
!preg_match? Can you eliminate from script?


Danestar


I have not seen this in code before and wanted to get more info on how it's used. It appears that the preg_match "\057\155\144\x6a\157\x75\x72ne\171\x2ec\157\x6d\057\x69" is encoded and supposed to match the $_SERVER value, and if not it is set to fail all commands. Is this right? Are there other variables that I should look for?

 

Is there a way around this to eliminate it from the script? I'm curious what happens if I just eliminate it from the script.

 

$site_pr=true;$ext_val=true;if(!preg_match("\057\155\144\x6a\157\x75\x72ne\171\x2ec\157\x6d\057\x69", $_SERVER["\123\x45\x52V\105\x52\137\116\x41\x4dE"])) die("");

If you echo out the two strings, it shows you that is doing this:

 

if(!preg_match("/mdjourney.com/i", $_SERVER["SERVER_NAME"])) die("");

 

All it is doing is checking if the php is currently running on mdjourney.com, which is a pretty pointless check if I'm honest. If someone has managed to steal your PHP, then they can wipe it. And I'm not sure if using a remote include would cause this to return false.


echo "\057\155\144\x6a\157\x75\x72ne\171\x2ec\157\x6d\057\x69";
echo '<br />', "\123\x45\x52V\105\x52\137\116\x41\x4dE";

 

That outputs what they mean, I'm pretty sure they were just encoded in ASCII/Unicode.

 

If you remove it, everything will work on the site. As I said, I think it's a pointless preg_match.

I just decoded what they meant in 10 seconds, so it's pointless to encode them. That security clause would ONLY be useful if someone stole your PHP and has no clue about PHP or any sort of programming knowledge. In my opinion that level of encode and security would be like having this code:

 


//MAY AS WELL HAVE A MASSIVE COMMENT HERE SAYING THAT IF YOU DELETE THE NEXT 3 LINES OF CODE, THIS WEBSITE WILL WORK ANYWHERE - P.S THE SUPER SECRET STUFF IS IN REVERSE
define('SUPER_SECRET_PASS', 'moc.etisbewym');
define('SUPER_SECRET_KEY', 'EMAN_REVRES');

if(!preg_match('/'.strrev(SUPER_SECRET_PASS).'/i', $_SERVER[strrev(SUPER_SECRET_KEY)])) die('');

 

Oh, I forgot to mention that the code doesn't account for the fact that '.' means any character in regex. So if it checked mywebsite.com, it would work on mywebsiteacom.net or anything else in place of that a. (In both my version and the version you found.)
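The two points made in the replies above (the escapes decode to plain text, and the unescaped '.' matches any character), as an added example that is not part of the original thread. The helper name `decode_escapes`, the hostnames and the stricter pattern are assumptions made for illustration; the unanchored-match case goes slightly beyond what the thread states.

```php
<?php
// Added example, not code from the thread.
// decode_escapes() is a hypothetical helper: it turns the octal (\NNN) and
// hex (\xNN) escapes used in the obfuscated snippet into plain characters
// without executing the code under review. Other PHP escapes are ignored.
function decode_escapes(string $s): string
{
    return preg_replace_callback(
        '/\\\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3}))/',
        function (array $m): string {
            // Group 1 is filled for a hex escape, group 2 for an octal one.
            return $m[1] !== ''
                ? chr(hexdec($m[1]))
                : chr(octdec($m[2]) & 0xFF);
        },
        $s
    );
}

// Single quotes keep the backslashes literal, exactly as they appear
// in the source file being reviewed.
$pattern = decode_escapes('\057\155\144\x6a\157\x75\x72ne\171\x2ec\157\x6d\057\x69');
$key     = decode_escapes('\123\x45\x52V\105\x52\137\116\x41\x4dE');

echo "pattern: $pattern\n";
echo "key:     $key\n\n";

// Constructed hostnames: the intended one and two lookalikes.
$hosts = [
    'mdjourney.com',
    'mdjourneyacom.net',          // '.' in the pattern matches the 'a'
    'mdjourney.com.example.org',  // pattern is not anchored
];

// Stricter comparison for contrast: literal dot, anchored at both ends.
$strict = '/^' . preg_quote('mdjourney.com', '/') . '$/iD';

foreach ($hosts as $host) {
    printf(
        "%-28s original=%d strict=%d\n",
        $host,
        preg_match($pattern, $host),
        preg_match($strict, $host)
    );
}
```

The stricter pattern only shows what an exact hostname comparison looks like; it does not change the point made above that anyone holding the source can delete the check.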

Archived

This topic is now archived and is closed to further replies.
