
Perplexity 🤖
Everything posted by Perplexity 🤖
-
Here is the full code for the test page, it is a bit messy, but at least you can see what each filter is doing:

<?php
// turn on output buffering, to speed up php processing
//ob_start();
ini_set('zlib.output_compression_level', 3);
ob_start("ob_gzhandler");
// prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0", false);
session_cache_limiter("nocache");
session_start();

if (isset($_POST['allowdb']) && $_POST['allowdb'] == "selected"){
    echo "(DB accessed)<br><br>";
    ////////////
    // BEGIN CODE make the connection to the no.1 database
    // $srvr, $sqluser, $sqlpass and $sqldb are assumed to be set in an include that is not shown here
    $sqlcon = @mysql_connect($srvr, $sqluser, $sqlpass) or die("Unable to connect to database server, please try again.");
    $sqldb2 = @mysql_select_db($sqldb, $sqlcon) or die("Unable to access database, please try again.");
    // END CODE
    ////////////
}
?>
<html>
<head>
<TITLE>test</TITLE>
</head>
<BODY>
<?php
// added this to separate each filter type to prevent clashes
$t1 = $t2 = $t3 = $t4 = $t5 = $t6 = array();
foreach ($_POST as $key => $value){
    $t1[$key] = $value;
    $t2[$key] = $value;
    $t3[$key] = $value;
    $t4[$key] = $value;
    $t5[$key] = $value;
    $t6[$key] = $value;
}

echo "Version 1:";
function stripslashes_deep($value){
    if (is_array($value)){
        $value = array_map('stripslashes_deep', $value);
    } else {
        $value = stripslashes($value);
        // decode any converted characters, to prevent things such as & from happening !
        $value = htmlspecialchars_decode($value);
    }
    return $value;
}
$t1 = array_map('stripslashes_deep', $t1);
//$_GET=array_map('stripslashes_deep',$_GET);
//$_COOKIE=array_map('stripslashes_deep',$_COOKIE);
//$_REQUEST=array_map('stripslashes_deep',$_REQUEST);

function clean_post_var($var){
    if (is_array($var)){
        $var = array_map('clean_post_var', $var);
    }
    if (get_magic_quotes_gpc()){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    } elseif (!get_magic_quotes_gpc()){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    }
}
$t1 = array_map('clean_post_var', $t1);
//$_GET=array_map('clean_post_var',$_GET);
//$_COOKIE=array_map('clean_post_var',$_COOKIE);
//$_REQUEST=array_map('clean_post_var',$_REQUEST);
echo "$t1[check] <br><br>\n";

///////////////////////////////
echo "Version 2: ";
function stripslashes_deep2($value){
    if (is_array($value)){
        $value = array_map('stripslashes_deep2', $value);
    } else {
        $value = stripslashes($value);
        // decode any converted characters, to prevent things such as & from happening !
        $value = htmlspecialchars_decode($value);
    }
    return $value;
}
$t2 = array_map('stripslashes_deep2', $t2);
//$_GET=array_map('stripslashes_deep2',$_GET);
//$_COOKIE=array_map('stripslashes_deep2',$_COOKIE);
//$_REQUEST=array_map('stripslashes_deep2',$_REQUEST);

function clean_post_var2($var){
    if (is_array($var)){
        $var = array_map('clean_post_var2', $var);
    }
    // check if mysql_real_escape_string is available: it returns FALSE when there is no DB connection
    if (mysql_real_escape_string($var) === false){
        $var = addslashes($var); // fall back to addslashes() when mysql_real_escape_string() is not possible
    } else {
        // mysql_real_escape_string available
        $var = mysql_real_escape_string($var);
    }
    $var = htmlspecialchars($var, ENT_QUOTES);
    return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
}
$t2 = array_map('clean_post_var2', $t2);
//$_GET=array_map('clean_post_var2',$_GET);
//$_COOKIE=array_map('clean_post_var2',$_COOKIE);
//$_REQUEST=array_map('clean_post_var2',$_REQUEST);
echo "$t2[check] <br><br>\n";

///////////////////////////////////////
// test 3
//********** loops all $_POST variables and cleans them automatically *************//
// clean XSS/SQL injection
function clean($var){
    // decode any converted characters, to prevent things such as & from happening !
    $var = htmlspecialchars_decode($var);
    $var = trim(strip_tags($var)); // remove extra spaces, and strip tags
    if (!get_magic_quotes_gpc()){
        // check if get_magic_quotes_gpc is on, if not add slashes, (if on it is already slashed)
        $var = addslashes($var);
    }
    // check if mysql_real_escape_string is available: it returns FALSE when there is no DB connection
    if (mysql_real_escape_string($var) === false){
        // not available, keep the addslashes() escaping from above
    } else {
        // mysql_real_escape_string available
        $var = stripslashes($var); // strip slashes before doing mysql_real_escape_string
        $var = mysql_real_escape_string($var);
    }
    $var = htmlspecialchars($var, ENT_QUOTES);
    return $var;
}
$t3checkresult = clean($t3['check']); // temporary for testing
echo "Version 3 clean(): $t3checkresult <br><br>\n";

// test 4
//-----------------------------------------------------ANTI-XSS FUNCTION------------------------------
function RemXSS($val){
    $val = strip_tags($val);
    // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed
    // this prevents some character re-spacing such as <java\0script>
    // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
    $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val);

    // straight replacements, the user should never need these since they're normal characters
    // this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
    $search = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    for ($i = 0; $i < strlen($search); $i++){
        // ;? matches the ;, which is optional
        // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars
        // &#x0040 @ search for the hex values
        $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ;
        // &#00064 @ 0{0,7} matches '0' zero to seven times
        $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ;
    }

    // now the only remaining whitespace attacks are \t, \n, and \r
    $ra1 = Array('javascript','vbscript','expression','applet','meta','xml','blink','link','style','script','embed','object','iframe','frame','frameset','ilayer','layer','bgsound','title','base');
    $ra2 = Array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate','onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange','onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick','ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate','onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete','onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel','onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart','onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop','onsubmit','onunload');
    $ra = array_merge($ra1, $ra2);

    $found = true; // keep replacing as long as the previous round replaced something
    while ($found == true){
        $val_before = $val;
        for ($i = 0; $i < sizeof($ra); $i++){
            $pattern = '/';
            for ($j = 0; $j < strlen($ra[$i]); $j++){
                if ($j > 0){
                    // allow encoded tab/newline/carriage-return entities between the letters of the keyword
                    $pattern .= '(';
                    $pattern .= '(&#[xX]0{0,8}([9ab]);)';
                    $pattern .= '|';
                    $pattern .= '|(&#0{0,8}([9|10|13]);)';
                    $pattern .= ')*';
                }
                $pattern .= $ra[$i][$j];
            }
            $pattern .= '/i';
            $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag
            $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags
            if ($val_before == $val){
                // no replacements were made, so exit the loop
                $found = false;
            }
        }
    }
    return $val;
}
$t4checkresult = RemXSS($t4['check']); // temporary for testing
echo "Version 4 remXSS(): $t4checkresult <br><br>\n";

// test 5
$var = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $t5['check']);
// decode any converted characters, to prevent things such as & from happening !
$var = htmlspecialchars_decode($var);
$t5checkresult = preg_replace('/[^a-zA-Z0-9\.\s@\-&]/', '', $var);
echo "Version 5 preg_replace(): $t5checkresult <br><br>\n";

// test 6
// this is called to remove arrays from user inputs, when there should not be any arrays (hack attempts)
function dropInputArrays($var){
    if (is_array($var)){ // if input is an array, then empty it.
        $var = "";
    }
    // note: nothing is returned here, so the caller always receives NULL (see "not working" below)
}
$t6checkresult = dropInputArrays($_POST['check']);
echo "Version 6 drop arrays: $t6checkresult (not working at the moment)<br><br>\n";

// field input auto refill options
$selected1 = $selected2 = $selected3 = $selected4 = $selected5 = $selected6 = $selectedpost = "";
$checkvalue = "";
if ($_POST['fieldfilter'] == "1"){ $selected1 = "selected"; $checkvalue = $t1['check']; }
if ($_POST['fieldfilter'] == "2"){ $selected2 = "selected"; $checkvalue = $t2['check']; }
if ($_POST['fieldfilter'] == "3"){ $selected3 = "selected"; $checkvalue = $t3checkresult; }
if ($_POST['fieldfilter'] == "4"){ $selected4 = "selected"; $checkvalue = $t4checkresult; }
if ($_POST['fieldfilter'] == "5"){ $selected5 = "selected"; $checkvalue = $t5checkresult; }
if ($_POST['fieldfilter'] == "6"){ $selected6 = "selected"; $checkvalue = $t6checkresult; }
if ($_POST['fieldfilter'] == "post"){ $selectedpost = "selected"; $checkvalue = $_POST['check']; }
//$checkvalue=htmlspecialchars($checkvalue,ENT_QUOTES);
$checkvalue = str_replace("\\", "", $checkvalue);
$_POST['check2'] = isset($_POST['check2']) ? str_replace("\\", "", $_POST['check2']) : "";
?>
<FORM METHOD="POST" ACTION="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<P>
Input string to test<br><br>
<INPUT TYPE="text" NAME="check" SIZE=70 VALUE="<?php echo($checkvalue); ?>">
Use filter:<SELECT name="fieldfilter" id="fieldfilter">
<option value="1" <?php echo ($selected1); ?>>1</option>
<option value="2" <?php echo ($selected2); ?>>2</option>
<option value="3" <?php echo ($selected3); ?>>3</option>
<option value="4" <?php echo ($selected4); ?>>4</option>
<option value="5" <?php echo ($selected5); ?>>5</option>
<option value="6" <?php echo ($selected6); ?>>6</option>
<option value="post" <?php echo ($selectedpost); ?>>POST</option>
</select><br>
<INPUT TYPE="text" NAME="check2" SIZE=70 VALUE="<?php echo($_POST['check2']); ?>"> (raw unfiltered post output (slashes stripped only)<br>
Allow DB connection <SELECT name="allowdb" id="allowdb">
<option value="selected">Yes</option>
<option value="">No</option>
<option value="selected"<?php echo ($_POST['allowdb']); ?>>Last Choice (<?php echo ($_POST['allowdb']); ?>)</option>
</select>
<BR>
<BR>
<INPUT TYPE="submit" NAME="submit" VALUE="test" style="font-family: Tahoma">
</P>
</FORM>
</body>
</html>

I also added htmlspecialchars_decode() early on, to prevent things like & from happening.
-
The test page is not using any tables, it does have a DB connection (to allow mysql_real_escape_string() to work). The page is supposed to be stripping out and converting characters (if you view the page source it shows up a lot better), as you can see, it has different filters, which do slightly different things. What strings are you using to test it?
-
OK, here is a test page: http://www.ezyauctionz.co.nz/sanitizingtest.php Have a crack at it, and see which "Version" works the best with your attempts to exploit it. The input field allows you to use filtered output, or raw post data. You can also turn off database access to see what happens to mysql_real_escape_string().
-
I think this may be slightly better, as it will check for nested arrays:

<?php
function stripslashes_deep($value){
    $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
    return $value;
}
$_POST    = array_map('stripslashes_deep', $_POST);
$_GET     = array_map('stripslashes_deep', $_GET);
$_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);

function clean_post_var($var){
    if (is_array($var)){
        $var = array_map('clean_post_var', $var);
    }
    if (get_magic_quotes_gpc()) {
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    } elseif (!get_magic_quotes_gpc()){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    }
}
$_POST    = array_map('clean_post_var', $_POST);
$_GET     = array_map('clean_post_var', $_GET);
$_COOKIE  = array_map('clean_post_var', $_COOKIE);
$_REQUEST = array_map('clean_post_var', $_REQUEST);
?>
-
Or maybe even this way:

<?php
function stripslashes_deep($value){
    $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
    return $value;
}
$_POST    = array_map('stripslashes_deep', $_POST);
$_GET     = array_map('stripslashes_deep', $_GET);
$_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);

function clean_post_var($var){
    if (get_magic_quotes_gpc()) {
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    } elseif (!get_magic_quotes_gpc()){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    }
}
$_POST    = array_map('clean_post_var', $_POST);
$_GET     = array_map('clean_post_var', $_GET);
$_COOKIE  = array_map('clean_post_var', $_COOKIE);
$_REQUEST = array_map('clean_post_var', $_REQUEST);
?>
-
I think you could reduce some repetitions in your new code, like so:

<?php
function stripslashes_deep($value){
    $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
    return $value;
}
$_POST    = array_map('stripslashes_deep', $_POST);
$_GET     = array_map('stripslashes_deep', $_GET);
$_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);

if (get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    }
} elseif (!get_magic_quotes_gpc()){
    function clean_post_var($var){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return filter_var($var, FILTER_SANITIZE_STRING); // PHP5 Version
    }
}
$_POST    = array_map('clean_post_var', $_POST);
$_GET     = array_map('clean_post_var', $_GET);
$_COOKIE  = array_map('clean_post_var', $_COOKIE);
$_REQUEST = array_map('clean_post_var', $_REQUEST);
?>
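All three clean_post_var() variants above run the SQL escaping, the HTML escaping and FILTER_SANITIZE_STRING over every input in one pass, so a value like O'Reilly is stored with a backslash and is HTML-encoded before it is ever displayed. As an added example that is not from the thread, the same recursive stripslashes walk is kept, but input is only validated, SQL escaping is left to a PDO prepared statement and HTML escaping is done once at output time; the DSN, the credentials and the items table are assumptions for this example.

```php
<?php
// Undo magic_quotes_gpc recursively, as the thread's stripslashes_deep() does, but only
// when the setting is actually on (PHP < 5.4; get_magic_quotes_gpc() is gone in PHP 8).
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_POST    = array_map('stripslashes_deep', $_POST);
    $_GET     = array_map('stripslashes_deep', $_GET);
    $_COOKIE  = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

// Validation on input: reject shapes that are not expected (the test page's "drop arrays"
// idea) and enforce type and length, but leave the characters themselves untouched.
function post_string($key, $maxlen = 255) {
    if (!isset($_POST[$key]) || is_array($_POST[$key])) {
        return null;                       // missing, or an array where a scalar was expected
    }
    $v = trim($_POST[$key]);
    return (strlen($v) > 0 && strlen($v) <= $maxlen) ? $v : null;
}
function post_int($key) {
    return (isset($_POST[$key]) && !is_array($_POST[$key]) && ctype_digit($_POST[$key]))
        ? (int) $_POST[$key] : null;
}

// SQL context: a prepared statement sends the value separately from the query text,
// so no quoting step is needed and O'Reilly is stored as O'Reilly.
// (EXAMPLE_DB / EXAMPLE_USER / EXAMPLE_PASS and the items table are placeholders.)
$pdo = new PDO('mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4', 'EXAMPLE_USER', 'EXAMPLE_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the server bind the parameters
]);
$title = post_string('check');
$qty   = post_int('qty');
if ($title !== null && $qty !== null) {
    $stmt = $pdo->prepare('INSERT INTO items (title, qty) VALUES (:title, :qty)');
    $stmt->execute([':title' => $title, ':qty' => $qty]);
}

// HTML context: escape at the point of output, once, for the context the value lands in.
function h($s) {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
?>
<input type="text" name="check" value="<?php echo h($title); ?>">
<p>You entered: <?php echo h($title); ?></p>
```

The stored row keeps the original text, and the same h() call is all that is needed wherever the value is echoed into HTML later.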
-
Thanks for the code, I will have to study it to work out how it works. One point though, if get_magic_quotes_gpc is not turned on, then none of the code will run, which is the reason I modified the original, especially important for future compatibility as get_magic_quotes_gpc is turned off by default in php5 and removed from php6. I am trying to use code that will not require me to have to revisit it later to rewrite it when functions are known to be deprecated in later versions of php.
-
Opinions on my site please
ezyauctionz.co.nz replied to ezyauctionz.co.nz's topic in Website Critique
Yep, NZ... Middle Earth... you'll be calling me a hobbit next. :-)
-
I have modified the original version, to make it a bit safer (not as tidy, mind), now it checks mysql_real_escape_string to see if it is available before it tries to use it (it requires a db connection to be present first), also it always falls back, instead of not doing anything if get_magic_quotes_gpc is turned off.

function clean($var){
    $var = trim(strip_tags($var)); // remove extra spaces, and strip tags
    if (!get_magic_quotes_gpc()){
        // check if get_magic_quotes_gpc is on, if not add slashes, (if on it is already slashed)
        $var = addslashes($var);
    }
    // check if mysql_real_escape_string is available: it returns FALSE when there is no DB connection
    if (mysql_real_escape_string($var) === false){
        // not available, keep the addslashes() escaping from above
    } else {
        // mysql_real_escape_string available
        $var = stripslashes($var); // strip slashes before doing mysql_real_escape_string
        $var = mysql_real_escape_string($var);
    }
    $var = htmlspecialchars($var, ENT_QUOTES);
    return $var;
}
//array_walk_recursive($_GET,'clean');  // all GET items
//array_walk_recursive($_POST,'clean'); // all POST items
$_POST['item'] = clean($_POST['item']); // single item
-
Opinions on my site please
ezyauctionz.co.nz replied to ezyauctionz.co.nz's topic in Website Critique
Thank you for your feedback. Yes it is for business, ebay is not used in my country, there is a large site in existence here, but they charge like a wounded bull... and people are trying to find somewhere better. It looks like I will have to encode all those urls so they validate.
-
Recently I was trying to use this code, to replace my original code, which lists EACH variable passed, for GET and POST, only I could not get it to work the way I wanted for some reason, it will work, but not when using array_walk_recursive():

if (get_magic_quotes_gpc()){
    // clean XSS/SQL injection
    function clean($var){
        $var = mysql_real_escape_string(trim(strip_tags($var)));
        $var = htmlspecialchars($var, ENT_QUOTES);
        return $var;
    }
    //array_walk_recursive($_GET,'clean');  // wouldn't work
    //array_walk_recursive($_POST,'clean'); // wouldn't work
    $_POST['input'] = clean($_POST['input']); // temporary for testing - works
}

But the array_walk_recursive was not actually working on the POST and GET arrays, calling it for each variable does work though.
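array_walk_recursive() hands each leaf value to the callback by value unless the callback declares its parameter with &, and it discards whatever the callback returns, so a value-returning clean() like the one above leaves $_POST unchanged. As an added example that is not from the post, the same escaping steps are written once as an in-place callback for array_walk_recursive() and once as a value-returning recursive function for array_map(); it uses addslashes() in place of mysql_real_escape_string() only so that it runs without a database connection, and the sample input is constructed.

```php
<?php
// Same steps as the post's clean(), as an in-place callback: the "&" on $value is what
// lets array_walk_recursive() modify the array it walks. addslashes() stands in for
// mysql_real_escape_string() here purely so the example runs without a mysql_* connection.
function clean_in_place(&$value, $key) {
    if (!is_string($value)) {
        return;                                       // leave ints/nulls untouched
    }
    $value = addslashes(trim(strip_tags($value)));    // stand-in for mysql_real_escape_string()
    $value = htmlspecialchars($value, ENT_QUOTES);
}

// The value-returning form: array_walk_recursive() ignores this return value, so this
// version has to recurse itself (via array_map) and hand back a new array.
function clean($var) {
    if (is_array($var)) {
        return array_map('clean', $var);
    }
    if (!is_string($var)) {
        return $var;
    }
    $var = addslashes(trim(strip_tags($var)));
    return htmlspecialchars($var, ENT_QUOTES);
}

// Constructed sample standing in for $_POST, including a nested array and a non-string.
$input = [
    'item'  => "  O'Reilly <b>book</b> ",
    'tags'  => ['<script>x</script>', 'plain'],
    'count' => 3,
];

$walked = $input;
array_walk_recursive($walked, 'clean_in_place');     // modified in place
$mapped = clean($input);                             // new array returned

// Both give item => "O\&#039;Reilly book", tags => ["x", "plain"], count => 3
var_dump($walked === $mapped);                       // bool(true)
```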
-
When I tested it, it was when trying to resolve the xss exploit in the chatroom (from the old thread that was started by the guy trying to hack my site), I just inserted mysql_real_escape_string into another page and it seemed to be OK, so I will look into adding that instead of htmlspecialchars. I will look into this further first, in case I can get it working OK (looks like I might), so for now please keep looking for any other problems.
-
with strip_tags(), then htmlspecialchars() also nl2br() on certain fields, and int() for variables that are only going to be numbers. I will add trim(), I think it will be a good thing to ensure empty strings are not used. I tried mysql_real_escape_string() but it gave me errors for some reason, it may be because it was before the script opened a connection.
-
It may be OK, as the login processing script does redirect to a second login page if login fails, as it would when it does not find a correct match, that seems to correspond with the report it generates. Please test whatever you can think of, I want to be sure (as much as is possible) that things are OK sitewide.
-
Hi All, Can you please test out my site for any issues I may have missed, it is a working site, so please do NOT do anything that may damage it. If anything is found, then please send me the details in a private message to keep it out of the public eye until I fix it, once I fix the issue, it can then be posted here for other people to learn from. http://www.ezyauctionz.co.nz As per rules, link to my profile is here: http://www.ezyauctionz.co.nz/phpfreaks.html Also, if you happen to know the solution to correct any issues found, please tell me too, in case I do not know how to resolve it.
-
I would appreciate some feedback on my site: http://www.ezyauctionz.co.nz I have built the entire site myself, from scratch, I certainly don't know everything, so some assistance by way of feedback would be appreciated.
-
Please remove this thread, "Sam" is unknown to me, and ezyauctionz is my site, he was trying to hack it.