Adding 'download' column to existing 'visitors' table (as requested)

Nick the Gr33k nikos.gr33k at gmail.com
Wed Nov 6 03:28:52 EST 2013 

Στις 6/11/2013 9:38 πμ, ο/η Nick the Gr33k έγραψε:
> Ah great!!!
>
> I just examined my other MySQL database which just stored webpages and
> their corresponding visits and voila.
>
> Someone was able to pass values into my counters table:
>
> look:
>
> http://superhost.gr/?show=stats
>
> thats why it didn't had 1 or 2 or 3 as 'counterID' but more values were
> present.
>
> Someone successfully manipulated this part of my code:
>
> if cookieID != 'nikos' and ( os.path.exists( path + page ) or
> os.path.exists( cgi_path + page ) ) and re.search(
> r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
> host ) is None:
>
>      try:
>          # if first time for webpage; create new record( primary key is
> automatic, hit is defaulted ), if page exists then update record
>          cur.execute('''INSERT INTO counters (url) VALUES (%s) ON
> DUPLICATE KEY UPDATE hits = hits + 1''', page )
> ......
> ......
>
> I see no way of messing with the above statement other that tweak with
> the 'page' variable but its not clear to me how.
>
> You as more experience can you tell how the aboev code of database insertio


Here is more insight on how i initiate the 'page' variable:

==========================================
# define how the .html or .python pages are called
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'

file = form.getfirst('file', 'forbidden')		# this value should come only 
from .htaccess and not as http://superhost.gr/~nikos/cgi-bin/metrites.py
page = form.getvalue('page')					# this value comes from 'index.html' or 
from within 'metrites.py'

if os.path.exists( file ) and not page:
	# it is an html template
	page = file.replace( path, '' )
==========================================


Any ideas please on how the hacker manages to pass arbitrary values into 
the 'page' var since i explicitly define it and before database 
insertion i check for:

if cookieID != 'nikos' and ( os.path.exists( path + page ) or 
os.path.exists( cgi_path + page ) )

?!?!

More information about the Python-list mailing list