Jump to content

RFI Remote File Injection attempt

nelspruitdesign

By nelspruitdesign
in PHP Coding Help

 Share

Recommended Posts

nelspruitdesign Newbie

nelspruitdesign

Posted
Posted (edited)

According to my ISP this script is vulnerable to Remote File Injection attempt. I have sanitised all inputs, validated the inputs that are required, Can an input be validated and allowed to be NULL? What do I need to do to make this script bullet proof.

 

Also can anyone recommend a good supplier of VPS hosting services at reasonable prices that are not going to break my scripts with continuous changes to the server.

 

Please Help

 

<?

$logged = $_COOKIE["logged"];

$aka = $_COOKIE["aka"];

$suid = $_COOKIE["suid"];

If ($logged == 'yes') {

?>

<script type="text/javascript">

 

function checkForm(form)

{

// validation fails if the input is blank

if(form.dsho.value == '') {

alert("Error: Short Description is required!");

form.dsho.focus();

return false;

}

if(form.metad.value == '') {

alert("Error: metad is required!");

form.metad.focus();

return false;

}

 

if(form.titl.value == '') {

alert("Error: a Title is required!");

form.titl.focus();

return false;

}

 

 

// validation was successful

return true;

}

 

</script>

 

<?

$d = $_REQUEST["cat"];

$d = (mysql_real_escape_string($d));

$d = str_replace("&", "'", $d);

$d = str_replace("'", """, $d);

$d = str_replace("\"", "\", $d);

$d = str_replace("+", "+", $d);

 

$dsho = $_REQUEST["dsho"];

$dsho = (mysql_real_escape_string($dsho));

$dsho = str_replace("&", "'", $dsho);

$dsho = str_replace("'", """, $dsho);

$dsho = str_replace("\"", "\", $dsho);

$dsho = str_replace("+", "+", $dsho);

 

$titl = $_REQUEST["titl"];

$titl = (mysql_real_escape_string($titl));

$titl = str_replace("&", "'", $titl);

$titl = str_replace("'", """, $titl);

$titl = str_replace("\"", "\", $titl);

$titl = str_replace("+", "+", $titl);

 

$metad = $_REQUEST["metad"];

$metad = (mysql_real_escape_string($metad));

$metad = str_replace("&", "'", $metad);

$metad = str_replace("'", """, $metad);

$metad = str_replace("\"", "\", $metad);

$metad = str_replace("+", "+", $metad);

 

$tag = $_REQUEST["tag"];

$tag = (mysql_real_escape_string($tag));

$tag = str_replace("&", "'", $tag);

$tag = str_replace("'", """, $tag);

$tag = str_replace("\"", "\", $tag);

$tag = str_replace("+", "+", $tag);

 

$fb = $_REQUEST["fb"];

$fb = (mysql_real_escape_string($fb));

$fb = str_replace("&", "'", $fb);

$fb = str_replace("'", """, $fb);

$fb = str_replace("\"", "\", $fb);

$fb = str_replace("+", "+", $fb);

 

$twit = $_REQUEST["twit"];

$twit = (mysql_real_escape_string($twit));

$twit = str_replace("&", "'", $twit);

$twit = str_replace("'", """, $twit);

$twit = str_replace("\"", "\", $twit);

$twit = str_replace("+", "+", $twit);

 

$plus = $_REQUEST["plus"];

$plus = (mysql_real_escape_string($plus));

$plus = str_replace("&", "'", $plus);

$plus = str_replace("'", """, $plus);

$plus = str_replace("\"", "\", $plus);

$plus = str_replace("+", "+", $plus);

 

$flick = $_REQUEST["flick"];

$flick = (mysql_real_escape_string($flick));

$flick = str_replace("&", "'", $flick);

$flick = str_replace("'", """, $flick);

$flick = str_replace("\"", "\", $flick);

$flick = str_replace("+", "+", $flick);

 

$pin = $_REQUEST["pin"];

$pin = (mysql_real_escape_string($pin));

$pin = str_replace("&", "'", $pin);

$pin = str_replace("'", """, $pin);

$pin = str_replace("\"", "\", $pin);

$pin = str_replace("+", "+", $pin);

 

$yout = $_REQUEST["yout"];

$yout = (mysql_real_escape_string($yout));

$yout = str_replace("&", "'", $yout);

$yout = str_replace("'", """, $yout);

$yout = str_replace("\"", "\", $yout);

$yout = str_replace("+", "+", $yout);

 

$stumb = $_REQUEST["stumb"];

$stumb = (mysql_real_escape_string($stumb));

$stumb = str_replace("&", "'", $stumb);

$stumb = str_replace("'", """, $stumb);

$stumb = str_replace("\"", "\", $stumb);

$stumb = str_replace("+", "+", $stumb);

