Username: 
Password: 
Restrict session to IP 
Questions  |  score: 3  |  3.99 5.48 5.43 |  Solved By 2181 People  |  489745 views  |  since Aug 27, 2010 - 21:54:29

No Escape (Exploit, PHP, MySQL)

No Escape
The small gizmore software company is expanding, and got contracted to create the new online votings for presidential election in 2012.
The current script is in alpha phase, and we`d like to know if it`s safe.
To prove me wrong you have to set the votecount for at least one of the candidates to 111. There is a reset at 100.
Again you are given the sourcecode, also as highlighted version.

Good Luck!
GeSHi`ed php code for code.include
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
62
63
64
6566
67
68
69
7071
72
73
74
7576
77
78
79
8081
82
83
84
8586
87
88
89
9091
92
93
94
9596
97
98
99
100101
102
103
104
105106
107
108
109
110111
112
113
114
115116
117
118
119
120121
122
123
124
125126
127
128
129
130131
132
133
134
135136
137
138
139
140141
142
143
144
145146
147
148
149
150151
152
153
154
155156
157
158
159
160161
162
<?php
//
// Trigger Moved to index.php
//if (false !== ($who = Common::getGet('vote_for'))) {
//      noesc_voteup($who);//}
//
/**
 * Get the database link
 * @return GDO_Database */
function noesc_db()
{
        static $noescdb = true;
        if ($noescdb === true)        {
                $noescdb = gdo_db_instance('localhost', NO_ESCAPE_USER, NO_ESCAPE_PW, NO_ESCAPE_DB);
                $noescdb->setLogging(false);
                $noescdb->setEMailOnError(false);
        }        return $noescdb;
}
 
/**
 * Create table (called by install-script) * The table layout is crappy, there is only 1 row in the table Oo.
 * @return boolean
 */
function noesc_createTable()
{        $db = noesc_db();
        $query =
                "CREATE TABLE IF NOT EXISTS noescvotes ( ".
                "id     INT(11) UNSIGNED PRIMARY KEY, ". # I could have one row per candidate, but currently there is only one global row(id:1). I know it`s a bit unrealistic, but at least it is safe, isn`t it?
                "bill   INT(11) UNSIGNED NOT NULL DEFAULT 0, ". # bill column                "barack INT(11) UNSIGNED NOT NULL DEFAULT 0, ". # barack column
                "george INT(11) UNSIGNED NOT NULL DEFAULT 0 )"; # george columb
        
        if (false === $db->queryWrite($query)) {
                return false;        }
        return noesc_resetVotes();
}
 
/** * Reset the votes.
 * @return void
 */
function noesc_resetVotes()
{        noesc_db()->queryWrite("REPLACE INTO noescvotes VALUES (1, 0, 0, 0)");
        echo GWF_HTML::message('No Escape', 'All votes have been reset', false);
}
 
/** * Count a vote.
 * Reset votes when we hit 100 or 111.
 * TODO: Implement multi language
 * @param string $who
 * @return void */
function noesc_voteup($who)
{
        if ( (stripos($who, 'id') !== false) || (strpos($who, '/') !== false) ) {
                echo GWF_HTML::error('No Escape', 'Please do not mess with the id. It would break the challenge for others', false);                return;
        }
 
 
        $db = noesc_db();        $who = GDO::escape($who);
        $query = "UPDATE noescvotes SET `$who`=`$who`+1 WHERE id=1";
        if (false !== $db->queryWrite($query)) {
                echo GWF_HTML::message('No Escape', 'Vote counted for '.GWF_HTML::display($who), false);
        }        
        noesc_stop100();
}
 
/** * Get all votes.
 * @return array
 */
function noesc_getVotes()
{        return noesc_db()->queryFirst("SELECT * FROM noescvotes WHERE id=1");
}
 
/**
 * Reset when we hit 100. Or call challenge solved on 111. * @return void
 */
function noesc_stop100()
{
        $votes = noesc_getVotes();        foreach ($votes as $who => $count)
        {
                if ($count == 111) {
                        noesc_solved();
                        noesc_resetVotes();                        break;
                }
                
                if ($count >= 100) {
                        noesc_resetVotes();                        break;
                }
        }
}
 /**
 * Display fancy votes table.
 * New: it is multi language now.
 * @return unknown_type
 */function noesc_displayVotes(WC_Challenge $chall)
{
        $votes = noesc_getVotes();
        echo '<table>';
        echo sprintf('<tr><th>%s</th><th>%s</th><th>%s!</th></tr>', $chall->lang('th_name'), $chall->lang('th_count'), $chall->lang('th_vote'));        $maxwho = '';
        $max = 0;
        $maxcount = 0;
        // Print Candidate rows
        foreach ($votes as $who => $count)        {
                if ($who !== 'id') // Skip ID
                {
                        $count = (int) $count;
                        if ($count > $max) {                                $max = $count;
                                $maxwho = $who;
                                $maxcount = 1;
                        }
                        elseif ($count === $max) {                                $maxcount++;
                        }
                        $button = GWF_Button::generic($chall->lang('btn_vote', array($who)), "index.php?vote_for=$who");
                        echo sprintf('<tr><td>%s</td><td class="gwf_num">%s</td><td>%s</td></tr>', $who, $count, $button);
                }        } 
        echo '</table>';
 
        // Print best candidate.        
        if ($maxcount === 1) {                echo GWF_Box::box($chall->lang('info_best', array(htmlspecialchars($maxwho))));
        }
}
 
/** * Try to get here :)
 */
function noesc_solved()
{
        if (false === ($chall = WC_Challenge::getByTitle('No Escape'))) {                $chall = WC_Challenge::dummyChallenge('No Escape', 2, '/challenge/no_escape/index.php', false);
        }
        $chall->onChallengeSolved(GWF_Session::getUserID());
}
 ?>
 
CandidateVotecountVote!!
bill0Vote for bill
barack0Vote for barack
george0Vote for george
© 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018 and 2019 by Gizmore