Is this exploitable?

zMagenta

Jul 15, 2011
Just wondering.

PHP:
<?php
if(isset($_POST['post_comment']))
  $posted_on = date("M j, Y g:i A");
if (! isset($_POST['comment'])) {
  $_POST['comment'] = '';  // now the variable at least exists
}

$comment = strip_tags ($_POST['comment']);
if($comment == NULL){
  $error_message = 'You have left a field empty.<br /><br />';
}else{
  if (LOGGED_IN)
  {
    mysql_query("INSERT INTO site_news_comments (article, userid, comment, posted_on) VALUES ('".$news_article_id."', '".$_SESSION['id']."', '".$comment."', '".$posted_on."');");
    $error_message = 'You have successfully posted a comment.<br /><br />';
  }
}
?>

<div class="habblet-container ">
  <div class="cbb clearfix notitle ">
    <div id="article-wrapper"><h2>Post a comment!</h2>
      <div class="article-meta"></div>
      <div class="article-body">
        <form action="" method="post">
        <textarea name="comment" maxlength="500"></textarea><br /><br />
        <input type="submit" name="post_comment" value="Post a comment!" />
        </form>
      </div>
    </div>
  </div>
</div>
<style type="text/css">
input[type="text"], input[type="password"] {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  width: 175px;
  padding: 5px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
input[type="submit"] {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  padding: 5px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
textarea {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  padding: 5px;
  width: 517px;
  height: 70px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
select {
  background-color: #F1F1F1;
  border: 1px solid #999999;
  padding: 5px;
  font-family: verdana;
  font-size: 10px;
  color: #666666;
}
</style>
<?php
$getComments = mysql_query("SELECT * FROM site_news_comments WHERE article = '".$news_article_id."' ORDER by id DESC");
?>
<div class="habblet-container ">
  <div class="cbb clearfix notitle ">
    <div id="article-wrapper"><h2>Comments (<?php echo mysql_num_rows($getComments); ?>)</h2>
      <div class="article-meta"></div>
      <div class="article-body">
        <?php
        if(mysql_num_rows($getComments) == 0){
          echo 'No comments yet, could yours be the first?';
        }else{
          echo '<table width="528px">';
          while($Comments = mysql_fetch_array($getComments)){
            $getUserInfo = mysql_query("SELECT * FROM users WHERE id = '".$Comments['userid']."'");
            $userInfo = mysql_fetch_array($getUserInfo);
            echo '
            <tr>
              <td width="90px" valign="top">
                <div style="float:left"><img src="http://www.habbo.fr/habbo-imaging/avatarimage?figure='.$userInfo['look'].'&size=b&direction=2&head_direction=3&gesture=sml&size=s"></div>
                ';
            if($userInfo['rank'] > 8){
              echo '<div style="position: absolute; z-index:1"><img src="http://%www%/r63/c_images/album1584/AD1.gif"></div>';
            }
            echo '
              </td>
              <td width="427px" valign="top">
                <strong>RE: %news_article_title%</strong><br /><br />'.$Comments['comment'].'
              </td>
            </tr>
            <tr>
              <td width="90px" valign="top">
              </td>
              <td width="427px" align="right">
                <i>Posted by: <strong><a href="#">'.$userInfo['username'].'</a></strong>  On '.$Comments['posted_on'].'</i><br /><br />
              </td>
            </tr>';
          }
          echo '</table>';
        }
        ?>
      </div>
    </div>

    <script type="text/javascript">if (!$(document.body).hasClassName('process-template')) { Rounder.init(); }</script>
  </div>
</div>
 

Sledmore

Staff member
FindRetros Moderator
Jul 24, 2010
I wouldn't use strip_tags, and I don't think it is the best for you; you could try this, though.

PHP:
$comment = strip_tags ($_POST['comment']);
to
PHP:
$comment = mysql_real_escape_string(stripslashes(htmlspecialchars($_POST['comment'])));

Also, where is:

PHP:
$news_article_id

I cannot see it in your code, but make sure that's filtered.

Also:
 

Ecko

Nov 25, 2012
no no no:

PHP:
$getUserInfo = mysql_query("SELECT * FROM users WHERE id = '".$Comments['userid']."'");

Learn to switch everything over using prepared statements and you won't be vulnerable to SQL injections.
 

Weasel

Nov 25, 2011
no no no:

PHP:
$getUserInfo = mysql_query("SELECT * FROM users WHERE id = '".$Comments['userid']."'");

Learn to switch everything over using prepared statements and you won't be vulnerable to SQL injections.
It selects the user id, which is set on login... the hell are you talking about? The userid field isn't an input field in any way.
 

Ecko

Nov 25, 2012
It selects the user id, which is set on login... the hell are you talking about? The userid field isn't an input field in any way.
...

Have you ever heard of second order attacks? Blind SQL injections? XSS? Session hijacking? There doesn't need to be user input for something to be exploited. This is why you filter output. If I wasn't at work (this place where I deal with hundreds of customers' SQL injected sites daily), I'd show you how this could be exploited.
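The prepared-statement and "filter output" fix argued for in the two posts above, as an added example that is not the thread's code: it rebuilds the thread's INSERT and SELECT on PDO against an in-memory SQLite database, and the hostile comment string, the table contents and the `postComment`/`renderComments` function names are constructed for the example.

```php
<?php
// Added example, not code from the thread: the comment flow rebuilt on PDO
// prepared statements plus output escaping. An in-memory SQLite database is
// used so it runs stand-alone; table and column names mirror the thread's code.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE site_news_comments (id INTEGER PRIMARY KEY AUTOINCREMENT,
           article INTEGER, userid INTEGER, comment TEXT, posted_on TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice')");

function postComment(PDO $db, int $articleId, int $userId, string $comment): void {
    // Bound parameters travel as data: quotes in $comment never reach the SQL parser.
    $stmt = $db->prepare('INSERT INTO site_news_comments (article, userid, comment, posted_on)
                          VALUES (:article, :userid, :comment, :posted_on)');
    $stmt->execute([
        ':article'   => $articleId,
        ':userid'    => $userId,
        ':comment'   => $comment,
        ':posted_on' => date('M j, Y g:i A'),
    ]);
}

function renderComments(PDO $db, int $articleId): string {
    // One JOIN replaces the per-row "SELECT * FROM users WHERE id = ..." in the thread.
    $stmt = $db->prepare('SELECT c.comment, c.posted_on, u.username
                          FROM site_news_comments c JOIN users u ON u.id = c.userid
                          WHERE c.article = :article ORDER BY c.id DESC');
    $stmt->execute([':article' => $articleId]);
    $html = '';
    foreach ($stmt as $row) {
        // Escape when writing HTML: data read back from the database is untrusted
        // no matter how it got there (the "filter output" point made above).
        $html .= '<p>' . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')
               . ' <i>by ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
               . ' on ' . htmlspecialchars($row['posted_on'], ENT_QUOTES, 'UTF-8')
               . "</i></p>\n";
    }
    return $html;
}

// Constructed input standing in for a hostile $_POST['comment']; $articleId and
// $userId stand in for the integer-cast route value and $_SESSION['id'].
$articleId = 7;
$userId    = 1;
postComment($db, $articleId, $userId, "great'); DROP TABLE users; -- <script>alert(1)</script>");
echo renderComments($db, $articleId);
echo 'users rows still present: ', $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), "\n";
```

The rendered page shows the script tag as literal text and the users table survives, which is the behaviour the thread's string-concatenated queries and raw `echo` of `$Comments['comment']` cannot guarantee.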
 

Weasel

Nov 25, 2011
...

Have you ever heard of second order attacks? Blind SQL injections? XSS? Session hijacking? There doesn't need to be user input for something to be exploited. This is why you filter output. If I wasn't at work (this place where I deal with hundreds of customers' SQL injected sites daily), I'd show you how this could be exploited.
You are talking big, but you obviously don't know what you are talking about. First of all, the id is an integer; also, XSS? SQL injections? Good luck doing that when the output needs to be an integer. You obviously don't know what you are talking about. Good luck exploiting it when you are home.
 

Ecko

Nov 25, 2012
You are talking big, but you obviously don't know what you are talking about. First of all, the id is an integer; also, XSS? SQL injections? Good luck doing that when the output needs to be an integer. You obviously don't know what you are talking about. Good luck exploiting it when you are home.
The output needs to be an integer? What the hell are you smoking? The majority of XSS attacks are from search queries. I think you need to take a look at the examples here:


And for SQL injections:


As for exploiting it, did it at work before I clocked out:

autobots.biz/code/news.php - if you want to try it yourself
 

Weasel

Nov 25, 2011
The output needs to be an integer? What the hell are you smoking? The majority of XSS attacks are from search queries. I think you need to take a look at the examples here:


And for SQL injections:


As for exploiting it, did it at work before I clocked out:

autobots.biz/code/news.php - if you want to try it yourself

403 forbidden, and it isn't the whole code.
 