 

$linked = $_REQUEST["linked"];

$linked = (mysql_real_escape_string($linked));

$linked = str_replace("&", "'", $linked);

$linked = str_replace("'", """, $linked);

$linked = str_replace("\"", "\", $linked);

$linked = str_replace("+", "+", $linked);

 

$profile = $_REQUEST["profile"];

$profile = (mysql_real_escape_string($profile));

$profile = str_replace("&", "'", $profile);

$profile = str_replace("'", """, $profile);

$profile = str_replace("\"", "\", $profile);

$profile = str_replace("+", "+", $profile);

 

$spc = date("y/m/d", strtotime("+3 day"));

 

include ("../constants/constants.php");

$title = $dtitle;

$tags = $dtags;

$metadesc = $dmetadesc;

include ("../constants/header.php");

 

$sqlq = "SELECT * FROM xxxx WHERE id='".$suid."' LIMIT 0,1";

$objRS = mysql_query($sqlq);

while($row = mysql_fetch_array($objRS, MYSQL_ASSOC)){

$ident = $row['id'];

$addon = $row['addon'];

 

}

?>

<div id="contenti">

<div id="contwrap">

<div id="iwrap1">

<?

If ($dsho != NULL) {

$addon = $addon +5;

 

If ($profile != NULL) { $addon = $addon +3; }

If (strlen($profile) > 250) { $addon = $addon +3; }

If (strlen($profile) > 500) { $addon = $addon +3; }

If ($dsho != NULL) { $addon = $addon +2; }

If ($titl != NULL) { $addon = $addon +2; }

If ($tag != NULL) { $addon = $addon +2; }

If ($fb != NULL) { $addon = $addon +1; }

If ($twit != NULL) { $addon = $addon +1; }

If ($flick != NULL) { $addon = $addon +1; }

If ($plus != NULL) { $addon = $addon +1; }

If ($stumb != NULL) { $addon = $addon +1; }

If ($yout != NULL) { $addon = $addon +1; }

If ($pin != NULL) { $addon = $addon +1; }

If ($linked != NULL) { $addon = $addon +1; }

 

 

 

$upd = "UPDATE xxxx SET fb='".$fb."', twitter='".$twit."', plus='".$plus."', linked='".$linked."', youtube='".$yout."', flickr='".$flick."', stumble='".$stumb.", pinterest='".$pin."', Description='".$profile."', Dshort='".$dsho."', Title='".$titl."', Metadesc='".$metad."', MetaTag='".$tag."', econf='1', status='1', addon='".$addon."' WHERE id=".$suid;

mysql_query($upd);

 

$inserter = "INSERT INTO xxxx (co, sc) VALUES ('".$suid."', '".$d."')";

mysql_query($inserter);

 

?>

<div id="iwrap1d">

<h2>Success</h2>

Some text here

</div>

<div id="iwrap1e">

<h2>Entry Status</h2>

<?

If ($addon >= '45') {

echo "You have achieved the minimum content weighting and your profile is now published on xxxx";

} else {

echo "You have not yet achieved the minimum content weighting and your profile needs more work before it will be published. Your rating is ".$addon." percent, Click here to update more information";

 

}

} else {

 

?>

 

 

<div id="iwrap1d">

Hi <? echo $aka; ?>

Some text here

 

</div>

<div id="iwrap1e">

<h2>Update Profile</h2>

 

<h2>Update Company Details</h2>

Update your business details today.

<br />

<form name="Update" action="xxxx.php" onsubmit="return checkForm(this);" method="post">

Short Description : <input type="text" name="dsho" /><br />

In 85 Characters describe your core business.

<br /><br />

Title: <input type="text" name="tit1" /><br />

Up to 50 Characters What do you do and where? ie Plumber Nelspruit, Newts Drain and Plumb.

<br /><br />

SEO Description: <input type="text" name="metad" /><br />

Up to 160 Characters Describe your core business using keywords, sentences not just keywords.

<br /><br />

Tags: <input type="text" name="tag" /><br />

Up to 80 Characters Keywords that describe your service, comma seperated ie Plumber, Drain cleaning, Plumbing Maintenance, Plumbing Installations, Tap repairs

<br /><br />

 

<strong>Add Profile</strong><br />

No contact details, websites or email addresses to be added in this section. Type up a minimum of a 50 word Profile to describe the business and it's services. Add a keyword list. <a href="examples.php" target="_blank">To see a few good examples click here</a><br />

<textarea cols="40" rows="10" name="profile"></textarea><br /><br />

Select Category: <select name="cat">

<?

