Adding 'download' column to existing 'visitors' table (as requested)
Nick the Gr33k
nikos.gr33k at gmail.com
Wed Nov 6 03:28:52 EST 2013
On 6/11/2013 9:38 AM, Nick the Gr33k wrote:
> Ah great!!!
>
> I just examined my other MySQL database which just stored webpages and
> their corresponding visits and voila.
>
> Someone was able to pass values into my counters table:
>
> look:
>
> http://superhost.gr/?show=stats
>
> that's why it didn't have 1 or 2 or 3 as 'counterID' but more values were
> present.
>
> Someone successfully manipulated this part of my code:
>
> if cookieID != 'nikos' and ( os.path.exists( path + page ) or
>                              os.path.exists( cgi_path + page ) ) and re.search(
>         r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
>         host ) is None:
>
>     try:
>         # if first time for webpage; create new record( primary key is
>         # automatic, hit is defaulted ), if page exists then update record
>         cur.execute('''INSERT INTO counters (url) VALUES (%s) ON
>                        DUPLICATE KEY UPDATE hits = hits + 1''', (page,) )
>         ......
>         ......
>
> I see no way of messing with the above statement other than tweaking
> the 'page' variable, but it's not clear to me how.
>
> You, as more experienced, can you tell how the above code of database insertio
Here is more insight on how i initiate the 'page' variable:
==========================================
# define how the .html or .python pages are called
path = '/home/nikos/public_html/'
cgi_path = '/home/nikos/public_html/cgi-bin/'
# this value should come only from .htaccess and not as
# http://superhost.gr/~nikos/cgi-bin/metrites.py
file = form.getfirst('file', 'forbidden')
# this value comes from 'index.html' or from within 'metrites.py'
page = form.getvalue('page')
if os.path.exists( file ) and not page:
    # it is an html template
    page = file.replace( path, '' )
==========================================
Any ideas, please, on how the hacker manages to pass arbitrary values into
the 'page' var, since I explicitly define it and before database
insertion I check for:
if cookieID != 'nikos' and ( os.path.exists( path + page ) or
os.path.exists( cgi_path + page ) )
?!?!
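The following is an added example and not code from the post or from metrites.py. It replays the posted existence test, os.path.exists( path + page ) or os.path.exists( cgi_path + page ), against a constructed stand-in for /home/nikos/public_html/ (a temporary directory with a hypothetical index.html, cgi-bin/metrites.py and a secret.txt one level above the docroot), feeding it values an HTTP client can put in the 'page' parameter. It does not claim which value the attacker actually used; it only shows which inputs that check lets through (an empty string, '.', a '..' traversal, a differently spelled name for the same file, and a duplicated parameter that makes form.getvalue() return a list), and pairs it with a hardened check that canonicalises the path with os.path.realpath, requires it to stay under the root, and requires a regular file. The hardened function is an assumption about one reasonable fix, not a statement of what the author's script does; it does not touch the cookie or host-name conditions, which are separate inputs.

```python
import os
import tempfile


def original_check(path, cgi_path, page):
    # The test as posted: true whenever plain string concatenation names
    # something that exists on disk, whatever 'page' contains.
    return os.path.exists(path + page) or os.path.exists(cgi_path + page)


def hardened_page(path, cgi_path, page):
    # Hardened variant (an assumption, not the post's code): accept only a
    # non-empty string naming a regular file inside one of the two roots and
    # return its canonical root-relative name, so '../public_html/index.html'
    # and 'index.html' map to the same counter row. Returns None on rejection.
    if not isinstance(page, str) or not page:
        return None
    for root in (path, cgi_path):
        root_real = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(root_real, page))
        if os.path.commonpath([root_real, candidate]) != root_real:
            continue  # escaped the root via '..' or an absolute path
        if not os.path.isfile(candidate):
            continue  # '', '.', or a directory: exists, but is not a page
        return os.path.relpath(candidate, root_real)
    return None


def build_docroot():
    # Constructed, hypothetical stand-in for /home/nikos/public_html/ and its
    # cgi-bin/, plus a file one level above the docroot.
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, 'public_html') + os.sep
    cgi_path = os.path.join(path, 'cgi-bin') + os.sep
    os.makedirs(cgi_path)
    for name in ('index.html', os.path.join('cgi-bin', 'metrites.py')):
        with open(os.path.join(path, name), 'w') as f:
            f.write('x')
    with open(os.path.join(tmp, 'secret.txt'), 'w') as f:
        f.write('outside the docroot')
    return path, cgi_path


# Values a client could send as ?page=...; the last one models page=...&page=...
CANDIDATES = [
    'index.html',
    'cgi-bin/metrites.py',
    'metrites.py',                 # matched via cgi_path, stored without its directory
    '../public_html/index.html',   # same file as 'index.html', different stored url
    '',                            # path + '' is the docroot itself
    '.',                           # path + '.' is a directory, but exists
    '../secret.txt',               # traversal above the docroot
    ['index.html', 'index.html'],  # duplicated parameter: getvalue() returns a list
]


def run_demo():
    # Map repr(page) -> (result of the posted check, result of the hardened check).
    path, cgi_path = build_docroot()
    results = {}
    for page in CANDIDATES:
        try:
            orig = original_check(path, cgi_path, page)
        except TypeError:
            orig = 'TypeError'  # str + list blows up inside the CGI instead of rejecting
        results[repr(page)] = (orig, hardened_page(path, cgi_path, page))
    return results


if __name__ == '__main__':
    for key, (orig, hardened) in run_demo().items():
        print('%-32s posted check: %-9s hardened: %r' % (key, orig, hardened))
```

Every value in the list except the duplicated parameter passes the posted check, so each one reaches the INSERT and becomes its own 'url' row; the hardened check accepts only the three real files and stores one canonical name for each.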