
Need some input


jonsjava


Hey guys. My 3rd question ever.  Kinda feels weird asking questions here, but I know that if I ask, you'll answer.

I'm writing some security functions to check code.  I'm wanting to make sure that this function works as intended.  If there are other injections/GET variables I need to be aware of (that I haven't thought of, and I'm sure there are), I'd be grateful if you enlightened me to them:


The function (checkForAttack) takes any data passed to it and checks it for known exploits. If they are there, it sends me a message telling me who they are, where they are from, what they attempted to pass, when they tried it, and what page it was that they attacked, and if it's a GET variable, it then redirects them to the site they attempted to inject code with.  If it's just a simple SQL injection, I let them pass (without telling them I know), because I scrub that stuff after it passes through this script.


Here's the function:

<?php
function checkForAttack($input, $is_get=false){
    if ($is_get != false && strstr($input, "http")){
        $subject = "Hacking (GET) attempt on your website!";
        $to = "[email protected]";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y H:i:s"); // 'u' (microseconds) is always 000000 with date()
        // escapeshellarg() makes sure the address is never interpreted by the shell
        $whois = shell_exec("/usr/bin/whois " . escapeshellarg($their_ip));
        $page = $_SERVER['PHP_SELF'];
        $headers = "From: [email protected]";
        // concatenate the body so no stray tabs or extra newlines end up in the mail
        $message = "IP Address: $their_ip\r\n"
            . "Date Attempted: $date\r\n"
            . "Page attacked: $page\r\n"
            . "Data Passed: $input\r\n"
            . "Who Is Info:\r\n\r\n"
            . "$whois\r\n";
        mail($to, $subject, $message, $headers);
        session_unset();
        session_destroy();
        header("Location: " . $input);
        exit();
    }
    // each strstr() call closes its own parenthesis; the original had
    // "INSERT INTO" || ... inside a single strstr() call, which never matched
    if (strstr($input, "SELECT *") || strstr($input, "INSERT INTO")
        || strstr($input, "DESCRIBE TABLE") || strstr($input, "OR 1")){
        $subject = "Hacking attempt on your website!";
        $to = "[email protected]";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y H:i:s");
        $whois = shell_exec("/usr/bin/whois " . escapeshellarg($their_ip));
        $page = $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'];
        $headers = "From: [email protected]";
        $message = "IP Address: $their_ip\r\n"
            . "Date Attempted: $date\r\n"
            . "Page attacked: $page\r\n"
            . "Data Passed: $input\r\n"
            . "Who Is Info:\r\n\r\n"
            . "$whois\r\n";
        mail($to, $subject, $message, $headers);
    }
}


If I'm missing anything (and I'm sure I am), let me know. And yes, I know that I left my e-mail addresses in there. I have those things plastered all over the web, so what's one more place.

https://forums.phpfreaks.com/topic/111122-need-some-input/

Question still stands, but I decided to post my full checker (still a work in progress) for anybody to use, or dissect.  If you know anything I can do to improve it, let me know.


<?php
/* cleanInput and checkForAttack. Usage:
   Add your db connection at the top of the page, then run it as such.

   Let's assume you have a form, and one of the text areas is named "subject".
   Also, let's assume you have a get element, named "page".

   <?php
   include ("functions.inc.php"); // page that has the functions
   $subject1 = cleanInput($_POST['subject']);
   $page = cleanInput($_GET['page'], true); // set to true if it's a $_GET variable
   // now your data has been cleaned up.

   Also, you can use it to clean up arrays:
   <?php
   $post_data = cleanInput($_POST);

   Now, instead of using the $_POST array, you use the $post_data array.
*/

function cleanInput($input, $is_get=false){
    if (is_array($input)){
        $new_array22 = array();
        // keep the keys so $post_data['subject'] still works; nested arrays
        // (e.g. checkbox groups) are cleaned recursively
        foreach ($input as $key => $value){
            if (is_array($value)){
                $new_array22[$key] = cleanInput($value, $is_get);
            } else {
                $value = checkForAttack($value, $is_get);
                $new_array22[$key] = mysql_real_escape_string($value);
            }
        }
        return $new_array22;
    }
    $input = checkForAttack($input, $is_get); // was "$$input", a variable-variable typo
    return mysql_real_escape_string($input);
}

function checkForAttack($input, $is_get=false){
    if ($is_get != false && strstr($input, "http")){
        $subject = "Hacking (GET) attempt on your website!";
        $to = "[email protected]";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y H:i:s"); // 'u' (microseconds) is always 000000 with date()
        // escapeshellarg() makes sure the address is never interpreted by the shell
        $whois = shell_exec("/usr/bin/whois " . escapeshellarg($their_ip));
        $page = $_SERVER['PHP_SELF'];
        $headers = "From: [email protected]";
        $message = "IP Address: $their_ip\r\n"
            . "Date Attempted: $date\r\n"
            . "Page attacked: $page\r\n"
            . "Data Passed: $input\r\n"
            . "Who Is Info:\r\n\r\n"
            . "$whois\r\n";
        mail($to, $subject, $message, $headers);
        session_unset();
        session_destroy();
        header("Location: " . $input);
        exit();
    }
    // each strstr() call closes its own parenthesis; the original had
    // "INSERT INTO" || ... inside a single strstr() call, which never matched
    if (strstr($input, "SELECT *") || strstr($input, "INSERT INTO")
        || strstr($input, "DESCRIBE TABLE") || strstr($input, "OR 1")){
        $subject = "Hacking attempt on your website!";
        $to = "[email protected]";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y H:i:s");
        $whois = shell_exec("/usr/bin/whois " . escapeshellarg($their_ip));
        $page = $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'];
        $headers = "From: [email protected]";
        $message = "IP Address: $their_ip\r\n"
            . "Date Attempted: $date\r\n"
            . "Page attacked: $page\r\n"
            . "Data Passed: $input\r\n"
            . "Who Is Info:\r\n\r\n"
            . "$whois\r\n";
        mail($to, $subject, $message, $headers);
    }
    // always hand the value back, otherwise cleanInput() receives null and
    // every clean value silently becomes an empty string
    return $input;
}

https://forums.phpfreaks.com/topic/111122-need-some-input/#findComment-570547

It won't let me modify the last post. Here's a better version of that script:

<?php
function cleanInput($input, $is_get=false){
    if (is_array($input)){
        $new_array22 = array();
        // keys are preserved; nested arrays (e.g. checkbox groups) are cleaned recursively
        foreach ($input as $key => $value){
            if (is_array($value)){
                $new_array22[$key] = cleanInput($value, $is_get);
            } else {
                $value = checkForAttack($value, $is_get);
                $new_array22[$key] = mysql_real_escape_string($value);
            }
        }
        return $new_array22;
    }
    $input = checkForAttack($input, $is_get); // was "$$input", a variable-variable typo
    return mysql_real_escape_string($input);
}

function checkForAttack($input, $is_get=false){
    if ($is_get != false && strstr($input, "http")){
        $subject = "Hacking (GET) attempt on your website!";
        $to = "[email protected]";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y H:i:s"); // 'u' (microseconds) is always 000000 with date()
        // escapeshellarg() makes sure the address is never interpreted by the shell
        $whois = shell_exec("/usr/bin/whois " . escapeshellarg($their_ip));
        $page = $_SERVER['PHP_SELF'];
        $headers = "From: [email protected]";
        $message = "IP Address: $their_ip\r\n"
            . "Date Attempted: $date\r\n"
            . "Page attacked: $page\r\n"
            . "Data Passed: $input\r\n"
            . "Who Is Info:\r\n\r\n"
            . "$whois\r\n";
        mail($to, $subject, $message, $headers);
        session_unset();
        session_destroy();
        header("Location: " . $input);
        exit();
    }
    // each strstr() call closes its own parenthesis; the original had
    // "INSERT INTO" || ... inside a single strstr() call, which never matched
    elseif (strstr($input, "SELECT *") || strstr($input, "INSERT INTO")
        || strstr($input, "DESCRIBE TABLE") || strstr($input, "OR 1")){
        $subject = "Hacking attempt on your website!";
        $to = "[email protected]";
        $their_ip = $_SERVER['REMOTE_ADDR'];
        $date = date("n/j/Y H:i:s");
        $whois = shell_exec("/usr/bin/whois " . escapeshellarg($their_ip));
        $page = $_SERVER['PHP_SELF'] . "?" . $_SERVER['QUERY_STRING'];
        $headers = "From: [email protected]";
        $message = "IP Address: $their_ip\r\n"
            . "Date Attempted: $date\r\n"
            . "Page attacked: $page\r\n"
            . "Data Passed: $input\r\n"
            . "Who Is Info:\r\n\r\n"
            . "$whois\r\n";
        mail($to, $subject, $message, $headers);
    }
    return $input;
}

Please, if you see something I can add to this to minimize the risk of an exploit by way of data being input, let me know.

https://forums.phpfreaks.com/topic/111122-need-some-input/#findComment-570569
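The same checks reworked the way a security engineer would suggest today, added here as an example that is not part of jonsjava's posts and covers both the first post's checkForAttack and the later cleanInput versions: the query is protected by a bound parameter instead of mysql_real_escape_string(), the GET branch tests for a real absolute URL instead of the substring "http", and the alert is a structured log line with no shell_exec(). It assumes a PDO connection `$pdo` and a `posts(subject)` table; all function names are illustrative.

```php
<?php
// Added example, not jonsjava's code: the page's checks reworked so the query
// is protected by a prepared statement, the GET check validates a real URL,
// and alerts are structured log lines. Names here are assumed for illustration.

// Case-insensitive version of the page's signature list. This is only a
// tripwire for alerting; it is not what keeps the query safe.
function looksSuspicious(string $value): ?string {
    foreach (['SELECT *', 'INSERT INTO', 'DESCRIBE TABLE', 'OR 1'] as $sig) {
        if (stripos($value, $sig) !== false) {
            return $sig;
        }
    }
    return null;
}

// True only for an absolute http(s) URL, which is the case the original
// redirect branch was trying to catch with strstr($input, "http").
function isExternalUrl(string $value): bool {
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// One JSON record per event, written to the web server's error log so the
// existing log pipeline can alert on it; whois belongs in analysis, not here.
function logAttempt(string $kind, string $value, string $ip, string $page): string {
    $record = json_encode([
        'ts'    => date(DATE_ATOM),
        'kind'  => $kind,
        'ip'    => $ip,
        'page'  => $page,
        'value' => substr($value, 0, 512), // cap attacker-controlled length
    ]);
    error_log($record);
    return $record;
}

// The value is bound as a parameter, so it is stored verbatim and the
// tripwire above can never affect correctness. $pdo is an assumed connection.
function storeSubject(PDO $pdo, string $subject, string $ip, string $page): void {
    if (($sig = looksSuspicious($subject)) !== null) {
        logAttempt('sql-signature:' . $sig, $subject, $ip, $page);
    }
    $stmt = $pdo->prepare('INSERT INTO posts (subject) VALUES (:subject)');
    $stmt->execute([':subject' => $subject]);
}
```

For the GET case, call isExternalUrl() on the parameter and log it with kind 'external-url' rather than redirecting to it: sending the browser to a URL the visitor supplied is an open redirect, which is useful to an attacker and tells the defender nothing the log line does not.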

Archived

This topic is now archived and is closed to further replies.
