Help Required Immediately - Urgent


SamiMukahhal


I'm having problems with people uploading shell hacking scripts through my replay uploader; they are hacking my website each and every time.

 

Here is my script

http://pastebin.com/JfhBFugN

 

Or here's the code:

 

<?php
/******************************************************************************
Last revision:
- Author: Seven
- Email: zabkar@gmail.com  (Subject DotaParser)
- Date: 7.7.2009
******************************************************************************/
?>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-31574622-1']);
  _gaq.push(['_trackPageview']);

  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Ranked Gaming Parser</title>
<meta name='keywords' content="Defense of the Ancients, DotA, Replays, Parser, DotA Replays, DotA Parser, DotA Games, Icefrog, Replay, Parse Dota, Top Dota Replays, DotA Replay Download, Dota Replay Upload, DotA replay uploads, DotA replay downloads, DotA replay parsing, DotA replay ranking" />
<meta name='description' content="'Ranked Gaming Parser' Is a DotA replay parsing service provided for Defense of the Ancients (DotA) players located throughout the world. Powered by rankedgaming.com; a DotA Ladder, Stat Tracking, and Gaming community." />
<link href="style_x.css" rel="stylesheet" type="text/css" media="screen" />
</head>
<body>
<center><img src="http://www.rankedgamingparser.com/RGP.png" alt="Logo"/></center>
<center>
<table>
  <tr>
    <td style="height:40px">
      <a class="menuButtons" href="index.php">Upload Replay</a>
      <a class="menuButtons" href="replaydb.php">Replay Database</a>
      <a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a>
      <a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a>
      <a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a>
    </td>
  </tr>
</table>
</center>
<br>

<div id="fb-root"></div>
<script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>

<div class="wrapper">
<div class="replay">
<h2> DotA Replay Parser - Upload Replay</h2>
<?php
$print_info = false;
define("MAX_UPLOAD_SIZE", 3000000);

// Upload a file
if(isset($_POST['uploadReplay'])) {
    if(!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text'])) {
        echo 'Error: Make sure you\'ve filled out all the fields.';
    }
    else {
        $title = htmlspecialchars(trim($_POST['replay_title']));
        $winner = htmlspecialchars(trim($_POST['replay_winner']));
        $text = htmlspecialchars(trim($_POST['replay_text']));

        // Check that we have a file
        $replayUploaded = false;
        $replayFile = "";

        if(( !empty($title) && !empty($winner) &&
            !empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0)) {
            // Check that the file has a .w3g extension and is smaller than MAX_UPLOAD_SIZE
            $filename = basename($_FILES['replay_file']['name']);
            $ext = substr($filename, strrpos($filename, '.') + 1);
            $uniqueID = time();

            if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) {
                // Determine the path to which we want to save this file
                $newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext;
                // Check whether a file with the same name already exists on the server
                if (!file_exists($newname)) {
                    // Attempt to move the uploaded file to its new place
                    if ((move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname))) {
                        $replayFile = $uniqueID.'.'.$ext;
                        $replayUploaded = true;
                    }
                    else {
                        print_message("Error: A problem occurred during file upload!");
                    }
                }
                else {
                    print_message("Error: File ".$_FILES["replay_file"]["name"]." already exists");
                }
            }
            else {
                print_message("Error: Only .w3g replays under 3 MB are accepted for upload");
            }
        }
        else {
            print_message("Error: Make sure you've filled out all the fields");
        }

        // If the replay was uploaded successfully, process it
        if( $replayUploaded ) {
            @require("reshine.php");
            require('replay_saver.php');

            $replay = new replay('replays/'.$replayFile);

            $replay->extra['title'] = $title;

            /* Determine the winner
             * If the uploader chose "Automatic" then check if the parser was able to determine a winner,
             * otherwise the winner is set to "Unknown"
             * Alternatively the uploader can set the winner manually
             */
            if("Automatic" != $winner) {
                $replay->extra['winner'] = ( $winner == "Sentinel" ? "Sentinel" : "Scourge" );
            }
            else if(isset($replay->extra['parsed_winner'])) {
                $replay->extra['winner'] = $replay->extra['parsed_winner'];
            }
            else {
                $replay->extra['winner'] = "Unknown";
            }

            $replay->extra['text'] = $text;
            $replay->extra['original_filename'] = $filename;

            // Persist the parsed replay object next to the replay file
            $txt_file = fopen('replays/'.$replayFile.'.txt', 'a');
            flock($txt_file, LOCK_EX);
            fputs($txt_file, serialize($replay));
            flock($txt_file, LOCK_UN);
            fclose($txt_file);

            if ( $replay->extra['parsed'] == false ) {
                // Replay not parsed
            }
            else {
                // Replay saved, display the link.
                // Create replay saver object
                $replaysaver = new replaysaver($title, $text, $replayFile);
                // Call save method
                $replaysaver->saveData();
                print_message('Replay uploaded successfully. <a href="view_replay.php?file='.$replayFile.'" alt="View replay" > View details </a>');
                $print_info = true;
            }
        }
    }
}

function print_message($msg) {
    echo '<div style="padding-left: 10px; padding-bottom: 10px;" >';
    echo $msg;
    echo '</div>';
}
?>

<div class="content" style="width: 99%;">

    <form enctype="multipart/form-data" action="index.php" method="post">
    <fieldset>
      <label for="replay_title" >Title*:       </label><input name="replay_title" id="replay_title" type="text" />
      <br />
      <label for="replay_winner" >Winner:     </label>
        <select name="replay_winner" id="replay_winner">
            <option value="Automatic">Automatic </option>
            <option value="Sentinel">Sentinel </option>
            <option value="Scourge">Scourge </option>
        </select>
      <br />
      <label for="replay_text" style="vertical-align: top;" >Description: </label>
      <textarea name="replay_text" id="replay_text" cols="65"></textarea>
      <br />
      <input type="hidden" name="MAX_FILE_SIZE" id="MAX_FILE_SIZE" value="3000000" />
      <label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />
      <input type="submit" value="Upload" name="uploadReplay" />
    </fieldset>
  </form>

<br>
<br>
<center>
<font size="3" color="red">DotA 6.75 is now fully supported !</font>
<br><br>
<font size="3">
There are currently
<font color="#E34000">
<?php
$directory = "/home/rgc123/public_html/replays/";
// Count the stored replays; glob() returns false on error and an empty array when nothing matches
$replays = glob($directory . "*.w3g");
echo ($replays !== false) ? count($replays) : 0;
?>
</font>
DotA replays in our database and counting!
<br>
<br>
<div class="fb-like" data-href="http://www.facebook.com/ExtremelyAwesomeLeague" data-send="false" data-width="450" data-show-faces="true" data-font="verdana"></div>
<br>
<br>
</center>

</div>

</div>

</div>

<div class="wrapper"><div class="replay"><h2>
<center>© 2012 Made by <a href="">BitchGotRaped</a></center></h2></div></div>
<br />

</body>
</html>

 

 

Currently my website is down until I resolve this issue.

 

My webhost said : "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g. "

 

I don't know how; please fix my script to only allow the upload of ".w3g" files, with no way for someone to bypass it.

 

Thank you a lot!

Edited by gizmola
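An added example (not the poster's script, and not from the thread) showing what the webhost's advice looks like in code for this uploader: a whitelist on the original filename that allows exactly one extension and so rejects double extensions such as .php.w3g, plus a content check on the w3g header and a server-chosen filename. REPLAY_DIR is an assumed directory outside public_html; the form field name 'replay_file' is taken from the script above.

```php
<?php
// Added example, not the original uploader: replacement for its extension check.
// Assumptions: REPLAY_DIR is a hypothetical folder outside public_html (so Apache
// never serves it), the upload field is still 'replay_file', and PHP is 7 or newer
// (for random_bytes()).
define('REPLAY_DIR', '/home/rgc123/replays_private/'); // hypothetical, not web-accessible
define('MAX_UPLOAD_SIZE', 3000000);
// Every Warcraft III replay (.w3g) starts with this 28-byte header.
define('W3G_MAGIC', "Warcraft III recorded game\x1A\x00");

/** Validate one $_FILES entry and store it. Returns the server-chosen filename
 *  on success, or a message beginning with "Error:" on rejection. */
function store_replay(array $file)
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'Error: A problem occurred during file upload!';
    }
    if ($file['size'] <= 0 || $file['size'] > MAX_UPLOAD_SIZE) {
        return 'Error: Only replays under 3 MB are accepted';
    }
    // Whitelist: a plain base name, exactly one dot, and the .w3g extension.
    // This rejects "x.php.w3g", ".htaccess", names containing slashes or NUL bytes, etc.
    $original = basename($file['name']);
    if (!preg_match('/^[A-Za-z0-9 _\-]{1,100}\.w3g$/i', $original)) {
        return 'Error: Only .w3g replays are accepted for upload';
    }
    // Content check: whatever the name says, the bytes must start with the w3g
    // header, so a PHP script renamed to .w3g is rejected here.
    $fh = fopen($file['tmp_name'], 'rb');
    $head = $fh ? fread($fh, strlen(W3G_MAGIC)) : '';
    if ($fh) fclose($fh);
    if ($head !== W3G_MAGIC) {
        return 'Error: The file is not a Warcraft III replay';
    }
    // The stored name is generated by the server; the client's name is only metadata.
    $stored = bin2hex(random_bytes(8)) . '.w3g';
    $dest = REPLAY_DIR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'Error: A problem occurred during file upload!';
    }
    chmod($dest, 0640); // a data file: not executable, not world-readable
    return $stored;
}

if (isset($_POST['uploadReplay'], $_FILES['replay_file'])) {
    echo htmlspecialchars(store_replay($_FILES['replay_file']));
}
```

Because REPLAY_DIR is not served by Apache, the parser is given REPLAY_DIR . $stored instead of 'replays/'.$replayFile, and view_replay.php has to read the file itself rather than link to it.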

A) The pastebin you used is private and doesn't do us any good. Just post your code here inside of [ code ][ /code ] bbcode tags.

 

B) The simplest way of preventing problems with uploaded files is to upload them into a folder that has no http access, either by putting that folder outside your document root folder or, if that option is not available, by putting a .htaccess file in the folder that prevents all http requests for the files.

 

C) You can also do B), but use a .htaccess file to disable the execution of any server-side scripting languages for the files inside that folder.

 

D) Once you do B), you will need to use a .php script to dynamically output/download the files.


Also, there's a well-known Apache exploit when PHP is running as an Apache module: any occurrence of .php in the file name will cause PHP to be invoked for that file.

 

The solution for this exploit is for the server to be configured to only invoke PHP when the .php occurs at the end of the requested filename.

 

 

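An added example (not from either reply above) that puts steps B, C and D of the first reply and the handler-mapping fix of the second into concrete form: the .htaccess and server-config lines are given in the header comment, and the script itself is the download page step D asks for. REPLAY_DIR is an assumed directory outside public_html holding replays under server-generated names; nothing here is the site's own code.

```php
<?php
// Added example, not from the thread: download script for replays kept in a folder
// Apache never serves directly (step D). Assumption: REPLAY_DIR is a hypothetical
// directory outside public_html and files were stored under server-generated names.
// If the folder must stay under public_html, a .htaccess in it can hold, for Apache 2.2:
//     Deny from all                  # step B: no HTTP access to the folder at all
// or, to keep direct downloads but never execute anything in it (step C, mod_php):
//     php_flag engine off
//     RemoveHandler .php .phtml .php3
// The "any .php in the name" behaviour from the last reply comes from AddHandler;
// mapping the handler in the server config by name suffix instead avoids it:
//     <FilesMatch "\.php$">
//         SetHandler application/x-httpd-php
//     </FilesMatch>
define('REPLAY_DIR', '/home/rgc123/replays_private/'); // hypothetical, not web-accessible

/** Map a user-supplied replay name to a path inside REPLAY_DIR, or return null.
 *  The strict pattern rejects "../", double extensions and anything the uploader
 *  did not generate; realpath() additionally defeats symlinks pointing elsewhere. */
function resolve_replay($name)
{
    if (!is_string($name) || !preg_match('/^[0-9a-f]{1,32}\.w3g$/', $name)) {
        return null;
    }
    $base = realpath(REPLAY_DIR);
    $path = realpath(REPLAY_DIR . $name);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$path = isset($_GET['file']) ? resolve_replay($_GET['file']) : null;
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('Replay not found');
}
// Served as an opaque download: never interpreted by the server, never sniffed by the browser.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```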
