SamiMukahhal, posted October 18, 2012 (edited)

I'm having problems with people uploading shell hacking scripts on my replay uploader; they are hacking my website each and every time. Here is my script: http://pastebin.com/JfhBFugN, or here's the code:

[code]
<?php
/******************************************************************************
 Last revision: -
 Author: Seven
 Email: zabkar@gmail.com (Subject DotaParser)
 Date: 7.7.2009
******************************************************************************/
?>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-31574622-1']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Ranked Gaming Parser</title>
<meta name='keywords' content="Defense of the Ancients, DotA, Replays, Parser, DotA Replays, DotA Parser, DotA Games, Icefrog, Replay, Parse Dota, Top Dota Replays, DotA Replay Download, Dota Replay Upload, DotA replay uploads, DotA replay downloads, DotA replay parsing, DotA replay ranking" />
<meta name='description' content="'Ranked Gaming Parser' Is a DotA replay parsing service provided for Defense of the Ancients (DotA) players located throughout the world. Powered by rankedgaming.com; a DotA Ladder, Stat Tracking, and Gaming community." />
<link href="style_x.css" rel="stylesheet" type="text/css" media="screen" />
</head>
<body>
<center><img src="http://www.rankedgamingparser.com/RGP.png" alt="Logo"/></center>
<center>
<table>
<tr>
<td style="height:40px">
<a class="menuButtons" href="index.php">Upload Replay</a>
<a class="menuButtons" href="replaydb.php">Replay Database</a>
<a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a>
<a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a>
<a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a>
</td>
</tr>
</table>
</center>
<br>
<div id="fb-root"></div>
<script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>
<div class="wrapper">
<div class="replay">
<h2> DotA Replay Parser - Upload Replay</h2>
<?php
$print_info = false;
define("MAX_UPLOAD_SIZE", 3000000);

// Upload a file
if(isset($_POST['uploadReplay']))
{
    if(!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text']))
    {
        echo 'Error: Make sure you\'ve filled out all the fields.';
    }
    else
    {
        $title  = htmlspecialchars(trim($_POST['replay_title']));
        $winner = htmlspecialchars(trim($_POST['replay_winner']));
        $text   = htmlspecialchars(trim($_POST['replay_text']));

        // Check that we have a file
        $replayUploaded = false;
        $replayFile = "";
        if(( !empty($title) && !empty($winner) && !empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0))
        {
            // Check that the file has a .w3g extension and is smaller than MAX_UPLOAD_SIZE
            $filename = basename($_FILES['replay_file']['name']);
            $ext = substr($filename, strrpos($filename, '.') + 1);
            $uniqueID = time();
            if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE)
            {
                // Determine the path to which we want to save this file
                $newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext;
                // Check if a file with the same name already exists on the server
                if (!file_exists($newname))
                {
                    // Attempt to move the uploaded file to its new place
                    if ((move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname)))
                    {
                        $replayFile = $uniqueID.'.'.$ext;
                        $replayUploaded = true;
                    }
                    else
                    {
                        print_message("Error: A problem occurred during file upload!");
                    }
                }
                else
                {
                    print_message("Error: File ".$_FILES["replay_file"]["name"]." already exists");
                }
            }
            else
            {
                print_message("Error: Only .w3g replays under 3 MB are accepted for upload");
            }
        }
        else
        {
            print_message("Error: Make sure you've filled out all the fields");
        }

        // If the replay was uploaded successfully, process it
        if( $replayUploaded )
        {
            @require("reshine.php");
            require('replay_saver.php');
            $replay = new replay('replays/'.$replayFile);
            $replay->extra['title'] = $title;

            /* Determine the winner
             * If the uploader chose "Automatic" then check if the parser was able to determine a winner,
             * otherwise the winner is set to "Unknown"
             * Alternatively the uploader can set the winner manually */
            if("Automatic" != $winner)
            {
                $replay->extra['winner'] = ( $winner == "Sentinel" ? "Sentinel" : "Scourge" );
            }
            else if(isset($replay->extra['parsed_winner']))
            {
                $replay->extra['winner'] = $replay->extra['parsed_winner'];
            }
            else
            {
                $replay->extra['winner'] = "Unknown";
            }
            $replay->extra['text'] = $text;
            $replay->extra['original_filename'] = $filename;

            $txt_file = fopen('replays/'.$replayFile.'.txt', 'a');
            flock($txt_file, LOCK_EX);
            fputs($txt_file, serialize($replay));
            flock($txt_file, LOCK_UN);
            fclose($txt_file);

            if ( $replay->extra['parsed'] == false )
            {
                // Replay not parsed
            }
            else
            {
                // Replay saved, display the link.
                // Create replay saver object
                $replaysaver = new replaysaver($title, $text, $replayFile);
                // Call save method
                $replaysaver->saveData();
                print_message('Replay uploaded successfully. <a href="view_replay.php?file='.$replayFile.'" alt="View replay" > View details </a>');
                $print_info = true;
            }
        }
    }
}

function print_message($msg)
{
    echo '<div style="padding-left: 10px; padding-bottom: 10px;" >';
    echo $msg;
    echo '</div>';
}
?>
<div class="content" style="width: 99%;">
<form enctype="multipart/form-data" action="index.php" method="post">
<fieldset>
<label for="replay_title" >Title*: </label><input name="replay_title" id="replay_title" type="text" />
<br />
<label for="replay_winner" >Winner: </label>
<select name="replay_winner" id="replay_winner">
<option value="Automatic">Automatic </option>
<option value="Sentinel">Sentinel </option>
<option value="Scourge">Scourge </option>
</select>
<br />
<label for="replay_text" style="vertical-align: top;" >Description: </label>
<textarea name="replay_text" id="replay_text" cols="65"></textarea>
<br />
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo MAX_UPLOAD_SIZE; ?>" />
<label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />
<input type="submit" value="Upload" name="uploadReplay" />
</fieldset>
</form>
<br>
<br>
<center>
<font size="3" color="red">DotA 6.75 is now fully supported !</font>
<br><br>
<font size="3"> There are currently <font color="#E34000">
<?php
$directory = "/home/rgc123/public_html/replays/";
$replays = glob($directory . "*.w3g");
echo ($replays !== false) ? count($replays) : 0;
?>
</font> DotA replays in our database and counting! </font>
<br>
<br>
<div class="fb-like" data-href="http://www.facebook.com/ExtremelyAwesomeLeague" data-send="false" data-width="450" data-show-faces="true" data-font="verdana"></div>
<br>
<br>
</center>
</div>
</div>
</div>
<div class="wrapper"><div class="replay"><h2><center>© 2012 Made by <a href="">BitchGotRaped</a></center></h2></div></div>
<br />
</body>
</html>
[/code]

Currently my website is down until I resolve this issue. My webhost said: "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g."

I don't know how; please fix my script to only allow the upload of ".w3g" with no way for someone to bypass it. Thank you a lot!

Edited October 18, 2012 by gizmola

Link to comment: https://forums.phpfreaks.com/topic/269603-help-required-immediately-urgent/
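What the webhost's advice looks like in code, as an added example that is not part of the original post or of the Ranked Gaming Parser script: an extension whitelist that allows exactly one extension (so a double extension such as .php.w3g can never pass), a check that the uploaded bytes really start with the Warcraft III replay header rather than a PHP tag, a filename generated by the server instead of taken from the client, and storage in a directory outside the web root. The path `/home/rgc123/replays_private`, the function names and the PHP 7+ requirement (for `random_bytes`) are my assumptions, not anything from the thread.

```php
<?php
// Added example, not from the original post: hardened replacement for the
// $ext / $newname block in the script above.
// Assumption: PHP 7.0+ and a storage directory OUTSIDE public_html, e.g.
// /home/rgc123/replays_private (hypothetical path).
declare(strict_types=1);

const MAX_UPLOAD_SIZE = 3000000;
// Every Warcraft III replay starts with this 28-byte header
// ("Warcraft III recorded game", 0x1A, 0x00), per the .w3g format description.
const W3G_MAGIC = "Warcraft III recorded game\x1A\x00";

/**
 * Whitelist check on the client-supplied name: exactly one extension, and it
 * must be w3g (case-insensitive). "shell.php.w3g", "shell.w3g.php",
 * "shell.w3g\0.php" and ".htaccess" are all rejected.
 */
function replay_name_allowed(string $clientName): bool
{
    if ($clientName === '' || strpos($clientName, "\0") !== false) {
        return false;
    }
    $name = basename($clientName);
    // Exactly one dot, and not a leading one: double extensions cannot occur.
    if ($name === '' || $name[0] === '.' || substr_count($name, '.') !== 1) {
        return false;
    }
    return strtolower(pathinfo($name, PATHINFO_EXTENSION)) === 'w3g';
}

/** Content check: the file must begin with the replay header, not "<?php". */
function replay_magic_ok(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, strlen(W3G_MAGIC));
    fclose($fh);
    return $head === W3G_MAGIC;
}

/**
 * Validate one $_FILES entry and move it into $storeDir under a name the
 * server generates, never one derived from user input. Returns the stored
 * basename or throws with a message that is safe to show the uploader.
 */
function store_replay(array $file, string $storeDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent.');
    }
    if ($file['size'] > MAX_UPLOAD_SIZE) {
        throw new RuntimeException('Only .w3g replays under 3 MB are accepted.');
    }
    if (!replay_name_allowed((string) $file['name'])) {
        throw new RuntimeException('Only .w3g replays are accepted.');
    }
    // Refuse anything that did not arrive through PHP's upload mechanism,
    // and anything whose content is not a replay whatever its name says.
    if (!is_uploaded_file($file['tmp_name']) || !replay_magic_ok($file['tmp_name'])) {
        throw new RuntimeException('File is not a Warcraft III replay.');
    }
    $stored = bin2hex(random_bytes(8)) . '.w3g';   // e.g. 3f9a0c...c1.w3g
    $dest   = rtrim($storeDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('A problem occurred during file upload.');
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return $stored;
}

// Usage inside the existing handler, in place of the $ext / $newname block:
// try {
//     $replayFile = store_replay($_FILES['replay_file'], '/home/rgc123/replays_private');
//     $replayUploaded = true;
// } catch (RuntimeException $e) {
//     print_message('Error: ' . htmlspecialchars($e->getMessage()));
// }
```

Because the stored name is random and the extension is appended by the server, nothing from the client's filename ever reaches the filesystem; the name check exists only so that the error message is honest and the later parser is never handed something that was mislabelled. The magic check is the part that actually stops a PHP shell renamed to .w3g.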
PFMaBiSmAd, posted October 18, 2012

A) The pastebin you used is private and doesn't do us any good. Just post your code here inside of [ code ][ /code ] bbcode tags.

B) The simplest way of preventing problems with uploaded files is to upload them into a folder that has no http access, either by putting that folder outside your document root folder, or if that option is not available, by putting a .htaccess file in the folder that prevents all http requests for the files.

C) You can also do B), but use a .htaccess file to disable the execution of any server-side scripting languages for the files inside that folder.

D) Once you do B), you will need to use a .php script to dynamically output/download the files.
PFMaBiSmAd, posted October 18, 2012

E) Why on this earth did you use the QUOTE tag for posting your code?

F) If you are in a hurry to solve this and it is beyond your programming skills to implement the suggestions yourself, I recommend posting in the freelancing forum section.
PFMaBiSmAd, posted October 18, 2012

Also, there's a well known Apache exploit when php is running as an apache module, that any occurrence of .php in the file name will cause php to be invoked for that file. The solution for this exploit is for the server to be configured to only invoke php when the .php occurs on the end of the requested filename.
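Points B), C) and D) from the earlier reply and the trailing-.php handler point above, combined in one added example that is mine, not code from this thread or from the site. `lock_down_replay_dir()` writes a .htaccess into the replay directory that denies every HTTP request and strips PHP handling from every file in it, so even if the directory were reachable, a file called `shell.php.w3g` would be served as bytes rather than executed; `resolve_replay()` and `send_replay()` are the download script from D). Assumptions: Apache with AllowOverride permitting Limit, AuthConfig, FileInfo and Options for that directory, a hypothetical `download.php` endpoint, and a storage path of `/home/rgc123/replays_private`.

```php
<?php
// Added example, not from the original thread.
// Assumptions: Apache 2.2 or 2.4 with AllowOverride Limit AuthConfig FileInfo
// Options for the replay directory; storage path is hypothetical.
declare(strict_types=1);

// Belt and braces: deny direct HTTP access, and should the directory ever be
// exposed anyway, make sure nothing in it is handed to the PHP engine.
const REPLAY_HTACCESS = <<<'HTACCESS'
# Deny all direct HTTP access (Apache 2.4 syntax, with a 2.2 fallback)
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
# Never execute server-side scripts here, whatever the file is called
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .php3 .php4 .php5 .phar
RemoveType    .php .phtml .php3 .php4 .php5 .phar
SetHandler default-handler
Options -ExecCGI -Indexes
HTACCESS;

/** Create the storage directory if needed and drop the lockdown .htaccess into it. */
function lock_down_replay_dir(string $dir): bool
{
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return false;
    }
    return file_put_contents($dir . '/.htaccess', REPLAY_HTACCESS, LOCK_EX) !== false;
}

/**
 * Map a request parameter to a file inside $dir, or return null.
 * The id is limited to a short alphanumeric token, ".w3g" is appended by us,
 * and the resolved path must still lie inside $dir (defeats ../ and symlinks).
 */
function resolve_replay(string $id, string $dir): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $id . '.w3g');
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Stream the replay as an opaque download; the browser must never render it inline. */
function send_replay(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// download.php?file=<id>  (hypothetical endpoint):
// $path = resolve_replay((string) ($_GET['file'] ?? ''), '/home/rgc123/replays_private');
// if ($path === null) { http_response_code(404); exit('No such replay'); }
// send_replay($path);
```

The .htaccess protects one directory only. The server-wide problem in the post above lives in httpd.conf: `AddHandler application/x-httpd-php .php` is applied by mod_mime to any dotted segment of a name, so `shell.php.w3g` runs as PHP; replacing it with `<FilesMatch "\.php$"> SetHandler application/x-httpd-php </FilesMatch>` makes the engine fire only when .php is the final extension, which is the configuration the reply recommends.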
Pikachu2000, posted October 18, 2012

There is no such thing as "urgent" on a free help forum. Your problem is no more important than anyone else's.