PHP Exploit BUT HOW?

[110%Nutter]

Hi, I went to look at my website last night and found that my homepage had been replaced by something created by some muslim albanian / kosovo hackers.

 

I would be interested in hearing from any of you who could pin point the weak spot in my code, I'm pretty new to php so its likely there are some newbie errors in it that let them in!!

 

Hope to hear from someone soon!!

 

[attachment deleted by admin]

[bundyxc]

I'll take a closer look in the morning, but for now, I'll assume that they got in using the unsanitized $_GET["page"] variable...

[110%Nutter]

Thanks I'll look forward to hearing from you!!

[bundyxc]

Until the morning, check out regex, and other ways of validating/sanitizing user input. Can't trust your users.

[110%Nutter]

Did you find anything stupid in what I'd done?

 

Hope to hear from you soon!!

[sford999]

Its like bundyxc said, its most likely the unsanitized $_GET['']; input.

 

As you could probably do something like:

index.php?page=<script>alert('I can see this popup')</script>

 

You could use something like

 

<?php
function make_safe($unsafe)
{
mysql_connect($server, $user, $pwd);
$safe = mysql_real_escape_string(strip_tags(trim($unsafe)));
return $safe;
}
?>

 

Then do

 

<?php

make_safe($_GET['something']);

?>

[110%Nutter]

I'm not using a mysql database but i think i can see what your getting at. Any chance you could modify that so its more suited to the way i'm using my page variable?

[sford999]

Try this

 

<?php

function make_safe($unsafe)
{
   $safe = add_slashes(strip_tags(trim($unsafe)));
   return $safe;
}
?>

 

you will need to use the strip_slashes() function on anything which has single or double quotes and backslashes passed though.

[110%Nutter]

Where would that go in my source file?

[SetToLoki]

is your site genera

Hi, I went to look at my website last night and found that my homepage had been replaced by something created by some muslim albanian / kosovo hackers.

 

I would be interested in hearing from any of you who could pin point the weak spot in my code, I'm pretty new to php so its likely there are some newbie errors in it that let them in!!

 

Hope to hear from someone soon!!

is your homepage generated by a cms, I have an issue with a clients website they used sql injection. the guys have been round hacking many a site recently word of warning they seem to upload malicious code to some sites so if you goolge for these guys and find other sites they have hacked don't click on them.

 

mysql_escape_strings and real_mysql_escape_strings is a way to stop sql injection. if they have hacked database content.

[110%Nutter]

No its not generated by a cms nor does it have a database running in the background. I found out who it was by looking in the server log. They had decided to post the hack on their own forum and link to it....