R4nk3d Posted April 18, 2009

Hey guys, I just reached the 70% mark for my website for a gameserver. I would like you guys to just test it out. I want to make sure everything sorts out alright, everything shows correctly, and all of the commands work, not just for me, but for everyone else. I'll possibly be releasing this script so I'd like it to work as well as it can.

Now the site is www.lvroleplay.com. The front page is [supposed to be] showing the 5 latest announcement posts from my forums (at the time there is only 1). The links are on the side. Please, if you are not going to register, or you want to use the admin panel that I've built, please use the login credentials: user - test, pass - test to login as an administrator.

Attempt to hack the site, do whatever you'd like to it. I have it backed up on my computer, so whatever breaks, I can replace it. I hope you enjoy. Please report any bugs.

The RCON page is for the GTA server that I run. The Rcon password is 123. You will be asked that when you open the rcon page. Happy testing.

P.S. For the time being, I am running this on a business server that is hosted in my home. I turn this server off at night, so here are the hours the site will be accessible: Weekends: Noon-12:30PM/2:30AM. Weekdays: 6:30AM-11:30PM. Thanks for understanding.

Coreye Posted April 18, 2009

Nevermind.

R4nk3d Posted April 18, 2009

Server is up right now and will be for the next 12 hours or so I'd say. Sorry for this dilemma. I'm taking it into my work after I get it all configured.

darkfreaks Posted April 18, 2009

You have injection. Try using something like

```php
<?php
function clean($text)
{
    $text = trim(mysql_real_escape_string(strip_tags($text)));
    return $text;
}

$variable = clean($_POST['variable']);
?>
```

on register.php and login.php

R4nk3d Posted April 18, 2009

^ Fixed. I had it on the username for the login, but nothing else.

darkfreaks Posted April 18, 2009

Neither the login nor register is fixed. Can we see code???

Coreye Posted April 18, 2009

Cross Site Scripting (XSS): You can submit ">code when editing your profile and it will execute on the edit profile page and the user list.

R4nk3d Posted April 19, 2009

Ok, now it's fixed. I only did it for the username and password, forgot the email. Now I tested it again, it's straight.

darkfreaks Posted April 19, 2009

Guess I have to wait till the morning to test???

R4nk3d Posted April 19, 2009

> Guess I have to wait till the morning to test???

Up again, sorry, =/ went to a party last night and slept in through an hour of work lol

darkfreaks Posted April 19, 2009

Once AGAIN the problem still exists. Can you show me the code you use to get rid of the injection???

R4nk3d Posted April 19, 2009

How does that code still exist? There's nothing wrong with it.

darkfreaks Posted April 19, 2009

Before you go any further, please read the rule thread so we know you own the code and not just somebody trying to exploit the site. Thanks.

R4nk3d Posted April 19, 2009

I can assure you that I own the site. The bottom of the webpage will now say: This site is owned by R4nk3d. But here is the code anyways for the register:

```php
<?php
require_once("./sources/config.inc.php");
include("sources/template_start.php");
?>
        <td width="625" class="contents"><?php
        $user = clean($_POST["user"]);
        $pass = md5(clean($_POST["pass"]));
        $email = clean($_POST["email"]);
        $result = mysql_query("SELECT * FROM `users` WHERE username='".$user."'",$connection);
        if(mysql_num_rows($result) != 0)
        {
            ob_start();
            header("Location: register.php?error=1");
            ob_end_flush();
        }
        else
        {
            $sql = "INSERT INTO users (username,password,email) VALUES ('$user','$pass','$email')";
            $result = mysql_query($sql,$connection);
            if($result)
            {
                echo("<h1>Successful Registration</h1> You have successfully registered ".clean($user).". Welcome to Las Venturas.");
                $_SESSION["Username"] = $user;
                $_SESSION["LoggedIn"] = 1;
                $_SESSION["AdminLevel"] = 0;
            }
            else echo("<h1>Oops... Error!</h1> There was a server error. Please try again.");
        }
        ?>
        </td>
    </tr>
</table>
</div>
<?php echo footer; ?>
</body>
</html>
```

This is the action page.

darkfreaks Posted April 19, 2009

Try:

```php
<?php
require_once("./sources/config.inc.php");
include("sources/template_start.php");
?>
        <td width="625" class="contents"><?php
        $user = clean($_POST["user"]);
        $pass = md5(clean($_POST["pass"]));
        $email = clean($_POST["email"]);
        $result = mysql_query("SELECT * FROM `users` WHERE username='".$user."'",$connection);
        if(mysql_num_rows($result) != 0)
        {
            ob_start();
            header("Location: register.php?error=1");
            ob_end_flush();
        }
        else
        {
            $sql = "INSERT INTO users (username,password,email) VALUES ('$user','$pass','$email')";
            $result = mysql_query($sql,$connection);
            if($result)
            {
                echo("<h1>Successful Registration</h1> You have successfully registered '".htmlentities($user)."'. Welcome to Las Venturas.");
                $_SESSION["Username"] = clean($user);
                $_SESSION["LoggedIn"] = 1;
                $_SESSION["AdminLevel"] = 0;
            }
            else echo("<h1>Oops... Error!</h1> There was a server error. Please try again.");
        }
        ?>
        </td>
    </tr>
</table>
</div>
<?php echo footer; ?>
</body>
</html>
```

R4nk3d Posted April 19, 2009

That doesn't change a thing, I'm already trimming and formatting the $_POST["user"] so if u write clean($user) it's just cleaning it again.

darkfreaks Posted April 19, 2009

I always clean all my variables, especially if I pass post data to sessions, regardless if it has been cleaned or not.

R4nk3d Posted April 19, 2009

Ok, well either way, I do not see it being able to change the things. I think it's ok now and can't get any XSS in there.

darkfreaks Posted April 19, 2009

Cross Site Scripting (XSS): none
MySQL injection: 40

R4nk3d Posted April 19, 2009

Lol, try and edit it once more. But this is my clean function so idk why it won't escape the string:

```php
function clean($text)
{
    $ntext = trim(mysql_real_escape_string(strip_tags($text)));
    return $ntext;
}
```

darkfreaks Posted April 19, 2009

Editing:

```php
<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    // combining stripslashes into $_POST, $_GET, $_REQUEST, $_COOKIE
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
    $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
}

if (get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);
        return htmlspecialchars($var); //PHP 4 Version
        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
    // combining clean function into $_POST, $_GET, $_REQUEST, $_COOKIE
    $_POST = array_map('clean_post_var', $_POST);
    $_GET = array_map('clean_post_var', $_GET);
    $_COOKIE = array_map('clean_post_var', $_COOKIE);
    $_REQUEST = array_map('clean_post_var', $_REQUEST);
}
?>
```

R4nk3d Posted April 19, 2009

Ok, I think it's doin the trick now.

darkfreaks Posted April 19, 2009

Not really. Better example of array map:

```php
<?php
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    //strip slashes//
    $user = $_POST["user"];
    $user= array_map('stripslashes_deep',$user);
    $pass = md5($_POST["pass"]);
    $pass= array_map('stripslashes_deep',$pass);
    $email = $_POST["email"];
    $email= array_map('stripslashes_deep',$email);
    //--------end----------------------//
}

if(!get_magic_quotes_gpc()){
    function stripslashes_deep($value)
    {
        $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
        return $value;
    }
    //strip slashes//
    $user = $_POST["user"];
    $user= array_map('stripslashes_deep',$user);
    $pass = md5($_POST["pass"]);
    $pass= array_map('stripslashes_deep',$pass);
    $email = $_POST["email"];
    $email= array_map('stripslashes_deep',$email);
    //--------end----------------------//
}

if (get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);
        return htmlspecialchars($var); //PHP 4 Version
        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
    //clean function//
    $user = $_POST["user"];
    $user= array_map('clean_post_var',$user);
    $pass = md5($_POST["pass"]);
    $pass= array_map('clean_post_var',$pass);
    $email = $_POST["email"];
    $email= array_map('clean_post_var',$email);
    //--------end----------------------//
}

if(!get_magic_quotes_gpc()) {
    function clean_post_var($var){
        $var=mysql_real_escape_string(trim(strip_tags($var)));
        $var=htmlspecialchars($var,ENT_QUOTES);
        return htmlspecialchars($var); //PHP 4 Version
        return filter_var($var,FILTER_SANITIZE_STRING);//PHP5 Version
    }
    // combining clean function into $_POST, $_GET, $_REQUEST, $_COOKIE
    //clean function//
    $user = $_POST["user"];
    $user= array_map('clean_post_var',$user);
    $pass = md5($_POST["pass"]);
    $pass= array_map('clean_post_var',$pass);
    $email = $_POST["email"];
    $email= array_map('clean_post_var',$email);
    //--------end----------------------//
}
?>
```

R4nk3d Posted April 19, 2009

I'm not exactly sure what this is doing, can u explain this to me a bit more? I see that it's stripping the tags and trimming the white space. But it's kinda confusing me.

darkfreaks Posted April 19, 2009

It strips slashes, so if you enter // \\ it will remove those.

filter_var($string, FILTER_SANITIZE_STRING) = strips tags and unwanted known injection characters, also encodes.

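Added example, not part of the thread and not the site's code: the register flow discussed above with each value handled for the place it is used, bound parameters for the SQL and HTML encoding only at output, instead of one clean() applied to everything. It assumes PHP 5.5 or later with pdo_sqlite; an in-memory SQLite table stands in for the MySQL `users` table, and `register_user()` and `h()` are hypothetical names.

```php
<?php
// Added example: context-specific handling instead of one clean() for everything.
// Assumptions: PHP >= 5.5 with pdo_sqlite; in-memory SQLite stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT UNIQUE, password TEXT, email TEXT)');

// Hypothetical helper: input travels as bound parameters, never inside the SQL text.
function register_user(PDO $db, $user, $pass, $email)
{
    $check = $db->prepare('SELECT 1 FROM users WHERE username = ?');
    $check->execute(array($user));
    if ($check->fetchColumn() !== false) {
        return false; // name already taken
    }
    $ins = $db->prepare('INSERT INTO users (username, password, email) VALUES (?, ?, ?)');
    // Hash the password exactly as typed; strip_tags() would silently alter it.
    return $ins->execute(array($user, password_hash($pass, PASSWORD_DEFAULT), $email));
}

// Hypothetical helper: encode for HTML only at the moment of output.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a name containing a quote and an e-mail value
// shaped like the '">code' profile input reported in the thread.
$name  = "O'Brien";
$email = '"><b>code</b>';

var_dump(register_user($db, $name, 'secret', $email)); // first registration
var_dump(register_user($db, $name, 'secret', $email)); // same name again

// The row holds the input unchanged: no escaping or stripping was needed for SQL.
$row = $db->query('SELECT username, email FROM users')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === $name);

// Rendered into an attribute (the edit-profile case), the value stays inert text.
echo '<input name="email" value="' . h($row['email']) . '">', "\n";
echo '<p>Welcome, ' . h($row['username']) . '</p>', "\n";
```

Because nothing is escaped on the way in, the stored value is exactly what the user sent, and the same row can later be encoded differently for HTML, JSON or a plain-text e-mail.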