
Please test my site for problems I have missed



OK, here is a test page:

http://www.ezyauctionz.co.nz/sanitizingtest.php

 

Have a crack at it, and see which "Version" works best against your attempts to exploit it.

 

The input field allows you to use filtered output, or raw post data. You can also turn off database access to see what happens to mysql_real_escape_string().


The test page is not using any tables, it does have a DB connection (to allow mysql_real_escape_string() to work).

 

The page is supposed to be stripping out and converting characters (if you view the page source it shows up a lot better), as you can see, it has different filters, which do slightly different things.

 

What strings are you using to test it ?

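A way to answer the "what strings are you using" question systematically, as an added example that is not part of the original posts: a small probe that feeds attribute-breakout payloads into a page which reflects the filtered value into the `value="..."` of the `check` field, parses the response the way a browser tokenises it, and reports whether the payload left the attribute. The two responses it tests against are constructed stand-ins for the page's "POST" (raw) and htmlspecialchars(ENT_QUOTES) behaviour so the script runs offline; the payload list is constructed too.

```python
"""Black-box probe for a page that reflects a filtered form field.

Added example (not the original poster's code). It assumes the target
behaves like the form described in the thread: whatever survives the chosen
filter is echoed into <input name="check" value="...">. The responses it
tests against are constructed here to stand in for the page's raw ("POST")
and htmlspecialchars()-style output, so the script runs with no network.
"""
import html
from html.parser import HTMLParser

# Starter payloads for an attribute-context reflection (constructed list).
PAYLOADS = [
    '"><script>alert(1)</script>',               # close the attribute, open a tag
    '" autofocus onfocus="alert(1)',             # stay inside the tag, add a handler
    '&#x22;&#x3e;<img src=x onerror=alert(1)>',  # entity-encoded quote: must NOT break out
    "O'Brien & <Sons>",                          # benign data that must survive intact
]


class _TagCollector(HTMLParser):
    """Collect every start tag and its attributes, as a browser would tokenise them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def assess(body, field="check"):
    """Return (reflected_value, broke_out) for a response body.

    broke_out is True when the reflected data produced a new element or an
    event-handler attribute on the field, i.e. it escaped the value attribute.
    reflected_value is the attribute as the browser sees it, entities decoded.
    """
    parser = _TagCollector()
    parser.feed(body)
    reflected, broke_out = None, False
    for tag, attrs in parser.tags:
        if tag in ("script", "img", "svg", "iframe", "object", "embed"):
            broke_out = True
        if tag == "input" and attrs.get("name") == field:
            reflected = attrs.get("value", "")
            if any(k.lower().startswith("on") for k in attrs):
                broke_out = True
    return reflected, broke_out


def fake_response(value, mode):
    """Constructed stand-in for the test page's form.

    mode 'post' reflects the value raw; mode 'escaped' applies
    htmlspecialchars(..., ENT_QUOTES)-style escaping, which
    html.escape(quote=True) reproduces for this purpose.
    """
    shown = value if mode == "post" else html.escape(value, quote=True)
    return (f'<form method="post"><input type="text" name="check" size="70" '
            f'value="{shown}"> Use filter:<select name="fieldfilter"></select>'
            f'<input type="submit" name="submit" value="test"></form>')


def run_matrix(payloads=PAYLOADS, modes=("post", "escaped")):
    """Map (mode, payload) -> (reflected_value, broke_out) for every combination."""
    return {(m, p): assess(fake_response(p, m)) for m in modes for p in payloads}


if __name__ == "__main__":
    for (mode, payload), (reflected, broke) in run_matrix().items():
        print(f"{mode:8} {'BREAK' if broke else 'ok':6} {payload!r} -> {reflected!r}")
```

To run it against the live page, POST the form fields the thread's form uses (`check`, `fieldfilter`, `allowdb`) with urllib for each payload and pass each response body to `assess()` instead of `fake_response()`. The third payload is there to show that an entity-encoded quote does not close a quoted attribute: the browser decodes entities after it has tokenised the tag, so that class of payload only matters when the reflected value lands in a URL or script context rather than a plain attribute.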

Here is the full code for the test page, it is a bit messy, but at least you can see what each filter is doing:

<?php
// turn on output buffering, to speed up php processing
//ob_start();
ini_set('zlib.output_compression_level', 3);
ob_start("ob_gzhandler");

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter("nocache");

session_start();


if (isset($_POST['allowdb']) && $_POST['allowdb'] == "selected"){
echo"(DB accessed)<br><br>";

////////////
// BEGIN CODE make the connection to the no.1 database
// $srvr, $sqluser, $sqlpass and $sqldb are defined elsewhere (not shown in this post)
$sqlcon = @mysql_connect($srvr, $sqluser, $sqlpass) or die("Unable to connect to database server, please try again.");
$sqldb2 = @mysql_select_db($sqldb,$sqlcon) or die("Unable to access database, please try again.");
// END CODE
////////////
}
?>

<html>
<head>
<TITLE>test</TITLE>
</head>
<BODY>

<?php
// added this to separate each filter type to prevent clashes
$t1 = $t2 = $t3 = $t4 = $t5 = $t6 = array(); // so the filters below have arrays on first load too
foreach($_POST as $key => $value){
$t1[$key] = $value;
$t2[$key] = $value;
$t3[$key] = $value;
$t4[$key] = $value;
$t5[$key] = $value;
$t6[$key] = $value;
}


echo "Version 1:";
function stripslashes_deep($value){
if(is_array($value)){
	$value=array_map('stripslashes_deep',$value);
}
else{	
	$value = stripslashes($value);

	// decode any converted characters, to prevent things such as &amp; from happening !
	$value = htmlspecialchars_decode($value);
}	
return $value;
}

$t1=array_map('stripslashes_deep',$t1);
//$_GET=array_map('stripslashes_deep',$_GET);
//$_COOKIE=array_map('stripslashes_deep',$_COOKIE);
//$_REQUEST=array_map('stripslashes_deep',$_REQUEST);

function clean_post_var($var){
if(is_array($var)){
	return array_map('clean_post_var',$var);
}

// same handling whether or not magic_quotes_gpc is on
$var=mysql_real_escape_string(trim(strip_tags($var)));
$var=htmlspecialchars($var,ENT_QUOTES);

return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
}

$t1=array_map('clean_post_var',$t1);
//$_GET=array_map('clean_post_var',$_GET);
//$_COOKIE=array_map('clean_post_var',$_COOKIE);
//$_REQUEST=array_map('clean_post_var',$_REQUEST);

echo "$t1[check] <br><br>\n";


///////////////////////////////
echo "Version 2: ";
function stripslashes_deep2($value){
if(is_array($value)){
	$value=array_map('stripslashes_deep2',$value);
}
else{
	$value = stripslashes($value);

	// decode any converted characters, to prevent things such as &amp; from happening !
	$value = htmlspecialchars_decode($value);
}

return $value;
}

$t2=array_map('stripslashes_deep2',$t2);
//$_GET=array_map('stripslashes_deep2',$_GET);
//$_COOKIE=array_map('stripslashes_deep2',$_COOKIE);
//$_REQUEST=array_map('stripslashes_deep2',$_REQUEST);

function clean_post_var2($var){
if(is_array($var)){
	return array_map('clean_post_var2',$var);
}	

if (!mysql_real_escape_string($var)){ // returns FALSE when there is no DB connection (an empty string also fails this test)
	$var = addslashes($var); // fall back to addslashes() when mysql_real_escape_string() is not usable
}
else{ // mysql_real_escape_string available
	$var = mysql_real_escape_string($var);
}

$var=htmlspecialchars($var,ENT_QUOTES);
return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
}

$t2=array_map('clean_post_var2',$t2);
//$_GET=array_map('clean_post_var2',$_GET);
//$_COOKIE=array_map('clean_post_var2',$_COOKIE);
//$_REQUEST=array_map('clean_post_var2',$_REQUEST);

echo "$t2[check] <br><br>\n";
///////////////////////////////////////



// test 3
//********** loops all $_POST variables and cleans them automatically *************///

//clean XSS/SQL injection
function clean($var){
// decode any converted characters, to prevent things such as &amp; from happening !
$var = htmlspecialchars_decode($var);

$var = trim(strip_tags($var)); // remove extra spaces, and strip tags

if(!get_magic_quotes_gpc()){ // check if get_magic_quotes_gpc is on, if not add slashes, (if on it is already slashed)
	$var = addslashes($var);
}

if (!mysql_real_escape_string($var)){ // check if mysql_real_escape_string is available
	// returns FALSE if not possible
}
else{ // mysql_real_escape_string available
	$var = stripslashes($var); // strip slashes before doing mysql_real_escape_string
	$var = mysql_real_escape_string($var);
}
$var = htmlspecialchars($var,ENT_QUOTES);
return $var;
}

$t3checkresult = clean($t3['check']); // temporary for testing

echo "Version 3 clean(): $t3checkresult <br><br>\n";



// test 4
//-----------------------------------------------------ANTI-XSSFUNCTION------------------------------
function RemXSS($val){
$val = strip_tags($val);
//remove all non-printable characters. TAB(09), LF(0a) and CR(0d) are allowed
//this prevents some character re-spacing such as <java\0script>
//note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$val=preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/','',$val);

//straight replacements, the user should never need these since they're normal characters
//this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
$search='abcdefghijklmnopqrstuvwxyz';
$search.='ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$search.='1234567890!@#$%^&*()';
$search.='~`";:?+/={}[]-_|\'\\';
for($i=0;$i<strlen($search);$i++){
	//;? matches the ; which is optional
	//0{0,8} matches any padded zeros, which are optional and go up to 8 chars

	//&#x0040 search for the hex values
	$val=preg_replace('/(&#[xX]0{0,8}'.dechex(ord($search[$i])).';?)/i',$search[$i],$val);//with a ;
	//&#00064 0{0,8} matches '0' zero to eight times
	$val=preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/',$search[$i],$val);//with a ;
}

//now the only remaining whitespace attacks are \t,\n, and \r
$ra1=Array('javascript','vbscript','expression','applet','meta','xml','blink','link','style','script','embed','object','iframe','frame','frameset','ilayer','layer','bgsound','title','base');
$ra2=Array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate','onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange','onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick','ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate','onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete','onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel','onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart','onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop','onsubmit','onunload');
$ra=array_merge($ra1,$ra2);

$found=true;//keep replacing as long as the previous round replaced something
while($found==true){
	$val_before=$val;
	for($i=0;$i<sizeof($ra);$i++){
		$pattern='/';
		for($j=0;$j<strlen($ra[$i]);$j++){
			if($j>0){
				$pattern.='(';
				$pattern.='(&#[xX]0{0,8}([9ab]);)';
				$pattern.='|';
				$pattern.='|(&#0{0,8}([9|10|13]);)';
				$pattern.=')*';
			}
			$pattern.=$ra[$i][$j];
		}
		$pattern.='/i';
		$replacement=substr($ra[$i],0,2).'<x>'.substr($ra[$i],2);//add in <> to nerf the tag
		$val=preg_replace($pattern,$replacement,$val);//filter out the hex tags
		if($val_before==$val){
			//no replacements were made,so exit the loop
			$found=false;
		}
	}
}
return $val;
}

$t4checkresult = RemXSS($t4['check']); // temporary for testing
echo "Version 4 remXSS(): $t4checkresult <br><br>\n";



$var = preg_replace('/[\x00-\x08\x0b\x0c\x0e-\x1f]/','',$t5['check']); // drop control characters, keep TAB, LF and CR
// decode any converted characters, to prevent things such as &amp; from happening !
$var = htmlspecialchars_decode($var);
$t5checkresult = preg_replace('/[^a-zA-Z0-9\.\s@\-&]/','',$var);
echo "Version 5 preg_replace(): $t5checkresult <br><br>\n";




// this is called to remove arrays from user inputs, when there should not be any arrays (hack attempts)
function dropInputArrays($var){
if (is_array($var)){ // if input is an array, then empty it.
	$var = "";
}
return $var;
}

$t6checkresult = dropInputArrays($_POST['check']);
echo "Version 6 drop arrays: $t6checkresult <br><br>\n";


// field input auto refill options
$fieldfilter = isset($_POST['fieldfilter']) ? $_POST['fieldfilter'] : "";
if ($fieldfilter == "1"){
$selected1 = "selected";
$checkvalue = $t1['check'];
}
if ($fieldfilter == "2"){
$selected2 = "selected";
$checkvalue = $t2['check'];
}
if ($fieldfilter == "3"){
$selected3 = "selected";
$checkvalue = $t3checkresult;
}
if ($fieldfilter == "4"){
$selected4 = "selected";
$checkvalue = $t4checkresult;
}
if ($fieldfilter == "5"){
$selected5 = "selected";
$checkvalue = $t5checkresult;
}
if ($fieldfilter == "6"){
$selected6 = "selected";
$checkvalue = $t6checkresult;
}
if ($fieldfilter == "post"){
$selectedpost = "selected";
$checkvalue = $_POST['check'];
}


//$checkvalue=htmlspecialchars($checkvalue,ENT_QUOTES);
$checkvalue=str_replace("\\","",$checkvalue);
$_POST['check2']=str_replace("\\","",isset($_POST['check2']) ? $_POST['check2'] : "");

?>


<FORM METHOD="POST" ACTION="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<P>

Input string to test<br><br>
<INPUT TYPE="text" NAME="check" SIZE=70 VALUE="<?php echo($checkvalue); ?>"> Use filter:<SELECT name="fieldfilter" id="fieldfilter"><option value="1" <?php echo ($selected1); ?>>1</option><option value="2" <?php echo ($selected2); ?>>2</option><option value="3" <?php echo ($selected3); ?>>3</option><option value="4" <?php echo ($selected4); ?>>4</option><option value="5" <?php echo ($selected5); ?>>5</option><option value="6" <?php echo ($selected6); ?>>6</option><option value="post" <?php echo ($selectedpost); ?>>POST</option></select><br>
<INPUT TYPE="text" NAME="check2" SIZE=70 VALUE="<?php echo($_POST['check2']); ?>"> (raw unfiltered post output, slashes stripped only)<br>
Allow DB connection <SELECT name="allowdb" id="allowdb"><option value="selected">Yes</option><option value="">No</option><option value="selected" <?php echo ($_POST['allowdb']); ?>>Last Choice (<?php echo ($_POST['allowdb']); ?>)</option></select>
<BR>
<BR>


<INPUT TYPE="submit" NAME="submit" VALUE="test" style="font-family: Tahoma">
</P>
</FORM>

</body>
</html>

 

I also added htmlspecialchars_decode() early on, to prevent things like &amp; from happening.

 

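The `&amp;` problem mentioned above is a symptom of escaping once, at input time, for two different contexts. The following added example (not the poster's code) models the core of the Version 1/2 chain, mysql_real_escape_string() followed by htmlspecialchars(ENT_QUOTES), with small Python stand-ins for those two PHP functions, shows what the stacked output looks like and what a second display-time escape does to it, and contrasts that with keeping the raw value, binding it as a query parameter, and escaping only at output for the HTML attribute. The user table, names and payloads are constructed for the demonstration; the stand-ins assume a single-byte charset.

```python
"""Input-time escape stacking versus contextual output encoding.

Added example, not the poster's code. mysql_real_escape_string() and
htmlspecialchars(..., ENT_QUOTES) are modelled with small Python stand-ins
so the effect of stacking them can be seen offline; the user table, names
and payloads below are constructed for the demonstration.
"""
import html
import sqlite3

# Characters MySQL string literals treat specially, escaped the way
# mysql_real_escape_string() does (single-byte charset assumed).
_MYSQL_ESC = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
              "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_real_escape_string(s):
    """Stand-in for PHP's mysql_real_escape_string()."""
    return "".join(_MYSQL_ESC.get(c, c) for c in s)


def htmlspecialchars(s):
    """Stand-in for PHP's htmlspecialchars($s, ENT_QUOTES): ' becomes &#039;."""
    return html.escape(s, quote=True).replace("&#x27;", "&#039;")


def stacked_input_filter(raw):
    """The thread's approach: escape for SQL and then for HTML, once, at input.

    The result fits neither context: the backslash is data to HTML and the
    entities are data to SQL, and escaping it again at display time produces
    the &amp;#039; / &amp;amp; the thread complains about.
    """
    return htmlspecialchars(mysql_real_escape_string(raw.strip()))


class UserStore:
    """Contextual approach: keep the raw value, let the driver bind parameters."""

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")

    def add(self, name):
        self.con.execute("INSERT INTO users (name) VALUES (?)", (name,))

    def count_named(self, name):
        """Parameterised lookup: the value is compared as data, never parsed as SQL."""
        row = self.con.execute("SELECT COUNT(*) FROM users WHERE name = ?", (name,)).fetchone()
        return row[0]

    def unsafe_count_named(self, name):
        """The mistake the filters try to paper over: building the query as a string."""
        row = self.con.execute(f"SELECT COUNT(*) FROM users WHERE name = '{name}'").fetchone()
        return row[0]

    def names(self):
        return [r[0] for r in self.con.execute("SELECT name FROM users ORDER BY id")]


def render_attr(name):
    """Escape for exactly one context, the HTML attribute, at output time."""
    return f'value="{html.escape(name, quote=True)}"'


if __name__ == "__main__":
    sample = "O'Brien & <Sons>"
    print("stacked at input:   ", stacked_input_filter(sample))
    print("stacked, shown again:", htmlspecialchars(stacked_input_filter(sample)))
    store = UserStore()
    for n in ("alice", sample, "' OR '1'='1"):
        store.add(n)
    print("stored as typed:     ", store.names())
    print("bound lookup:        ", store.count_named("' OR '1'='1"))
    print("string-built lookup: ", store.unsafe_count_named("' OR '1'='1"))
    print("attribute at output: ", render_attr(sample))
```

The bound lookup for `' OR '1'='1` matches only the one row whose name literally is that string, while the string-built query matches every row; that is the difference the filters in the thread are trying to approximate with escaping, and it is the query construction, not the input filter, that decides it. The stored names come back exactly as typed, so a search or a second display does not see `&#039;` or a stray backslash, and `render_attr()` is the only place HTML escaping happens.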

Get rid of the following, they do not work: array_map, array_walk, array_walk_recursive.

 

 

Just do what I said before and call the functions instead of trying to loop everything :-\

 

Also, please quit modifying my code, it's annoying!!! It works, I have tested it, there are ZERO holes in it.

