On 6/11/2013 9:38 AM, Nick the Gr33k wrote:
Ah great!!!
I just examined my other MySQL database which just stored webpages and
their corresponding visits and voila.
Someone was able to pass values into my counters table:
look:
http://superhost.gr/?show=stats
that's why it didn't have 1 or 2 or 3 as 'counterID' but more values were
present.
Someone successfully manipulated this part of my code:
if cookieID != 'nikos' and ( os.path.exists( path + page ) or
        os.path.exists( cgi_path + page ) ) and re.search(
        r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
        host ) is None:
    try:
        # if first time for webpage; create new record (primary key is
        # automatic, hit is defaulted), if page exists then update record
        cur.execute('''INSERT INTO counters (url) VALUES (%s)
                       ON DUPLICATE KEY UPDATE hits = hits + 1''', (page,) )  # query parameters passed as a tuple
        ......
        ......
I see no way of messing with the above statement other than tweaking
the 'page' variable, but it's not clear to me how.
You, as more experienced, can you tell how the above code of database insertio
Here is more insight on how I initiate the 'page' variable:
==========================================
import os
import cgi
form = cgi.FieldStorage()   # assumed: the CGI form object the script reads 'file' and 'page' from

# define how the .html or .python pages are called
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'
file = form.getfirst('file', 'forbidden')   # this value should come only from .htaccess
                                            # and not as http://superhost.gr/~nikos/cgi-bin/metrites.py
page = form.getvalue('page')                # this value comes from 'index.html' or from within 'metrites.py'
if os.path.exists( file ) and not page:
    # it is an html template
    page = file.replace( path, '' )
==========================================
Any ideas please on how the hacker manages to pass arbitrary values into
the 'page' var since I explicitly define it and before database
insertion I check for:
    if cookieID != 'nikos' and ( os.path.exists( path + page ) or
            os.path.exists( cgi_path + page ) )
?!?!
--
https://mail.python.org/mailman/listinfo/python-list
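As an added example (not part of the post above or of metrites.py) of why the existence test on its own does not pin `page` to a file under the web root: `os.path.exists(path + page)` is true for any existing filesystem entry the concatenation happens to name, including directories, the root itself when `page` is empty, and paths with `..` components. The check below resolves the real path and requires it to be a regular file strictly inside the root before the counter is touched; the throwaway web root, the sample files and the `hits` dictionary standing in for the counters table are constructed for the demonstration.

```python
import os
import tempfile


def is_allowed_page(root, page):
    """True only when `page` names a regular file strictly inside `root`.

    The original test, os.path.exists(path + page), is satisfied by *any*
    existing entry the concatenation happens to name (a directory, the
    root itself for an empty page, a path with '..' components).  Here the
    path is resolved first and then required to stay under the root.
    """
    if not page:
        return False
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, page))
    return target.startswith(root + os.sep) and os.path.isfile(target)


def record_hit(hits, root, page):
    """Stand-in for the INSERT ... ON DUPLICATE KEY UPDATE statement: the
    counter is touched only after the containment check; returns whether
    a row would have been inserted or updated."""
    if not is_allowed_page(root, page):
        return False
    hits[page] = hits.get(page, 0) + 1
    return True


def demo():
    """Build a throwaway web root (constructed sample data) and compare the
    bare existence test with the containment check on a few page values.
    Returns ({page: (exists, allowed)}, hits)."""
    tmp = tempfile.mkdtemp()
    root = os.path.join(tmp, 'public_html')
    os.makedirs(os.path.join(root, 'cgi-bin'))
    for name in ('index.html', 'about.html'):
        open(os.path.join(root, name), 'w').close()
    path = root + '/'          # same shape as the original `path` variable
    hits = {}
    results = {}
    for page in ('index.html', '', 'cgi-bin', '..', 'missing.html'):
        results[page] = (os.path.exists(path + page), is_allowed_page(root, page))
        record_hit(hits, root, page)
    return results, hits


if __name__ == '__main__':
    for page, (exists, allowed) in demo()[0].items():
        print('%-14r exists=%-5s allowed=%s' % (page, exists, allowed))
```

Only 'index.html' reaches the counter; the empty string, the 'cgi-bin' directory and '..' all satisfy the bare existence test but fail the containment check.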