Advertisement
Guest User

Untitled

a guest
Mar 13th, 2020
241
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 2.29 KB | None | 0 0
  1. <?php
  2. //Change these based on what user ids your registered users have.
  3. $user_1_id = 1;
  4. $user_2_id = 2;
  5.  
  6. /**
  7.  * When we create an user, let's assume we attach a secret access key to his user ID, under the meta_key 'access_key'.
  8.  *
  9.  * We ask the user for this key every time he wants to do something.
  10.  */
  11. update_user_meta( $user_1_id, 'access_key', 'eiZurewj$ez24pP' );
  12. update_user_meta( $user_2_id, 'access_key', 'xcrpsokfoipu35oE' );
  13.  
  14. /**
  15.  * This is the key that he provides us.
  16.  */
  17. $secret_key_from_frontend = 'eiZurewj$ez24pP';
  18.  
  19. $all_users_ids = get_users([
  20.     'fields' => 'id',
  21.     'meta_key' => 'access_key',
  22.     'meta_compare' => '=',
  23.     'meta_value' => $secret_key_from_frontend
  24. ]);
  25.  
  26. /**
  27.  * We loop through a supposedly safe & accurate list of users that match both the meta_key/value pair.
  28.  * It should be only give us '1'.
  29.  */
  30. echo "User ids that correspond to the correct secret key:";
  31. //Should only return 1.
  32. foreach( $all_users_ids as $user_id ) {
  33.     echo $user_id;
  34.     echo " ";
  35.  
  36.     //Do some sensitive stuff with this, since we "know" the user has the secret key for a specific user id.
  37. }
  38.  
  39. echo "<br>";
  40.  
  41. /**
  42.  * So, let's go ahead and mess with it by making the meta_value empty.
  43.  */
  44.  
  45. $evil_key = '';
  46.  
  47. $evil_user_ids = get_users([
  48.     'fields' => 'id',
  49.     'meta_key' => 'access_key',
  50.     'meta_compare' => '=',
  51.     'meta_value' => $evil_key
  52. ]);
  53.  
  54. echo "User ids that correspond to the evil, empty-space key:";
  55. //Returns 1,2...
  56. foreach( $evil_user_ids as $evil_user_id ) {
  57.     echo $evil_user_id;
  58.     echo " ";
  59.  
  60.     //Do some sensitive stuff with this, only this time, we got tricked, we're doing the same operation for all users.
  61. }
  62.  
  63.  
  64. echo "However, let us see what happens when False is provided for the meta value.";
  65. $proper_user_ids = get_users([
  66.     'fields' => 'id',
  67.     'meta_key' => 'access_key',
  68.     'meta_compare' => '=',
  69.     'meta_value' => False
  70. ]);
  71.  
  72. echo "User ids that correspond to the evil, empty-space key:";
  73. //Returns nothing.
  74. foreach( $proper_user_ids as $proper_user_id ) {
  75.     echo $proper_user_id;
  76.     echo " ";
  77.  
  78.     //Do some sensitive stuff with this, only this time, we got tricked, we're doing the same operation for all users.
  79. }
  80.  
  81. echo "Well, nothing, as it should, but, we are expecting that '' would achieve the same thing.";
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement