know your limits

This little article is only for study purposes. At the beginning of the week we received a new web-based “tool” (the common thingy: php+mysql+js+jquery+smarty) to play around with, build the feedback culture and the synergy between the different techie groups in the company. You can collect points and achievements for feedbacks, solving puzzles/quizzes, etc. When I have to use such a tool I always try some common attacks (sqli, lfi, rfi, directory traversal, etc.), but I failed to do anything nasty... for a while. Soon I figured out that the ‘feedback’ system can be triggered to send a _lot_ of empty feedbacks (well, I don’t think “asdf” and “yolo” are valid feedback :) ) and receive a bunch of points. So let’s fire up curl and do some nasty mass feedback:

$ curl -v -D cookiejar --request POST http://example.com/system/login.php --data "id=userid&password=secret" && curl -v -b cookiejar "http://example.com/system/message.php?action=send_feedback" -d "id=12&level=4&text=asdf"

The first command authenticates us, after that we can use the valid session cookie to send the feedback. The above example sends one feedback, but if we put it in a loop:
$ for i in `seq 1 50`; do curl -v -b cookiejar "http://example.com/system/message.php?action=send_feedback" -d "id=12&level=1&text=asdf"; done

So after a while my colleague received 10.000.000 points for the first day. Obviously my points got reverted back to the original (as I received points for giving feedback also).

After this a 5 feedbacks/user limit got introduced, so what if we send 5 feedbacks to everyone? We’ll receive another bunch of points!

Here it goes:

# the 'ids' file contains the previously extracted user ids, one per line
$ for j in `seq 1 5`; do for i in `cat ids`; do curl -v -b cookiejar "http://example.com/system/message.php?action=send_feedback" -d "id=$i&level=4&text=free points for everyone!!!!1"; done; done

And after this my user got banned and the coder went furious (well, at least me and my team had a great time). So he deleted my user... but he forgot to remove my session :). The session cookie was still valid, thus I became the Ghost in the Shell. I was able to send feedbacks and send private messages without a name... until my manager asked me not to continue :)
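The three defects in the story are all server-side checks that were missing: no cap on feedbacks from one sender to one target, no overall cap per sender once the per-target rule was added, and sessions that outlive the account they belong to. As an added illustration (not the tool's PHP code, and not the author's), the following Python model enforces all three; the caps of 5 per target and 8 per sender per day, the user ids and the minimum text length are constructed values for the demo, not taken from the tool.

```python
"""Model of the server-side limits the post shows were missing (added example,
not the tool's code). All numbers and user ids here are assumed for the demo."""
from collections import defaultdict
from dataclasses import dataclass, field
import secrets

PER_TARGET_CAP = 5         # the "5 feedbacks per user" rule from the post
PER_SENDER_DAILY_CAP = 8   # assumed: bounds the "send 5 to everyone" variant
MIN_TEXT_LEN = 10          # assumed: rejects "asdf" / "yolo" style feedback


class FeedbackError(Exception):
    pass


@dataclass
class FeedbackService:
    users: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)  # token -> user id
    per_target: dict = field(default_factory=lambda: defaultdict(int))  # (sender, target) -> count
    per_sender: dict = field(default_factory=lambda: defaultdict(int))  # sender -> count today
    points: dict = field(default_factory=lambda: defaultdict(int))

    def login(self, user_id):
        if user_id not in self.users:
            raise FeedbackError("unknown user")
        token = secrets.token_hex(16)
        self.sessions[token] = user_id
        return token

    def _sender(self, token):
        # Resolve the cookie AND confirm the account still exists, so a
        # deleted user cannot keep acting through an old session.
        sender = self.sessions.get(token)
        if sender is None or sender not in self.users:
            self.sessions.pop(token, None)
            raise FeedbackError("invalid session")
        return sender

    def send_feedback(self, token, target, text):
        sender = self._sender(token)
        if target not in self.users or target == sender:
            raise FeedbackError("bad target")
        if len(text.strip()) < MIN_TEXT_LEN:
            raise FeedbackError("feedback too short")
        if self.per_target[(sender, target)] >= PER_TARGET_CAP:
            raise FeedbackError("per-target limit reached")
        if self.per_sender[sender] >= PER_SENDER_DAILY_CAP:
            raise FeedbackError("daily limit reached")
        self.per_target[(sender, target)] += 1
        self.per_sender[sender] += 1
        self.points[target] += 1
        self.points[sender] += 1
        return self.points[target]

    def delete_user(self, user_id):
        self.users.discard(user_id)
        # Revoke every session of the deleted account, not just the row.
        for tok in [t for t, u in self.sessions.items() if u == user_id]:
            del self.sessions[tok]


def demo():
    svc = FeedbackService(users={"max", "colleague", "u3", "u4"})  # constructed
    tok = svc.login("max")
    text = "constructive, specific feedback text"
    # Looping 50 times against one colleague stops at the per-target cap.
    to_colleague = 0
    for _ in range(50):
        try:
            svc.send_feedback(tok, "colleague", text)
            to_colleague += 1
        except FeedbackError:
            break
    # Spreading 5 feedbacks over every other user hits the per-sender cap.
    total = to_colleague
    for target in ("u3", "u4"):
        for _ in range(PER_TARGET_CAP):
            try:
                svc.send_feedback(tok, target, text)
                total += 1
            except FeedbackError:
                pass
    # Deleting the account also kills its session.
    svc.delete_user("max")
    try:
        svc.send_feedback(tok, "colleague", text)
        ghost = True
    except FeedbackError:
        ghost = False
    return {"to_colleague": to_colleague, "total": total, "ghost_session_works": ghost}


if __name__ == "__main__":
    print(demo())  # {'to_colleague': 5, 'total': 8, 'ghost_session_works': False}
```

The per-sender counter is what closes the second trick: a per-target rule alone scales with the number of users, so an attacker with the user list still gets 5 × N free points. Checking the account on every request (rather than only at login) is what closes the ghost session; in a real deployment the same check would run against the users table, and a ban or deletion would also delete the session rows.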

regards,
m@x
