Title: [Proof] Coindice by johny1976
Post by: d3vnull on November 20, 2017, 07:53:59 PM

Hi everyone,

I'm a fresh member, registered on this forum less than 24 hours ago. I took a job from someone here regarding the CoinDice script sold by johny1976 (https://bitcointalk.org/index.php?topic=507515.0). The member who bought this script was seeking help to install it and make it run on his server. After several hours, it appears that the script provided is a total scam. In this topic I will expose a technical review of it; I invite any PHP developer to participate and/or confirm what I say. As the script sold by johny1976 is not legitimate, and so that everyone can check it, I will provide the source.

Source code

http://s000.tinyupload.com/index.php?file_id=86885185801916457991

Security

The script has multiple critical security issues. I found a lot and I'm sure we can still find more... Here are some:

File: content/requestAccess.php

Line 13: SQL Injection
Code:
    if (empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();

Line 14: SQL Injection
Code:
    $player=mysql_fetch_array(mysql_query("SELECT `password` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));

File: inc/start.php

Line 35: SQL Injection
Code:
    if (mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['unique'])."' LIMIT 1"))!=0) {

Line 36: SQL Injection
Code:
    $player=mysql_fetch_array(mysql_query("SELECT * FROM `players` WHERE `hash`='".prot($_GET['unique'])."' LIMIT 1"));

File: content/ajax/withdraw.php

Line 22: SQL Injection
Code:
    if (empty($_GET['amount']) || empty($_GET['valid_addr']) || empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();

... (There is more SQL injection) ...

Incorrect code

I found multiple errors in the code that make the script simply useless. A lot of misuse and misunderstanding of PHP basics can easily be found in almost every file.
After several hours of debugging / rewriting the CoinDice script, I came to understand that it was a waste of time, since this script has never worked in the first place. I'm not talking about some coding error that every developer can make; this script is a giant mess, and it is unlikely to ever become a working script even with the best motivation in the world.

File: content/ajax/place.php

Lines 98-115: Error:
    PHP Notice: Undefined variable: cas_percprofit in /data/www/default/www/content/ajax/place.php on line 114
Code:
    if ($settings['inv_enable']==1) {

File: content/ajax/divest.php

Line 20: Wtf?
Code:
    if (empty($_GET['_unique']) || mysql_num_rows(mysql_query("SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"))==0) exit();

Lines 26-28: Wtf?
Code:
    if (mysql_num_rows(mysql_query("SELECT `id` FROM `investors` WHERE `player_id`=$player[id] LIMIT 1"))==0) {

File: content/ajax/_stats_load.php

Whole file: Wtf?

There is much more to say about it; it could take me my next 6 hours (use of mysql, long deprecated, instead of mysqli or, even better, mysql stmt), the inclusion of external code that is clearly not made by you, the entire file located in js/includer.php, or zero sanitizing of user input on the server side... I invite any PHP dev to check the source provided in this topic; it is the original one given by johny1976.

I burned my day on this job for nothing. I decided not to take any money from the member who recruited me for his job; he already lost his money buying an unusable script. I hope this member will get banned, to avoid other people falling into his scam; the only way to stop it was to do what I did, expose the source code. I see many other topics regarding this scam...

To johny1976: If you want to defend yourself from this, what about offering an online working demo? I can see in each file of your script:

Quote:
    /*
     * © CoinDice
     * Demo: http://www.btcircle.com/dice
     * Please do not copy or redistribute.
     * More licences we sell, more products we develop in the future.
     */

Why did you remove the Demo? Waiting for your reply... And in this topic, not in PM.

Edit: I just found several Path Traversal vulnerabilities and a potential CSRF... I'm done with this script, I have seen enough.

Title: Re: [Proof] Coindice by johny1976
Post by: flippy on November 23, 2017, 11:24:46 AM

I'm no expert on PHP, but I can't see how a SQL injection would bypass the prot function in any of those examples.
Title: Re: [Proof] Coindice by johny1976
Post by: d3vnull on November 24, 2017, 03:42:17 AM

It is pretty clear, the $_GET method is not sanitized before being included in the SQL request...

https://www.w3schools.com/sql/sql_injection.asp

Basic rule of security: never trust the client.

Edit: I see what you mean; mysql_real_escape_string is far from enough to avoid SQL injection, many advanced SQL injections will bypass it:
- https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
- http://php.net/manual/en/function.mysql-real-escape-string.php

Try the given script with sqlmap.

Using prepared statements is the only way to go if your SQL request will contain a single input from the client. mysqli_query (mysql_query is deprecated) can be used if the request does not rely on any input from the client.

Example of a mysql query that is ok:
Code:
    "UPDATE `system` SET `deposits_last_round`=NOW() WHERE `id`=1 LIMIT 1";

Example of a mysql query where you can expect hell:
Code:
    "SELECT `id` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"

Apart from SQL injection, there are other critical vulns in this script (path traversal, remote include...)

Title: Re: [Proof] Coindice by johny1976
Post by: cdtc on November 24, 2017, 01:13:01 PM

Scam for sure.
Title: Re: [Proof] Coindice by johny1976
Post by: RHavar on November 24, 2017, 06:25:28 PM

Quote:
    It is pretty clear, the $_GET method is not sanitized before being included in the SQL request...

Yes it is. That's what the prot function in your one-line snippet is showing. Do you seriously not know how function application works?

Code:
    prot($_GET['_unique'])

Where prot is defined:
Code:
    function prot($hodnota,$max_delka=0) {

Quote:
    Edit: I see what you mean; mysql_real_escape_string is far from enough to avoid SQL injection, many advanced SQL injections will bypass it:
    - https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
    - http://php.net/manual/en/function.mysql-real-escape-string.php

You should probably read your own links. The way he's using it seems perfectly safe (although definitely not the way I'd do it), assuming you don't intentionally shoot yourself in the foot by changing the db's character set.

--

I couldn't be bothered to read the rest of your accusation, as I feel quite embarrassed just trying to read PHP. But frankly this looks very poor on you. I suspect you don't have his permission to be sharing the source, and there were no quality guarantees offered. And it's rather clear you are struggling to understand some pretty straightforward things...
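The two positions in this thread, escaping via prot() versus the prepared statements d3vnull's reply recommends, shown side by side as an added example that is not code from the CoinDice script or from either poster. It uses the table and column names from the quoted snippets, assumes mysqli with mysqlnd (for get_result()), and the connection credentials are placeholders.

```php
<?php
// Added example, not from the CoinDice script: the "look up a player by hash"
// query quoted in the thread, written with escaping and with a prepared statement.
declare(strict_types=1);

// Escaping + concatenation, as the script does via prot(). This only holds when
// the value sits inside single quotes AND the connection charset was set with
// set_charset() (RHavar's caveat). It gives no protection at all in an unquoted
// numeric context such as `player_id`=$player[id].
function findPlayerEscaped(mysqli $db, string $hash): ?array
{
    $sql = "SELECT `id`, `password` FROM `players` WHERE `hash`='"
         . $db->real_escape_string($hash) . "' LIMIT 1";
    $res = $db->query($sql);
    return $res->fetch_assoc() ?: null;   // null when no row matches
}

// Prepared statement, as recommended in the thread: the value travels separately
// from the SQL text, so no quoting or charset assumption is involved.
function findPlayerPrepared(mysqli $db, string $hash): ?array
{
    $stmt = $db->prepare("SELECT `id`, `password` FROM `players` WHERE `hash`=? LIMIT 1");
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// Numeric context: bind as an integer instead of interpolating the value.
function hasInvestorRow(mysqli $db, int $playerId): bool
{
    $stmt = $db->prepare("SELECT `id` FROM `investors` WHERE `player_id`=? LIMIT 1");
    $stmt->bind_param('i', $playerId);
    $stmt->execute();
    $found = $stmt->get_result()->num_rows > 0;
    $stmt->close();
    return $found;
}

// Usage with placeholder credentials; exceptions instead of silent false returns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');
$player = findPlayerPrepared($db, (string) ($_GET['_unique'] ?? ''));
if ($player === null) {
    exit();
}
```

The escaped variant is kept only to show what the script's approach depends on; the prepared variant needs none of those assumptions and also covers the unquoted numeric case from divest.php.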