
Please test my site for problems I have missed



Hi All,

Can you please test out my site for any issues I may have missed? It is a working site, so please do NOT do anything that may damage it.

 

If anything is found, then please send me the details in a private message to keep it out of the public eye until I fix it. Once I fix the issue, it can then be posted here for other people to learn from.

 

http://www.ezyauctionz.co.nz

 

As per rules, link to my profile is here: http://www.ezyauctionz.co.nz/phpfreaks.html

 

Also, if you happen to know the solution to correct any issues found, please tell me too, in case I do not know how to resolve it.


Failures: 85

Warnings: 0

Passes: 204595

SQL Injection String Test Results

Fields tested, one at a time: loginusername, loginpassword, loginpasswordtext, saveoptions, submit

Submitted Form State (the remaining fields while each one was under test):

    * loginusername: ++

    * loginpassword: ++

    * loginpasswordtext: ++

    * saveoptions: ++autologin

    * submit: ++ Login

Results (the same 17 values were flagged for every one of the five fields, and each one returned Server Status Code: 302 Moved Temporarily):

Tested value: &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49

Tested value: 1' OR '1'='1

Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE

Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Tested value: ' OR username IS NOT NULL OR username = '

Tested value: 1' AND non_existant_table = '1

Tested value: 1'1

Tested value: '; DESC users; --

Tested value: 1 AND USER_NAME() = 'dbo'

Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --

Tested value: 1 AND 1=1

Tested value: 1 EXEC XP_

Tested value: 1'1

Tested value: 1' OR '1'='1

Tested value: 1 OR 1=1

The loginusername, loginpassword, loginpasswordtext and saveoptions fields each passed 14603 tests. To see all the passed results, go to Tools->SQL Inject Me->Options and click 'Show passed results in final report' and rerun this test.


It may be OK, as the login processing script does redirect to a second login page if login fails, as it would when it does not find a correct match; that seems to correspond with the report it generates.

 

Please test whatever you can think of; I want to be sure (as much as is possible) that things are OK sitewide.
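An added example, not code from the thread: a small PHP summariser for the report format pasted above, which tallies the status codes per field so the flagged values can be triaged. In the thread's report every flagged value got the same 302 redirect the login script sends for any failed login, so the tool recorded no payload-specific difference; a uniform result is a reason to check what the tool counted as a failure, not proof that the form is safe. The report excerpt in the code is constructed (the second field is invented to show the non-uniform branch).

```php
<?php
// Added example (not from the thread): tally a pasted "SQL Inject Me" report
// per field so the flagged values can be triaged. A single status code across
// all payloads means the tool keyed on that response (here the 302 redirect on
// failed login) rather than on any payload-specific behaviour.

function summarise_report(string $report): array {
    $summary = [];
    $field = null;
    foreach (preg_split('/\R/', $report) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // In this report format a field heading is a bare lowercase word on its own line.
        if (preg_match('/^[a-z]+$/', $line)) {
            $field = $line;
            $summary[$field] = ['codes' => [], 'values' => 0];
        } elseif ($field !== null && preg_match('/^Server Status Code:\s*(\d{3})/', $line, $m)) {
            $summary[$field]['codes'][$m[1]] = ($summary[$field]['codes'][$m[1]] ?? 0) + 1;
        } elseif ($field !== null && strpos($line, 'Tested value:') === 0) {
            $summary[$field]['values']++;
        }
    }
    return $summary;
}

// True when every flagged value for a field produced the same status code.
function uniform_response(array $fieldSummary): bool {
    return count($fieldSummary['codes']) === 1;
}

// Constructed excerpt in the report's format: the first field mirrors the thread
// (all 302), the second is invented to exercise the non-uniform branch.
$sample = <<<TXT
loginusername
Results:
Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1
Server Status Code: 302 Moved Temporarily
Tested value: 1 AND 1=1
Server Status Code: 302 Moved Temporarily
Tested value: 1 OR 1=1
loginpassword
Results:
Server Status Code: 302 Moved Temporarily
Tested value: 1 AND 1=1
Server Status Code: 200 OK
Tested value: 1 OR 1=1
TXT;

foreach (summarise_report($sample) as $name => $s) {
    printf("%-16s %d flagged values, status codes %s: %s\n", $name, $s['values'],
        json_encode($s['codes']),
        uniform_response($s) ? 'uniform, tool keyed on the redirect' : 'differs by payload, investigate');
}
```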


with strip_tags(), then htmlspecialchars(), also nl2br() on certain fields, and int() for variables that are only going to be numbers.

 

I will add trim(); I think it will be a good thing to ensure empty strings are not used.

 

I tried mysql_real_escape_string() but it gave me errors for some reason; it may be because it was before the script opened a connection.


When I tested it, it was when trying to resolve the XSS exploit in the chatroom (from the old thread that was started by the guy trying to hack my site). I just inserted mysql_real_escape_string into another page and it seemed to be OK, so I will look into adding that instead of htmlspecialchars.

 

I will look into this further first, in case I can get it working OK (looks like I might), so for now please keep looking for any other problems.


Recently I was trying to use this code to replace my original code, which lists EACH variable passed for GET and POST, only I could not get it to work the way I wanted for some reason. It will work, but not when using array_walk_recursive():

if(get_magic_quotes_gpc()){
	//clean XSS/SQL injection
	function clean($var){
		$var = mysql_real_escape_string(trim(strip_tags($var)));
		$var = htmlspecialchars($var,ENT_QUOTES);
		return $var;
	}

	// array_walk_recursive() hands each value to clean() by copy and discards the
	// return value, so these two calls leave the arrays unchanged
	//array_walk_recursive($_GET,'clean'); // wouldn't work
	//array_walk_recursive($_POST,'clean'); // wouldn't work
	$_POST['input'] = clean($_POST['input']); // temporary for testing - works (the key must be quoted)
}

 

But array_walk_recursive was not actually working on the POST and GET arrays; calling clean() for each variable does work though.


I have modified the original version to make it a bit safer (not as tidy, mind). Now it checks mysql_real_escape_string to see if it is available before it tries to use it (it requires a db connection to be present first); also it always falls back, instead of doing nothing if get_magic_quotes_gpc is turned off.

 

function clean($var){
	$var = trim(strip_tags($var)); // remove extra spaces, and strip tags

	if(!get_magic_quotes_gpc()){ // if magic quotes are off add slashes (if on, the value is already slashed)
		$var = addslashes($var);
	}

	// mysql_real_escape_string() needs an open connection; without one it returns FALSE
	// (and raises a warning, suppressed here). Test the result strictly: a truthiness
	// check would also reject legitimate values such as "" or "0"
	$escaped = @mysql_real_escape_string(stripslashes($var)); // strip slashes before escaping
	if ($escaped !== false){ // mysql_real_escape_string available
		$var = $escaped;
	} // otherwise keep the addslashes()/magic-quotes version
	$var = htmlspecialchars($var,ENT_QUOTES);
	return $var;
}

// array_walk_recursive() needs a callback that takes its value by reference; clean()
// returns its result instead, so these calls would not change the arrays
//array_walk_recursive($_GET,'clean'); // all GET items
//array_walk_recursive($_POST,'clean'); // all POST items
$_POST['item'] = clean($_POST['item']); // single item

 

 


That leaks injection majorly. Try:

 

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
if (get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);
        return $var; //PHP 4 Version
        // PHP5 Version: use this return in place of the one above (a second return would be unreachable)
        //return filter_var($var,FILTER_SANITIZE_STRING);
    }

    $_POST = array_map('clean_post_var', $_POST);
    $_GET = array_map('clean_post_var', $_GET);
    $_COOKIE = array_map('clean_post_var', $_COOKIE);
    $_REQUEST = array_map('clean_post_var', $_REQUEST);
}
?>

 

Note: also be sure to call stripslashes_deep() & clean_post_var() on all variables just in case array_map, array_walk or array_walk_recursive fail. Worked for me ;)


Thanks for the code, I will have to study it to work out how it works.

 

One point though: if get_magic_quotes_gpc is not turned on, then none of the code will run, which is the reason I modified the original. This is especially important for future compatibility, as get_magic_quotes_gpc is turned off by default in php5 and removed from php6.

 

I am trying to use code that will not require me to revisit it later to rewrite it when functions are known to be deprecated in later versions of php.


Unfortunately PHP functions get deprecated whether or not we want them to; as a good coder you have to keep up with PHP software updates, learn new functions and how to apply them. ;)

 

 

Also I am modifying the code to work if get_magic_quotes_gpc() is off ;)

 

Using it in PHP5 with magic quotes gpc off or on:

<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
} elseif(!get_magic_quotes_gpc()){
    function stripslashes_deep($value)
    {
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :
                    stripslashes($value);

        return $value;
    }

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}
if (get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }

    $_POST = array_map('clean_post_var', $_POST);
    $_GET = array_map('clean_post_var', $_GET);
    $_COOKIE = array_map('clean_post_var', $_COOKIE);
    $_REQUEST = array_map('clean_post_var', $_REQUEST);
} elseif(!get_magic_quotes_gpc()){
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }

    $_POST = array_map('clean_post_var', $_POST);
    $_GET = array_map('clean_post_var', $_GET);
    $_COOKIE = array_map('clean_post_var', $_COOKIE);
    $_REQUEST = array_map('clean_post_var', $_REQUEST);
}
?>

 

Note: also be sure to call stripslashes_deep() & clean_post_var() on all variables just in case array_map, array_walk or array_walk_recursive fail. Worked for me ;)

 


I think you could reduce some repetitions in your new code, like so:

 

<?php

function stripslashes_deep($value){
    $value = is_array($value) ?
        array_map('stripslashes_deep', $value) :
        stripslashes($value);

    return $value;
}

$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);

if (get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
} elseif(!get_magic_quotes_gpc()){
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
}

$_POST = array_map('clean_post_var', $_POST);
$_GET = array_map('clean_post_var', $_GET);
$_COOKIE = array_map('clean_post_var', $_COOKIE);
$_REQUEST = array_map('clean_post_var', $_REQUEST);

?>

 


Or maybe even this way:

<?php

function stripslashes_deep($value){
    $value = is_array($value) ?
        array_map('stripslashes_deep', $value) :
        stripslashes($value);

    return $value;
}

$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);

function clean_post_var($var){
    if (get_magic_quotes_gpc()) {
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
    elseif(!get_magic_quotes_gpc()){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
}

$_POST = array_map('clean_post_var', $_POST);
$_GET = array_map('clean_post_var', $_GET);
$_COOKIE = array_map('clean_post_var', $_COOKIE);
$_REQUEST = array_map('clean_post_var', $_REQUEST);

?>

 

 


I think this may be slightly better, as it will check for nested arrays:

<?php

function stripslashes_deep($value){
    $value = is_array($value) ?
        array_map('stripslashes_deep', $value) :
        stripslashes($value);

    return $value;
}

$_POST = array_map('stripslashes_deep', $_POST);
$_GET = array_map('stripslashes_deep', $_GET);
$_COOKIE = array_map('stripslashes_deep', $_COOKIE);
$_REQUEST = array_map('stripslashes_deep', $_REQUEST);

function clean_post_var($var){
    if (is_array($var)){
        // recurse into nested arrays and return the cleaned array here;
        // falling through would pass an array to strip_tags()
        return array_map('clean_post_var', $var);
    }

    if (get_magic_quotes_gpc()) {
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
    elseif(!get_magic_quotes_gpc()){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);

        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
}

$_POST = array_map('clean_post_var', $_POST);
$_GET = array_map('clean_post_var', $_GET);
$_COOKIE = array_map('clean_post_var', $_COOKIE);
$_REQUEST = array_map('clean_post_var', $_REQUEST);

?>
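An added example, not code from the thread, covering two points raised above: why array_walk_recursive() with a by-value clean() (the earlier post) leaves the array untouched, and how the recursive array_map() form of this last post must return the mapped array for nested input. The sample array standing in for $_POST is constructed; database escaping is left out here because it belongs at query time, with the connection open, rather than on input.

```php
<?php
// Added example (not from the thread): the traversal mechanics behind the
// thread's sanitiser, run on a constructed nested array.

// By-value callback, as in the thread's clean(): receives a copy, and
// array_walk_recursive() discards the return value, so nothing changes.
function clean_by_value($var) {
    return htmlspecialchars(trim(strip_tags($var)), ENT_QUOTES, 'UTF-8');
}

// By-reference callback: array_walk_recursive() passes each leaf as $value,
// so assigning to &$value rewrites the original array in place.
function clean_by_ref(&$value, $key) {
    $value = htmlspecialchars(trim(strip_tags($value)), ENT_QUOTES, 'UTF-8');
}

// Recursive array_map() variant (the last post's approach): arrays must be
// RETURNED after mapping, otherwise strip_tags() would receive an array.
function clean_deep($var) {
    if (is_array($var)) {
        return array_map('clean_deep', $var);
    }
    return htmlspecialchars(trim(strip_tags($var)), ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST, including a nested array.
$input = [
    'title'   => '  <b>Vintage radio</b> ',
    'comment' => "O'Reilly <script>alert(1)</script>",
    'options' => ['colour' => 'red & "blue"', 'tags' => ['<i>old</i>', ' rare ']],
];

$a = $input;
array_walk_recursive($a, 'clean_by_value');
var_dump($a === $input);             // bool(true): the by-value walk changed nothing

$b = $input;
array_walk_recursive($b, 'clean_by_ref');
$c = clean_deep($input);
var_dump($b === $c);                 // bool(true): both traversals agree
echo $b['comment'], "\n";            // O&#039;Reilly alert(1)
echo $b['options']['colour'], "\n";  // red &amp; &quot;blue&quot;
echo $b['options']['tags'][0], "\n"; // old
```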

 

 

