknown';
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (!empty($_SERVER['REMOTE_ADDR'])) {
    $ip = $_SERVER['REMOTE_ADDR'];
} else {
    user_error("Uh-oh! Neither IP variable was set.");
}

$fname  = $_REQUEST['fname'];
$fname1 = $_REQUEST['fname1'];
$fname2 = $ip;
$fname3 = $_GET['id'];
$fname4 = date('Y/m/d H:i:s');

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // vulnerable: the request values are concatenated straight into the SQL text
    $sql = "INSERT INTO logs (test, test1, test2, test3, test4) VALUES ('$fname', '$fname1', '$fname2', '$fname3', '$fname4')";
    // use exec() because no results are returned
    $conn->exec($sql);
    header("Location: index.php");
} catch (PDOException $e) {
    header("Location: index.php");
}
$conn = null;
?>

Using the program SQLMap I found out that my form is vulnerable to this. With it I could read pretty much my entire database, and that is not my intention! I'm not a hero at SQL myself, but does anyone have a solution?

PDO prepared statements.

You should be checking if the request methods are even set and not empty, plus the data you expect. It's also better to use its actual method and not $_REQUEST.

redirect1.php?id=<?php echo $_GET['id']; ?>

How are you protecting the redirect1.php script?
JayDz (Author) Posted September 1, 2015 (edited)

Quoting QuickOldCar:

PDO prepared statements.

You should be checking if the request methods are even set and not empty, plus the data you expect. It's also better to use its actual method and not $_REQUEST.

redirect1.php?id=<?php echo $_GET['id']; ?>

How are you protecting the redirect1.php script?

I'm not, really; that's why I want to make/get a new script. I tried to make another script, but it gave an error:

Error: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined

<?php
error_reporting(0);
date_default_timezone_set("Europe/Amsterdam");

$ip = 'unknown';
if (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
    $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
} elseif (!empty($_SERVER['REMOTE_ADDR'])) {
    $ip = $_SERVER['REMOTE_ADDR'];
} else {
    user_error("Uh-oh! Neither IP variable was set.");
}

try {
    $fname  = $_REQUEST['fname'];
    $fname1 = $_REQUEST['fname1'];
    $fname2 = $ip;
    $fname3 = $_GET['id'];
    $fname4 = date('Y/m/d H:i:s');

    $db = new PDO('mysql:host=localhost;dbname=test_db', 'test_usern', 'test_passwd');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $sql = "INSERT INTO auth (test, test1, test2, test3, test4) VALUES (:fname, :fname1, :fname2, :fname3, :fname4)";
    $stmt = $db->prepare($sql);
    // the names bound here (:test ...) do not match the placeholders in the SQL (:fname ...),
    // which is what produces the HY093 error above
    $stmt->bindParam(':test',  $fname,  PDO::PARAM_STR);
    $stmt->bindParam(':test1', $fname1, PDO::PARAM_STR);
    $stmt->bindParam(':test2', $fname2, PDO::PARAM_STR);
    $stmt->bindParam(':test3', $fname3, PDO::PARAM_STR);
    $stmt->bindParam(':test4', $fname4, PDO::PARAM_STR);
    $stmt->execute();
} catch (PDOException $e) {
    header('Location: index.php');
}
?>

Edited September 1, 2015 by JayDz
QuickOldCar Posted September 1, 2015 (edited)

You bind the values, not the columns.

$stmt->bindParam(':fname',  $fname,  PDO::PARAM_STR);
$stmt->bindParam(':fname1', $fname1, PDO::PARAM_STR);
$stmt->bindParam(':fname2', $fname2, PDO::PARAM_STR);
$stmt->bindParam(':fname3', $fname3, PDO::PARAM_STR);
$stmt->bindParam(':fname4', $fname4, PDO::PARAM_STR);

Also, there could be multiple IPs returned; I explode them and use the first one:

if (strstr($ip, ', ')) {
    $ip_array = explode(', ', $ip);
    $ip = $ip_array[0];
}

Edited September 1, 2015 by QuickOldCar
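Pulling the advice from QuickOldCar's two replies together (prepared statements whose bound names match the placeholders, reading id from $_GET and the form fields from $_POST instead of $_REQUEST, checking that the inputs are set and look like what is expected, and taking only the first entry of X-Forwarded-For), the following is an added example of a hardened redirect1.php. It is not code from the thread or from JayDz. It keeps the thread's table and column names (logs, test ... test4), credentials and form field names (fname, fname1); the TRUST_X_FORWARDED_FOR switch, the 100-character limit on the form fields, the integer check on id and the 400/405/500 responses are assumptions made for illustration.

```php
<?php
// Added example (not the thread's code): hardened redirect1.php.
// Assumed: table logs(test, test1, test2, test3, test4) as in the thread,
// form fields fname/fname1 arriving by POST, id arriving by GET, and that
// X-Forwarded-For is only trusted when a proxy you control sets it.
declare(strict_types=1);

date_default_timezone_set('Europe/Amsterdam');

// Assumption: flip to true only when a trusted reverse proxy overwrites the header.
const TRUST_X_FORWARDED_FOR = false;

// X-Forwarded-For is supplied by the client unless a trusted proxy rewrites it,
// so consult it only when configured, take the left-most entry, and accept it
// only if it parses as an IP address.
function clientIp(array $server, bool $trustXff): string
{
    if ($trustXff && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    $remote = $server['REMOTE_ADDR'] ?? '';
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : 'unknown';
}

// Read each input from the method it actually arrives by and validate it.
// Returns null when anything is missing or malformed.
function readInput(array $get, array $post): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $fname  = $post['fname']  ?? '';
    $fname1 = $post['fname1'] ?? '';
    foreach ([$fname, $fname1] as $value) {
        // is_string rejects fname[]=... array tricks; the length cap is an assumption
        if (!is_string($value) || $value === '' || strlen($value) > 100) {
            return null;
        }
    }
    return ['id' => $id, 'fname' => $fname, 'fname1' => $fname1];
}

// The placeholders carry the values separately from the SQL text, so no value
// can change the statement. Bound names must match the placeholders (:fname ...),
// not the column names (test ...), which was the HY093 error in the thread.
function insertLog(PDO $db, array $row, string $ip): void
{
    $stmt = $db->prepare(
        'INSERT INTO logs (test, test1, test2, test3, test4)
         VALUES (:fname, :fname1, :ip, :id, :ts)'
    );
    $stmt->bindValue(':fname',  $row['fname'],        PDO::PARAM_STR);
    $stmt->bindValue(':fname1', $row['fname1'],       PDO::PARAM_STR);
    $stmt->bindValue(':ip',     $ip,                  PDO::PARAM_STR);
    $stmt->bindValue(':id',     $row['id'],           PDO::PARAM_INT);
    $stmt->bindValue(':ts',     date('Y/m/d H:i:s'), PDO::PARAM_STR);
    $stmt->execute();
}

// --- request handling ---
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    http_response_code(405);
    exit;
}
$row = readInput($_GET, $_POST);
if ($row === null) {
    http_response_code(400);
    exit('invalid input');
}

try {
    $db = new PDO(
        'mysql:host=localhost;dbname=test_db;charset=utf8mb4',
        'test_usern',
        'test_passwd',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
    insertLog($db, $row, clientIp($_SERVER, TRUST_X_FORWARDED_FOR));
} catch (PDOException $e) {
    // log server-side; never redirect silently or echo the driver message to the client
    error_log('redirect1 insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit;
}
header('Location: index.php');
exit;
```

Two things worth checking alongside this: the thread's form echoes $_GET['id'] straight into the action attribute on bestand.php, so that page should pass the value through htmlspecialchars() (and can apply the same integer check) before printing it; and disabling emulated prepares means the MySQL server itself separates the statement from the bound values, which is the property the prepared statement is supposed to give you.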