Jump to content

any one experienced PHP.C99Shell

ident

By ident
in Miscellaneous

 Share

Recommended Posts

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

My sites been coded to stop anything bad happening like this...

Post your upload form processing code if you want someone on the forum to help with what it might or might not be doing.

 

Edit: Also post other relevant details such as .htaccess files that are in place to either prevent the execution of .php files or browsing to files in the upload destination folder.

Link to comment
Share on other sites
ident Member

ident

Posted
  • Author
Posted

u will have to forgive me i didnt build the site. it's mine but a mate did.

 

the handle script is

 


<?php

require_once('../inc/config.inc.php');

function rand_str($length = 14, $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890')
{
    // Length of character list
    $chars_length = (strlen($chars) - 1);

    // Start our string
    $string = $chars{rand(0, $chars_length)};
   
    // Generate random string
    for ($i = 1; $i < $length; $i = strlen($string))
    {
        // Grab a random character from our list
        $r = $chars{rand(0, $chars_length)};
       
        // Make sure the same two characters don't appear next to each other
        if ($r != $string{$i - 1}) $string .=  $r;
    }
   
    // Return the string
    return $string;
}

if( (!$_FILES) || ( !is_uploaded_file($_FILES['upfile']['tmp_name']) ) ) {
# nothing given to upload
header('Location: Upload.htm');
}

require_once('../inc/mysql.inc.php');

# check the given file extension is valid
$allowed_exts = array('jpeg', 'jpg', 'gif', 'tiff', 'png', 'tif');
$infile_bits = explode('.', $_FILES['upfile']['name']);
$infile_ext = strtolower( $infile_bits[count($infile_bits)-1] );

# quit if an invalid extension is given
if( !in_array($infile_ext, $allowed_exts) ) {
include('header.php');

   echo '<div style="text-align: center;"><img src="homer.gif" width="290" height="267" /></center>';
    

echo '<div style="text-align: center;">'.htmlentities($infile_ext, ENT_QUOTES).' is not supported</div>';
die;
}

# create a random filename that isn't yet taken in the database
$nametries = 0;
$nameok = 0;
while($nametries < 4) {
$filename = rand_str();
$check_query = 'SELECT `id` FROM `images` WHERE `storedname` = \''.$filename.'.'.$infile_ext.'\'';
$check_result = mysql_query($check_query);
@$check_row = mysql_fetch_object($check_result);
if(!$check_row->id) {
	# this filename isn't taken yet
	$nameok = 1;
	break;
}

$nametries++;
}

if(!$nameok) {
print 'error: failed to find usable filename (this is probably a bug)';
die;
}

# copy the file to the storage folder
if( !move_uploaded_file($_FILES['upfile']['tmp_name'], $config['uploadpath'].$filename.'.'.$infile_ext) ) {
print 'error: failed to move the uploaded file';
die;
}

# input the new file in the database
$newup_query = 'INSERT INTO `images` (`upname`, `storedname`, `fileext`, `uploaded`) VALUES (\''.addslashes($_FILES['upfile']['name']).'\', \''.$filename.'\', \''.$infile_ext.'\', NOW())';
mysql_query($newup_query);


header('Location: viewpic.php?file='.$filename);

?>

 

 

i dont know what htaccess file is :(

Link to comment
Share on other sites
keldorn Member

keldorn

Posted
Posted

Check for just the file .ext is not secure way to handle image uploads.

 

This is how I would handle image uploads:

 

1. Check for extension  - If fails stop processing, give message of invalid file type.

2. Check Mime Type  - If fails stop processing, give message of invalid mime type.

2. Size check it  getimagesize()  -- If fail then stop processing, give message that supposes image was not a image.

3. Recrop/Resize then save.  -- Last check if fails will throw warning, but you can use @ to suppress it. If it truly is not an image it will fail on trying to resize it.  -- stop processing and give message to gtfo.

 

 

Link to comment
Share on other sites
keldorn Member

keldorn

Posted
Posted

is there something i can read to help my impliment this? im extreamly new to php, but willing to learn

 

I cant say of any tutorials that show to offer secure image upload. I've looked myself before when I was less experienced, but I just figured it out myself. Of all the things, I would say resizing the image and saving a copy of it and discarded the original is the safest, you can even do this without losing any quality in the image, say the image is 500 x 500 Pixels, Jpeg, you can resave it as a 500 x 500 jpeg again, making the image safe. Becuase script kiddies will hide PHP or javascript inside the jpeg, you ever heard of those hacks, not sure how succesfull any attack vector like that would be, but resaving the image would remove any such non-safe data from the image.

 

 

In the meantime while your figure it out,  stop any PHP code from running in upload directory. if your running Apache, put this in your .htaccess for starters,

 

php_flag engine off

 

There is also this nice class you can plug into your script that will handle the nitty gritty of image manipulations,

http://asido.info  But requires some OOP knowledge to use. But there are quite a few examples available that come with it, so just look threw it.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Where on your web server did you find the c99 scripts? Where they only in the folder you are putting uploaded files in? What exact file names did they have?

 

Here is another recent thread on the c99 script - http://www.phpfreaks.com/forums/index.php/topic,270592.0.html

 

It was discovered that some combinations of operating system/web server (I suspect primarily when php is running as an Apache module, not enough specific information was posted in that thread to definitively identify which) cause file names such as c99.php.ext, where ext is an extension that your upload script allows, to be parsed as php code when requested.

 

The best protection is to disable the php engine for the upload destination folder.

Link to comment
Share on other sites
Daniel0 Advanced Member

Daniel0

Posted
Posted

It was discovered that some combinations of operating system/web server (I suspect primarily when php is running as an Apache module, not enough specific information was posted in that thread to definitively identify which) cause file names such as c99.php.ext, where ext is an extension that your upload script allows, to be parsed as php code when requested.

 

I saw someone posting a configuration snippet yesterday (not here) where he made .php* parseable by PHP. I assume it was to get things like .php4, .php5 and such. This could open up for that.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.