magebash Posted July 10, 2008 Author Share Posted July 10, 2008 ya i set it up Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 still there but it says it affects index.php and / and support/admin/details.php Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 i was going to get rid of the /support folder anyways Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 ok lemme know when done Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 all done with the support folder Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 that fixes one exploit but you still got / and /index.php Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 hmm... how would i fix that? Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 whats your code for index.php? Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 It is <? if(isset($_POST['postsubmit'])) { function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08,\x0b-\x0c,\x0e-\x19])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <IMG SRC=@avascript:alert('XSS')> $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // @ @ search for the hex values $val = preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // @ @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(�{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[xX]0{0,8}([9ab])'; $pattern .= '|'; $pattern .= '|(�{0,8}([9|10|13])'; $pattern .= ')*'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; } $title=$_POST["title"]; $price=$_POST["price"]; $message=$_POST["message"]; $user=$_SESSION["username"]; $num=$_POST["category"]; $state=$_POST["state"]; $ip=@$REMOTE_ADDR; $title=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['title']))); $email=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['email']))); $price=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['price']))); if (!$_POST['title'] | !$_POST['message']) { die('You did not fill in a required field. <a href=javascript:history.back()>Re-try</a>'); } $rand2 = rand(1, 2000000000); $rand3 = rand(1, 2000000000); $state=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['state']))); $_POST[message]=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['message']))); $num=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['category']))); if($_SESSION[username]=="" && $email=="")die("Enter an email address."); function edit_words($STRING,$bannedwords) { foreach($bannedwords as $key => $v) { $STRING = eregi_replace($v,"<p>",$STRING); } return $STRING; } $words = array(' '); // call it like this $uneditedString = "$_POST[message]"; $mfinal=edit_words($uneditedString,$words); if($userfile_name!=""){ if ($userfile_size >400000){die("File too large. Try to reduce the size.");} if ($userfile_type=="image/jpeg"||$userfile_type=="image/gif" ||$userfile_type=="image/png") { } else { die("Invalid File Type Used."); } $userfile_name="$rand2+$userfile_name"; $add="upload/$userfile_name"; if(move_uploaded_file ($userfile, $add)){ }else{ echo "Failed to upload file. Please try again. If problem persists, contact administrator by logging in and using the Personal Message System.";} } if($userfile2_name!=""){ if ($userfile2_size >400000){die("File too large. Try to reduce the size.");} if ($userfile2_type=="image/jpeg"||$userfile2_type=="image/gif" ||$userfile2_type=="image/png") { } else { die("Invalid File Type Used."); } if($userfile2_name!=""){ $userfile2_name="$rand3+$userfile2_name"; } $add2="upload/$userfile2_name"; if(move_uploaded_file ($userfile2, $add2)){ }else{echo "Failed to upload file. Please try again. If problem persists, contact administrator by logging in and using the Personal Message System.";} } $result = mysql_query("SELECT * FROM upload"); $start = mysql_num_rows($result); $start2 = rand(1,200); $start3 = mysql_num_rows($result)+7; $rand=$start+1+$start2+$start3; $query = "INSERT INTO upload (title, email, price, city, state, message, ip, usersubmit, rand, category, filename, filename2, rand2, rand3) "."VALUES ('$title', '$email', '$price', '$county', '$state','$mfinal', '$ip', '$user', '$rand', '$num', '$userfile_name', '$userfile2_name', '$rand2', '$rand3')"; mysql_query($query); echo "<br><b>Posted! Location: <a href='download.php?r=$rand'>http://possal.100webspace.net/download.php?r=$rand</a><p>Quick Find Code<p>$rand</b><br>"; } ?> Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 i see one thing i left out at the end of code. It should be http://possal.freehostia.com/download.php?r=$rand instead of http://possal.100webspace.net/download.php?r=$rand Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 <?php $title=strip_tags(RemoveXSS(mysql_real_escape_string($_POST["title"]))); $price=strip_tags(RemoveXSS(mysql_real_escape_string($_POST["price"]))); $message=strip_tags(RemoveXSS(mysql_real_escape_string($_POST["message"]))); $user=$_SESSION["username"]; $num=strip_tags(RemoveXSS(mysql_real_escape_string($_POST["category"]))); $state=strip_tags(RemoveXSS(mysql_real_escape_string($_POST["state"]))); $ip=$REMOTE_ADDR; $title=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['title']))); $email=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['email']))); $price=strip_tags(RemoveXSS(mysql_real_escape_string($_POST['price']))); ?> Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 so get rid of the $title=$_POST[title] stuff? Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 no use that code i posted Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 k i changed it. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 still there try reading upload files on the PHP security guide http://php.robm.me.uk/#toc-HowcanIpreventXSSattacks Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 should i use the array they show for it? Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 i would Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 k ill try. Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 use the second example the first is just shown to show you the exploit Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 im still working on it... Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 k all done. Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 well i g2g. I'll try to PM you later today. Thanks for all your help. Link to comment Share on other sites More sharing options...
magebash Posted July 10, 2008 Author Share Posted July 10, 2008 but is that code working? Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 nope dont worry about it, its a minor exploit compared to cross site scripting(XSS) or SQL injection Link to comment Share on other sites More sharing options...
darkfreaks Posted July 10, 2008 Share Posted July 10, 2008 if you really want try this: http://www.zymic.com/tutorials/php/creating-a-file-upload-form-with-php/ Link to comment Share on other sites More sharing options...
Recommended Posts