Stop us (Exploit, PHP)
You cannot stop us!
Noother has created a business to sell .xyz domains for some bucks.
Your job is to find a hole in the script that would allow purchases without paying for it.
You can test the script here.
To help you in debugging, you can take a look at the sourcecode, also as highlighted version.
There is a second file involved for the purchase table: noothtable.php, also as hightlighted version, but you probably don't need it.
Good luck!
Thanks go out to jjk and dloser for testing the challenge.
Your job is to find a hole in the script that would allow purchases without paying for it.
You can test the script here.
To help you in debugging, you can take a look at the sourcecode, also as highlighted version.
There is a second file involved for the purchase table: noothtable.php, also as hightlighted version, but you probably don't need it.
Good luck!
Thanks go out to jjk and dloser for testing the challenge.
GeSHi`ed PHP code for noothtable.php
1 2 3 4 56 7 8 9 1011 12 13 14 1516 17 18 19 2021 22 23 24 2526 27 28 29 3031 32 33 34 3536 37 38 39 4041 42 43 44 4546 47 48 49 5051 52 53 54 5556 57 58 59 6061 62 63 64 6566 67 68 69 7071 72 73 74 7576 77 78 79 8081 82 83 84 8586 87 | <?php final class noothtable extends GDO { public function getClassName() { return __CLASS__; } public function getTableName() { return GWF_TABLE_PREFIX.'wcc_stop_us'; } public function getColumnDefines() { return array( 'sid' => array(GDO::UINT|GDO::PRIMARY_KEY), 'money' => array(GDO::INT, 0), 'fundings' => array(GDO::INT, 0), 'domains' => array(GDO::UINT, 0), 'timestamp' => array(GDO::UINT, GDO::NOT_NULL), ); } public static function initNoothworks($sid) { if (false === self::table(__CLASS__)->selectVar('1', "sid={$sid}")) { return self::table(__CLASS__)->insertAssoc(array( 'sid' => $sid, 'money' => 0, 'fundings' => 0, 'domains' => 0, 'timestamp' => 0, )); } return true; } public static function increaseMoney($sid, $money=10) { $sid = (int)$sid; $money = (int)$money; $time = time(); return self::table(__CLASS__)->update("money=money+{$money}, fundings=fundings+1", "sid={$sid}"); } public static function getMoney($sid) { $sid = (int)$sid; return self::table(__CLASS__)->selectVar('money', "sid={$sid}"); } public static function getFundings($sid) { $sid = (int)$sid; return self::table(__CLASS__)->selectVar('fundings', "sid={$sid}"); } public static function getDomains($sid) { $sid = (int)$sid; return self::table(__CLASS__)->selectVar('domains', "sid={$sid}"); } public static function getTimestamp($sid) { $sid = (int)$sid; return self::table(__CLASS__)->selectVar('timestamp', "sid={$sid}"); } public static function checkTimeout($sid, $time) { $elapsed = time() - self::getTimestamp($sid); self::table(__CLASS__)->update("timestamp=".time(), "sid={$sid}"); return 45 - $elapsed; } public static function purchaseDomain($sid, $price=10) { $sid = (int)$sid; $price = (int)$price; $time = time(); return self::table(__CLASS__)->update("domains=domains+1", "sid={$sid} AND money>={$price}"); } public static function reduceMoney($sid, $price=10) { $sid = (int)$sid; $price = (int)$price; $time = time(); return self::table(__CLASS__)->update("money=money-{$price}", "sid={$sid}"); }} ?> |