PHP Source Code Review

We decided to enumerate all pages we could access without authentication using a grep search and used the results as a starting point for our analysis.

grep -rnw /var/www/html/ATutor -e "^.*user_location.*public.*" --color

If a PHP script sets $_user_location to 'public' near its beginning, that resource can be reached without authentication:

$_user_location = 'public';

Any time we see variable names such as query or qry, or function names that contain the string search, our first instinct should be to follow the path and see where the code takes us. It may lead us to nothing or it may lead to code that properly handles user-controlled data, leaving us nothing to work with. Nevertheless, even in a worst case scenario, we could learn how the application handles user input, which can save us time later on when we encounter similar situations.

In PHP every variable starts with $, so a call written as $addslashes(...) is not a call to a function named addslashes. It is a variable function call: $addslashes holds a string, and PHP invokes whatever function that string names. Which function that is depends on where and how the variable was assigned, and following that assignment sometimes uncovers a potential vulnerability introduced by a developer's bad practices.

An important item to note here is that the called function name is stored in a variable called $addslashes and that we are not calling the native PHP addslashes function.
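The following is an added example, not code from ATutor or from the original post. It shows how a variable function call resolves at run time and how a reviewer can find out which body is actually executed. The functions my_null_slashes and pick_escaper, and the legacy-mode flag, are hypothetical and exist only to illustrate the pattern.

```php
<?php
// Added example, not code from ATutor or the original post: how a PHP
// "variable function" call resolves. $addslashes below holds a function
// *name*; $addslashes($x) invokes whatever function that string names,
// which need not be the native addslashes().

// Hypothetical replacement escaper written for this example only: it
// neutralises NUL bytes but leaves quotes untouched.
function my_null_slashes(string $s): string
{
    return str_replace("\0", '\\0', $s);
}

// Hypothetical run-time selection: which escaper is used depends on a
// configuration flag that is invisible at the call site.
function pick_escaper(bool $legacy_mode): string
{
    return $legacy_mode ? 'my_null_slashes' : 'addslashes';
}

$input = "O'Reilly\0";

foreach ([false, true] as $legacy) {
    $addslashes = pick_escaper($legacy);   // a string such as 'addslashes'
    $escaped    = $addslashes($input);     // variable function call

    // ReflectionFunction tells you whether the name resolves to a PHP
    // built-in or to user code whose body you still have to read.
    $ref   = new ReflectionFunction($addslashes);
    $where = $ref->isInternal()
        ? 'PHP built-in'
        : $ref->getFileName() . ':' . $ref->getStartLine();

    printf("%-16s (%s) -> %s\n", $addslashes, $where, $escaped);
}
```

With the flag off, the native addslashes escapes the single quote; with it on, my_null_slashes leaves the quote intact and only the NUL byte is touched. The variable name promised escaping in both cases, which is exactly why the assignment, not the call site, is what has to be reviewed.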

As it turns out, MySQL treats an inline comment (/**/) as whitespace, so it can stand in for a space wherever spaces are filtered or otherwise unavailable. For example, the following query is completely valid in MySQL.

mysql> select/**/1;
+---+
| 1 |
+---+
| 1 |
+---+
1 row in set (0.01 sec)
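The following is an added example, not code from the original post or from ATutor. It pairs a naive whitespace-rejecting input filter with a hypothetical vulnerable lookup and shows that rewriting each space in the payload as /**/ gets past the filter while MySQL still parses the injected UNION. It assumes a reachable MySQL server; the DSN, user, password and the items table are placeholders created for the example.

```php
<?php
// Added example, not code from the original post or from ATutor: a naive
// "no whitespace" filter and the MySQL inline-comment bypass. Assumes a
// reachable MySQL server; the DSN, user and password are placeholders.

// Filter of the kind met in review: rejects any value containing whitespace,
// on the assumption that a UNION-style injection cannot be written without it.
function rejects_whitespace(string $value): bool
{
    return preg_match('/\s/', $value) === 1;
}

// Rewrite a payload so that MySQL still tokenises it without a single
// whitespace character: each space becomes an empty inline comment.
function space_to_comment(string $payload): string
{
    return str_replace(' ', '/**/', $payload);
}

// Hypothetical vulnerable lookup: $id is concatenated straight into the query.
function lookup_name(PDO $pdo, string $id): array
{
    if (rejects_whitespace($id)) {
        throw new InvalidArgumentException('whitespace not allowed');
    }
    $sql = "SELECT name FROM items WHERE id = " . $id;   // injection point
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO('mysql:host=127.0.0.1;dbname=test', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// Constructed sample data; a temporary table vanishes with the connection.
$pdo->exec('CREATE TEMPORARY TABLE items (id INT, name VARCHAR(32))');
$pdo->exec("INSERT INTO items VALUES (1, 'first'), (2, 'second')");

$payload = '1 union select version()';

try {
    lookup_name($pdo, $payload);             // contains spaces: blocked
} catch (InvalidArgumentException $e) {
    echo "filter: " . $e->getMessage() . "\n";
}

// 1/**/union/**/select/**/version() has no whitespace, passes the filter,
// and MySQL executes it as "1 union select version()".
print_r(lookup_name($pdo, space_to_comment($payload)));
```

The second call returns the legitimate row plus the server version appended by the UNION. A filter that only looks at whitespace characters is therefore no defence; the fix is a prepared statement (or a strict integer cast of $id), not a longer blacklist.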

Session tokens are always an interesting item to keep track of as they are used in unexpected ways at times. We’ll make a note of that.