Username: 
Password: 
Restrict session to IP 
Questions  |  score: 3  |  4.63 6.02 6.29 |  Solved By 330 People  |  232221 views  |  since Aug 27, 2011 - 02:26:18

Stop us (Exploit, PHP)

You cannot stop us!
Noother has created a business to sell .xyz domains for some bucks.
Your job is to find a hole in the script that would allow purchases without paying for it.
You can test the script here.
To help you in debugging, you can take a look at the sourcecode, also as highlighted version.
There is a second file involved for the purchase table: noothtable.php, also as hightlighted version, but you probably don't need it.

Good luck!

Thanks go out to jjk and dloser for testing the challenge.
GeSHi`ed PHP code for noothtable.php
1
2
3
4
56
7
8
9
1011
12
13
14
1516
17
18
19
2021
22
23
24
2526
27
28
29
3031
32
33
34
3536
37
38
39
4041
42
43
44
4546
47
48
49
5051
52
53
54
5556
57
58
59
6061
62
63
64
6566
67
68
69
7071
72
73
74
7576
77
78
79
8081
82
83
84
8586
87
<?php
final class noothtable extends GDO
{
        public function getClassName() { return __CLASS__; }
        public function getTableName() { return GWF_TABLE_PREFIX.'wcc_stop_us'; }        public function getColumnDefines()
        {
                return array(
                        'sid' => array(GDO::UINT|GDO::PRIMARY_KEY),
                        'money' => array(GDO::INT, 0),                        'fundings' => array(GDO::INT, 0),
                        'domains' => array(GDO::UINT, 0),
                        'timestamp' => array(GDO::UINT, GDO::NOT_NULL),
                );
        }        
        public static function initNoothworks($sid)
        {
                if (false === self::table(__CLASS__)->selectVar('1', "sid={$sid}"))
                {                        return self::table(__CLASS__)->insertAssoc(array(
                                'sid' => $sid,
                                'money' => 0,
                                'fundings' => 0,
                                'domains' => 0,                                'timestamp' => 0,
                        ));
                }
                return true;
        }        
        public static function increaseMoney($sid, $money=10)
        {
                $sid = (int)$sid;
                $money = (int)$money;                $time = time();
                return self::table(__CLASS__)->update("money=money+{$money}, fundings=fundings+1", "sid={$sid}");
        }
        
        public static function getMoney($sid)        {
                $sid = (int)$sid;
                return self::table(__CLASS__)->selectVar('money', "sid={$sid}");
        }
         public static function getFundings($sid)
        {
                $sid = (int)$sid;
                return self::table(__CLASS__)->selectVar('fundings', "sid={$sid}");
        } 
        public static function getDomains($sid)
        {
                $sid = (int)$sid;
                return self::table(__CLASS__)->selectVar('domains', "sid={$sid}");        }
 
        public static function getTimestamp($sid)
        {
                $sid = (int)$sid;                return self::table(__CLASS__)->selectVar('timestamp', "sid={$sid}");
        }
        
        public static function checkTimeout($sid, $time)
        {                $elapsed = time() - self::getTimestamp($sid);
                self::table(__CLASS__)->update("timestamp=".time(), "sid={$sid}");
                return 45 - $elapsed;
        }
                public static function purchaseDomain($sid, $price=10)
        {
                $sid = (int)$sid;
                $price = (int)$price;
                $time = time();                return self::table(__CLASS__)->update("domains=domains+1", "sid={$sid} AND money>={$price}");
        }
 
        public static function reduceMoney($sid, $price=10)
        {                $sid = (int)$sid;
                $price = (int)$price;
                $time = time();
                return self::table(__CLASS__)->update("money=money-{$price}", "sid={$sid}");
        }}
?>
© 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 and 2024 by noother and Gizmore