imperium2335 (posted July 11, 2010):
Hi, my site uses a PHP include for the navigation, where a single page contains all my buttons etc. and that's included on every page of the site. Somehow someone was able to add their own link without my permission or knowledge. How is this possible and how do I stop it from happening again?
Thread: https://forums.phpfreaks.com/topic/207430-php-include-hijacked/
PFMaBiSmAd (posted July 11, 2010):
Define: was able to add their own link? That could mean a half-dozen different things depending on what your code is and what exactly got changed. Details?
atrum (posted July 11, 2010):
Well, the first thing that comes to mind: are you sanitizing all the input?
Pikachu2000 (posted July 11, 2010):
That's kind of like asking, "Someone stole my car. How is that possible, and how do I stop it from happening again?" Without seeing the car, and maybe a video surveillance recording, there are just too many variables to answer that with any degree of certainty. A lot of cars, however, are stolen with the keys that were left in the ignition by the owner . . .
imperium2335 (topic author, posted July 11, 2010):
I have a comment system and an image submission system. My includes are kept in a directory called includes. Is it possible to edit the file if they manipulate my comment/submission systems? Wouldn't they have to know what the names of the files/directories are, though?
imperium2335 (topic author, posted July 11, 2010):
Only I know the FTP password and I change it often.
kenrbnsn (posted July 11, 2010):
Please show us your code. Without seeing what you're doing, we're only guessing at the cause.
Ken
myrddinwylt (posted July 11, 2010):
Here is some help with potential flaws that you should look into to see if any apply:

First: the all too famous "include" statement.
Include Vulnerability - Wikipedia - This topic just touches on the problem with using include in a brief, sensible manner.
Code Injection Vulnerabilities - This article goes into a bit more detail on how an include could cause a security issue on your server, and briefly discusses some alternatives.
SQL Injections - Article outlining how SQL injections work. If your queries are not sanitized, then you leave yourself open to problems with your data in your database. If that data also happens to be output to a web page, and/or the web page has exec capabilities on that code, then pretty much anything can happen.

Again, as stated in the above posts by other members of this site, without analysing your code (which could be intensive), the server / PHP / the libraries loaded, ports open, etc., there is no real way to determine 100% how your site got hijacked. The above links should at least point you in the right direction for the type of research you must do if you wish to resolve the problem yourself.
imperium2335 (topic author, posted July 11, 2010):
System for leaving a comment:

<?PHP
session_start();
$_SESSION['sortpref'];
$_SESSION['perpage'];
$_SESSION['currentpage'];
$_SESSION['source'];
$lastpage = $_SESSION['currentpage'];
$name = $_POST['name'];
$comment = $_POST['commentfield'];
$date = date("Y-m-d H:i:s");
$userip = $_SERVER['REMOTE_ADDR'];
$imgid = $_GET['src'];
if($name == NULL) $name = "Anonymous";
$comment2 = str_replace(" ", "", $comment);
if($comment2 == NULL) {
    header("Location: http://www.moundsofvenus.com$lastpage");
    exit();
}
if(stristr($comment, "http") || stristr($comment, "h t t p") || stristr($comment, ".com") || stristr($comment, ". c o m") || eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $comment) || stristr($comment, "h x x p") || stristr($comment, "viagra") || stristr($comment, ".ru")) {
    echo "Oops, looks like you tried to put bad things in your comment, that's not allowed. Use your back button.";
    exit();
}
$connect = mysql_connect("???????????",????????????,??????????????);
$db = "?????????????";
$select = mysql_select_db($db);
if(!$connect) { die('Connection Error: ' . mysql_error()); }
if(!$select) { die('Database not found: ' . mysql_error()); }
$query = "SELECT comment, comauthor, comdate FROM mound_images WHERE image_id = $imgid";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);
$currentcoms = $row['comment'];
$comauthor = $row['comauthor'];
$comdate = $row['comdate'];
$currentcoms .= $comment . ":::;;;farkthis;;;:::";
$comauthor .= $name . ":::;;;farkthis;;;:::";
$comdate .= $date . "<sep>";
$query2 = "UPDATE mound_images SET comment = '$currentcoms', comauthor = '$comauthor', comdate = '$comdate' WHERE image_id = $imgid";
mysql_query($query2);
mysql_close();
mail("[email protected]", "Comment on MoV", "Users name: $name \n\nUsers comment: $comment \n\nDate: $date \n\nImage ID: $imgid \n\nUsers IP: $userip");
header("Location: http://www.moundsofvenus.com$lastpage");
?>

File submission system:

<?PHP
// Upload user file, add to database, make thumbnail and enlargement jpgs.
session_start();
$_SESSION['state'];
$valid = $_SESSION['number'];
$name = strip_tags($_POST['name']);
$cat = strip_tags($_POST['category']);
$tags = strip_tags($_POST['tags']);
$desc = strip_tags($_POST['description']);
$security = strip_tags($_POST['varify']);
$validformats = array("jpg", "bmp", "gif", "tga", "jpeg");
$userip = $_SERVER['REMOTE_ADDR'];
if($valid != $security){
    $_SESSION['state'] = "Invalid anti-spam number, please try again.";
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
if($name == NULL) $name = "Anonymous";
if($cat == NULL) {
    $_SESSION['state'] = "Please pick a category word you think this picture would fall into, e.g. asian or blondes etc.";
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
if($tags == NULL) {
    $_SESSION['state'] = "Please enter a few words that would describe this image, e.g. shaved young hairy etc.";
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
if($desc == NULL) $desc = "No description entered.";
$updir = "../temp/";
$updir = $updir . basename($_FILES['fileup']['name']);
if(move_uploaded_file($_FILES['fileup']['tmp_name'], $updir))
    $_SESSION['state'] = "The file " . basename($_FILES['fileup']['name']) . " has been uploaded. Feel free to submit another!";
else {
    $_SESSION['state'] = "You didn't select a file to upload!";
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
$ext = substr($updir, strrpos($updir, '.') + 1);
$ext = strtolower($ext);
$filesize = round((filesize($updir)/1000000),3) . "MB";
if(in_array($ext, $validformats)) {
    $dimensions = getimagesize($updir);
} else {
    $_SESSION['state'] = "Invalid image format.";
    unlink($updir); // Delete file.
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
if(@filesize($updir) > 5000000) {
    $_SESSION['state'] = "Image file size is too large, please submit an image that is less than 5MB.";
    unlink($updir); // Delete file.
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
if($dimensions[0] < 300 || $dimensions[1] < 300) {
    $_SESSION['state'] = "The image size is too small, it must be atleast 300 by 300 pixels.";
    unlink($updir); // Delete file.
    header("Location: http://www.moundsofvenus.com/submit-pussy.html");
    exit();
}
$thumbs = "../pubic-mounds/pubic-thumbs/";
$imgdir = "../pubic-mounds/";
$width = $height = 150; // Set cropped image dimensions.
$ewidth = 600; // The maximum width our enlargement images can be.
$eheight = round(($dimensions[1] * $ewidth) / $dimensions[0]);
$canvas = imagecreatetruecolor($width, $height); // For our cropped thumbnail.
$enlarge = imagecreatetruecolor($ewidth, $eheight);
$piece = imagecreatefromjpeg($updir);
$newwidth = $dimensions[0] / 2;
$newheight = $dimensions[1] / 2;
$cropLeft = ($newwidth / 2) - ($width / 2);
$cropHeight = ($newheight / 2) - ($height / 2);
imagecopyresampled($canvas, $piece, 0, 0, $cropLeft, $cropHeight, $width, $height, $newwidth, $newheight);
imagecopyresampled($enlarge, $piece, 0, 0, 0, 0, $ewidth, $eheight, $dimensions[0], $dimensions[1]);
$time = time();
$efilename = $name . "-" . $cat . "-" . $time; // Build file names.
$thumbname = $thumbs . $efilename . "-thumb" . "." . $ext;
$efilename = $imgdir . $efilename . "." . $ext;
imagejpeg($canvas, $thumbname, 95); // Create the new thumb jpg and save it at the given quality.
imagejpeg($enlarge, $efilename, 90); // Enlargement.
$connect = mysql_connect("?????????", ???????????, ?????????????);
$db = "?????????";
$select = mysql_select_db($db);
if(!$connect) { die('Connection Error: ' . mysql_error()); }
if(!$select) { die('Database not found: ' . mysql_error()); }
$date = date("Y-m-d");
$query = "INSERT INTO mound_images (sourceurl, thumburl, ratings, dateadded, description, submitedby, category, keywords) VALUES ('$efilename', '$thumbname', '0', '$date', '$desc', '$name', '$cat', '$tags')";
mysql_query($query);
mysql_close();
mail("[email protected]", "MoundsofVenus Picture Submision", "An image has been uploaded, it is located at $efilename \n\nSubmited from $userip");
header("Location: http://www.moundsofvenus.com/submit-pussy.html");
?>

Thanks for your help so far!
PFMaBiSmAd (posted July 11, 2010):
You haven't told us what was changed, so it will be a little hard to pin down exactly which one of the problems in your code was used. Given that you have not escaped or validated ALL of the external variables being put into your queries, I will guess that someone injected a UNION query and dumped all your tables.
Pikachu2000 (posted July 11, 2010):
Looks like the keys to the car were in the ignition the whole time. There is nothing in that code to prevent SQL injection at all.
imperium2335 (topic author, posted July 11, 2010):
They just added a line of code to the file that contains all my navigation. Thanks for the advice, I will make it so that the input is stripped of tags etc. This was one of my first projects when I was learning PHP. BTW, it's an adult site so not work safe.
Pikachu2000 (posted July 11, 2010):
Too late; I just got fired for opening it on a company computer. Thanks a lot. [Just kidding]
imperium2335 (topic author, posted July 11, 2010):
haha!
.josh (posted July 11, 2010):
Pikachu2000 wrote: "Looks like the keys to the car were in the ignition the whole time. There is nothing in that code to prevent SQL injection at all."

I see an $imgid in there that just gets assigned an unsanitized/unvalidated $_GET['src'] and then used in both select and update queries... I also see $name and $comment vars being assigned posted values, and the only validation I see done on them is checking if they are empty and for a couple of spam-type strings..... I don't even see mysql_real_escape_string being used... And for the file uploads... I see nothing that prevents someone from overwriting existing files. PFM pretty much summed it up: you need to validate all your user input.
imperium2335 (topic author, posted July 11, 2010):
I've added in the strip_tags for all the input. Where should I use mysql_real_escape_string?
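The three points .josh raises (an unvalidated $imgid in both queries, string values concatenated into SQL, and uploads stored under the client's own file name), applied to the comment and upload scripts above. This is an added example, not imperium2335's code: it assumes the same mound_images table and column names, uses mysqli prepared statements in place of mysql_real_escape_string (the parameters are bound, so no escaping call is needed anywhere), and the DB_* values and the $imgdir argument are placeholders.

```php
<?php
// Added example (not the thread author's code). Assumes the mound_images
// table and column names shown above; DB_* values are placeholders.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
if ($db->connect_error) {
    die('Connection Error: ' . $db->connect_error);
}

// 1. image_id is numeric: accept only a positive integer before it reaches a query.
$imgid = filter_input(INPUT_GET, 'src', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!$imgid) {
    http_response_code(400);
    exit('Bad image id');
}
$name    = trim((string) ($_POST['name'] ?? '')) ?: 'Anonymous';
$comment = trim((string) ($_POST['commentfield'] ?? ''));
if ($comment === '') {
    exit('Empty comment');
}

// 2. Free-text fields are bound as parameters, so quotes inside $comment or $name
//    stay data and never become SQL. This is where mysql_real_escape_string would
//    otherwise have to wrap every string value; with binding it is not needed.
$stmt = $db->prepare(
    "UPDATE mound_images SET comment = CONCAT(IFNULL(comment, ''), ?), "
    . "comauthor = CONCAT(IFNULL(comauthor, ''), ?), "
    . "comdate = CONCAT(IFNULL(comdate, ''), ?) WHERE image_id = ?"
);
$comSep  = $comment . ':::;;;farkthis;;;:::';
$authSep = $name . ':::;;;farkthis;;;:::';
$dateSep = date('Y-m-d H:i:s') . '<sep>';
$stmt->bind_param('sssi', $comSep, $authSep, $dateSep, $imgid); // bind_param needs variables
$stmt->execute();

// 3. Uploads: never build a path from the client's file name. Check the real
//    content with getimagesize(), then store under a server-chosen name so an
//    existing file (for example one in includes/) cannot be overwritten.
function store_upload(array $file, string $imgdir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 5000000) {
        return null;
    }
    $info  = @getimagesize($file['tmp_name']);
    $types = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($types[$info[2]]) || $info[0] < 300 || $info[1] < 300) {
        return null;
    }
    $dest = rtrim($imgdir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $types[$info[2]];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

The upload helper is called as store_upload($_FILES['fileup'], '../pubic-mounds') and returns the stored path for the INSERT, or null when the file is rejected; the same bind_param pattern covers that INSERT's $desc, $name, $cat and $tags values.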
PFMaBiSmAd (posted July 11, 2010):
After you fix the SQL problems, if one of your files was altered, I would check the server access log to find out the computer-user/account name that wrote to it (web server files are normally only read). That will at least pin down if it was through FTP, your web hosting control panel, a PHP script, one of the other accounts on the server...