php object injection
5 January, 2015 - 15:25
Hi
Im struggling to get this to work and not sure what i am doing wrong or if im even going in the right direction.
Below is the code and this is what I have so far - data=o:4:"AUTH":1:{s:5:"query";s:4:"id=1";}
<?php
Class AUTH {
public $query;
function user($username, $password) {
$user = mysql_real_escape_string($username);
$pass = md5($password);
$this->query = "username='{$user}' AND password='{$pass}'";
}
function __toString() {
if (!$this->query) die ('Internal Error');
$result = mysql_query("SELECT username FROM `auth` WHERE ".$this->query);
if ($result == false OR mysql_num_rows($result) != 1) return "false";
$row = mysql_fetch_array($result);
$_SESSION['user'] = $row['username'];
return "true";
}
function remember_me($cookie) {
$rArray = @unserialize($cookie);
if (!is_array($rArray)) {
return false;
}
if (!isset($rArray['username']) || !isset($rArray['password'])) {
return false;
}
if (preg_match('/\W/', $rArray['username'])) {
return false;
}
$this->user($rArray['username'], $rArray['password']);
}
}
Class AUTH {
public $query;
function user($username, $password) {
$user = mysql_real_escape_string($username);
$pass = md5($password);
$this->query = "username='{$user}' AND password='{$pass}'";
}
function __toString() {
if (!$this->query) die ('Internal Error');
$result = mysql_query("SELECT username FROM `auth` WHERE ".$this->query);
if ($result == false OR mysql_num_rows($result) != 1) return "false";
$row = mysql_fetch_array($result);
$_SESSION['user'] = $row['username'];
return "true";
}
function remember_me($cookie) {
$rArray = @unserialize($cookie);
if (!is_array($rArray)) {
return false;
}
if (!isset($rArray['username']) || !isset($rArray['password'])) {
return false;
}
if (preg_match('/\W/', $rArray['username'])) {
return false;
}
$this->user($rArray['username'], $rArray['password']);
}
}
<?php
Class DB extends CONFIG{
public $con = false;
public $debug = false;
public $error = false;
function __construct() {
$this->con = mysql_connect($this->dbhost, $this->dbuser, $this->dbpass);
if (!$this->con) die('Could not connect: ' . mysql_error());
mysql_select_db($this->db, $this->con);
$cookieHash = md5($this->SITE_HASH . $_SERVER['HTTP_HOST']);
$sessionHash = md5($this->SITE_HASH . $_SERVER['REMOTE_ADDR']);
session_name($sessionHash);
session_start();
if (isset($_COOKIE[$cookieHash]['remember_me'])) {
$auth = new AUTH;
$auth->remember_me($_COOKIE[$cookieHash]['remember_me']);
}
$user = isset($_SESSION['user']) ? $_SESSION['user'] : '';
$debug = isset($_COOKIE[$cookieHash]['debug']) ? $_COOKIE[$cookieHash]['debug'] : false;
if ($user == 'admin' && $debug) {
$code = $this->Query('SELECT `key` FROM debug');
if ($debug == $code[]) {
$this->debug = true;
echo 'debug on';
}
}
}
function __destruct() {
if ($this->con) mysql_close($this->con);
if ($this->debug && $this->error) die($this->error);
}
function Query($str) {
$result = mysql_query($str) or $this->Error('Error in query : ['.$str.'] ', mysql_error());
if (!$result) return false;
$data = array();
while ($array = mysql_fetch_row($result)) {
$data[] = $array[];
}
return ($data);
}
function Error($str, $msg) {
$this->error = $this->debug ? $str.$msg : false;
return false;
}
function getSecret() {
$overkill = "(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(table_schema=database())and(table_name='secret')and(@)in(@:=column_name)))x)";
$result = $this->Query($overkill);
$column_name = $result[];
$result = $this->Query("SELECT {$column_name} FROM secret");
return (string) $result[];
}
}
Class DB extends CONFIG{
public $con = false;
public $debug = false;
public $error = false;
function __construct() {
$this->con = mysql_connect($this->dbhost, $this->dbuser, $this->dbpass);
if (!$this->con) die('Could not connect: ' . mysql_error());
mysql_select_db($this->db, $this->con);
$cookieHash = md5($this->SITE_HASH . $_SERVER['HTTP_HOST']);
$sessionHash = md5($this->SITE_HASH . $_SERVER['REMOTE_ADDR']);
session_name($sessionHash);
session_start();
if (isset($_COOKIE[$cookieHash]['remember_me'])) {
$auth = new AUTH;
$auth->remember_me($_COOKIE[$cookieHash]['remember_me']);
}
$user = isset($_SESSION['user']) ? $_SESSION['user'] : '';
$debug = isset($_COOKIE[$cookieHash]['debug']) ? $_COOKIE[$cookieHash]['debug'] : false;
if ($user == 'admin' && $debug) {
$code = $this->Query('SELECT `key` FROM debug');
if ($debug == $code[]) {
$this->debug = true;
echo 'debug on';
}
}
}
function __destruct() {
if ($this->con) mysql_close($this->con);
if ($this->debug && $this->error) die($this->error);
}
function Query($str) {
$result = mysql_query($str) or $this->Error('Error in query : ['.$str.'] ', mysql_error());
if (!$result) return false;
$data = array();
while ($array = mysql_fetch_row($result)) {
$data[] = $array[];
}
return ($data);
}
function Error($str, $msg) {
$this->error = $this->debug ? $str.$msg : false;
return false;
}
function getSecret() {
$overkill = "(select(@)from(select(@:=0x00),(select(@)from(information_schema.columns)where(table_schema=database())and(table_name='secret')and(@)in(@:=column_name)))x)";
$result = $this->Query($overkill);
$column_name = $result[];
$result = $this->Query("SELECT {$column_name} FROM secret");
return (string) $result[];
}
}