scuarplex

Hey, i was reading some code and i find this: if(stristr($_SESSION["s"]["user"]["asdasd"]),$someString) How the double/triple [] in $_SESSION works ? PS: I tryied to google it but it was kinda hard to search :X Thanks.

It didn't work either Now the request are exactly the same as the browser request but i still got 400 on my script. I don't know wtf is going on. Anyone could do a simple socket connection script with google to see if anyone can make it? PS: sorry i didn't answer earlier, and thanks btherl for all your help

Solved, i just had to use $_GET instead of $_POST >.<

Hi, in a include i put this: include.php function printIndex() { print ' ... <a href="mypage.php?add=1"><p class="auto-style2"><img alt="" align="middle" height="43" src="images/add.png" width="200"></a></p> <a href="mypage.php?remove=1"><p class="auto-style2"><img alt="" align="middle" height="33" src="images/remove.png" width="340"></a></p> ... '; } And in mypage.php i got: <?php session_start(); include 'include.php'; if(isset($_SESSION["h_user"])) { if(!isset($_POST["remove"]) && !isset($_POST["add"])) {printIndex();} } ?> My problem is that when i click on "mypage.php?add=1" it still uses the function printIndex(), so it's not sending the POST params. ¿What do i have to do to send the params by URL?

Aaa ok, thanks for the tip Oops, i missed that one. I just tried with the \r\n at the end of the line but i'm still getting 400. I just changed the headers to Get,Host,and jump line like you said but i still got squat. The only strange thing that i notice was when i change the protocol with this headers to HTTP/1.0. I still got the 400 error but this time i got the google Bad request web source instead of a php error. I'll attach the expanded capture, but it's a bit tedious. One more thing: I checked the packet when i was sending the GET trough google website and the headers are exactly the same that i write the second time (with the \r\n near Accept-Language ) (I'm using wamp and i aready make sure that the extension is enable on every php.ini there is on my computer). Greets [attachment deleted by admin]

One more thing, update your phpBB3 forum! It's pretty old, and there's already a few XSS in the wild that affects it.

This looks like an automated attack of some russian spammer. Check your apache logs in the time that your files were modified and you'll know exactly how they do it. Also check your upload folder to see if you find any strange file. Uploaders can be bypassed depending on how you code it.

Hi mate, i've been trying to connect to www.google.com on port 80 to keep it simple for now, and i do what you've told me and i've found that i'm getting "400 Bad Request" as response. Also, look this picture: http://s2.postimage.org/n5vk1quoy/bacdchk.jpg As you can notice there's some kind of bad checksum error from my ip to google's IP, maybe that it's provoking the bad request? In the attachment is the capture between my pc and google, and this is the code: function googlear($search,$filtro,$safe) { $search = str_replace(" ","+",$search); //Abrimos el socket $socket = fsockopen( "64.233.163.104", 80, $errno,$errdesc,30); if (!$socket) {print "$errstr ($errno)<br/>\n";die;}; $busqueda = "/search?q=".$search; if($safe = true) { $busqueda = $busqueda . "&safe=active"; } if($filtro != true) { $busqueda = $busqueda . "&filter=0"; } $request = "GET $busqueda HTTP/1.1\r\n"; $request .= "Host: www.google.com/\r\n"; $request .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n"; $request .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; $request .= "Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3"; $request .= "Accept-Encoding: gzip, deflate\r\n"; $request .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $request .= "Keep-Alive: 115\r\n"; $request .= "DNT: 1\r\n"; $request .= "Connection: keep-alive\r\n\r\n"; $get = array(); fputs($socket, $request); //stream_set_blocking($socket, 0); while(!feof($socket)) { $get[] = fgets($socket, 1024); } //Cerramos fclose($socket); return count($get); } Greets, and thanks for your answers [attachment deleted by admin]

Check your apache log. Are you using any kind of premade CMS or something like that?

btherl: I did what you told me, and i put the "/" in search and i got exactly the same headers but still i'm getting: "Fatal error: Maximum execution time of 30 seconds exceeded in ..." I've been using wireshark (a sniffer) while i was using this function to see if i was connecting, and this is what i get: It seems like the socket it's connecting, but i still got that error... PS: changed the socket to run on ssl with ssl://encrypted.google.com and 443 as port from the original.

My bad it wasn't solved, but i think i have discovered the problem, it's just that i don't know how to solve it. I think that my problem is that my script is running on windows and the google server it's not. So the end of the line/file will be different and it won't be recognized. Anyone know how to solve this?

It was that, thanks!

Hi, i'm developing an app in wampp, i'm usually use cUrl but this time i wanted to try sockets for a change and more portability. I have followed the basic socket structure but i can't connect. So this is my code: function googlear($search,$filtro,$safe) { //Abrimos el socket $socket = fsockopen( "www.google.com", 80, $errno,$errdesc); if (!$socket) {print "$errstr ($errno)<br/>\n";die;}; $busqueda = "search?q=".$search."&num=100";//Solo me va a tirar 100 resultados por ahora, para ir pasando de pagina arranco de start=0 y voy sumando de a 100 para pasar de pagina. if($safe = true) { $busqueda = $busqueda . "&safe=active"; } if($filtro != true) { $busqueda = $busqueda . "&filter=0"; } $request = "GET $busqueda HTTP/1.1\r\n"; $request .= "Host: www.google.com\r\n"; $request .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n"; $request .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"; $request .= "Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3"; $request .= "Accept-Encoding: gzip, deflate\r\n"; $request .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"; $request .= "Connection: keep-alive\r\n"; //Mando las cabeceras con el socket como resource fputs($socket, $request); while(!feof($socket)) { $busqueda[] = fgets($socket, 1024); } //Cerramos fclose($socket); return count($busqueda); } As you can see i'm doing a GET and waiting for the count of lines of the array as result (just to test), but i'm getting "Fatal error: Maximum execution time of 30 seconds exceeded in [...]". It can't take that long to make a GET Request... Any clues?

Hi, im posting here because i'm not sure what function should i use or how to do it. My idea is to search strings such as: ',",%27,SELECT,INSERT,script, and a few other dangerous inputs. If i find any of these in a string then i return true to do a few other things. I'm aware of mysql_real_escape_string, but i don't want to just filter the input. I also been checking out functions such as strstr, but the needle takes only one string to find. Are you guys aware of any functions that i can use to search a few words from one input string? Otherwise i'll just use strstr with a while or something like that. Thanks in advance. (Sorry if this topic don't belong here, i'm not sure.)