$sqld = "SELECT * FROM xxxx ORDER BY Name ASC";

$objRd = mysql_query($sqld);

while($rowd = mysql_fetch_array($objRd, MYSQL_ASSOC)) {

$si = $rowd['id'];

$sn = $rowd['Name'];

echo "<option value=".$si.">".$sn."</option>";

}?>

</select>

<br />

<strong>Social Media</strong><br />

Add your social media links here. <br />

Facebook Page: <input type="text" name="fb" /><br />

Twitter: <input type="text" name="twit" /><br />

Google Plus: <input type="text" name="plus" /><br />

Pinterest: <input type="text" name="pin" /><br />

You Tube: <input type="text" name="yout" /><br />

Linked In: <input type="text" name="linked" /><br />

Stumble Upon: <input type="text" name="stumb" /><br />

Flickr: <input type="text" name="flick" /><br />

 

 

<input type="submit" value="Register" />

<?

}

 

?>

</div></div></div>

<?

include ("../constants/rnav.php");

} else {

?>

<div align="center">

<form name="Log_In" action="xxxx.php" method="post">

Username (email): <input type="text" name="uname" /><br />

Password <input type="password" name="upass" /><br />

<input type="hidden" name="ref" value="../submit/xxxx.php?a=<? echo $a; ?>/" />

<input type="submit" value="Log In" />

 

<? } ?>

Edited by nelspruitdesign
Link to comment
Share on other sites
nelspruitdesign Newbie

nelspruitdesign

Posted
  • Author
Posted

This is the so called vulnerability, The input fields.. Does this make sense to anybody? This is the ISP's response to my query as to where they saw the vulnerability in the script?

 

 

 

Please check the following in xxxx.php:

 

<strong>Social Media</strong><br />

Add your social media links here. <br />

Facebook Page: <input type="text" name="fb" /><br />

Twitter: <input type="text" name="twit" /><br />

Google Plus: <input type="text" name="plus" /><br />

Pinterest: <input type="text" name="pin" /><br />

You Tube: <input type="text" name="yout" /><br />

Linked In: <input type="text" name="linked" /><br />

Stumble Upon: <input type="text" name="stumb" /><br />

Flickr: <input type="text" name="flick" /><br />

 

The above allows the attacker to use a URL for instance as http://example.com/phpshell.php. When the form is submitted the malicious script will be fetched remotely. It is therefore advisable to exclude URLs from forms starting with http:// or ftp://. If you need to get a URL from your users, don't ask them for the full URL plus prefix; have them input "www.example.com" rather than "http://www.example.com", and add the schema prefix on the front programatically if you need it.

 

Please let us know should you have any additional queries or if we may be of any further assistance.

Keep well and have a lovely day further :-)

Link to comment
Share on other sites
Christian F. Member

Christian F.

Posted
Posted

First off: Please use the [code][/code] tags around your code, as it helps make both your post and your code a lot easier to read.

 

Secondly: Use the full PHP tags, as the short tags usually are not supported/turn on by hosts.

 

Thirdly: You really should separate your output code and processing code. In other words, move all of the PHP code to the top of the script, before you echo out anything to the browser. Then use variables to hold the output, and echo it out wherever you need it.

 

Fourthly: While this just may be the editor on this forum that's messing, you should use proper indentation in your code. It, alongside with proper use of newlines, will make your code a lot easier to read and thus maintain.

 

I've also cleaned up your script a bit, added some proper indentation and the full PHP tags. Not to mention a few comments to highlight the problematic areas, and what you need to do to fix them.

<?php

// FIXME: Use sessions instead of cookies. Cookies can easily be altered by the user,
//		since they're just plain text files on the user's computer after all.
$logged = $_COOKIE["logged"];
$aka = $_COOKIE["aka"];
$suid = $_COOKIE["suid"];

// TODO: Revert the test logic, move the form from the bottom up here, and kill the script if not logged in.
if ($logged == 'yes') {
?>
<script type="text/javascript">
function checkForm(form)
{
// validation fails if the input is blank
if(form.dsho.value == '') {
	alert("Error: Short Description is required!");
	form.dsho.focus();
	return false;
}
if(form.metad.value == '') {
	alert("Error: metad is required!");
	form.metad.focus();
	return false;
}

if(form.titl.value == '') {
	alert("Error: a Title is required!");
	form.titl.focus();
	return false;
}

// validation was successful
return true;
}
</script>
<?php

// FIXME: Add proper validation here.
$d = $_REQUEST["cat"];
$dsho = $_REQUEST["dsho"];
$titl = $_REQUEST["titl"];
$metad = $_REQUEST["metad"];
$tag = $_REQUEST["tag"];
$fb = $_REQUEST["fb"];
$twit = $_REQUEST["twit"];
$plus = $_REQUEST["plus"];
$flick = $_REQUEST["flick"];
$pin = $_REQUEST["pin"];
$yout = $_REQUEST["yout"];
$stumb = $_REQUEST["stumb"];
$linked = $_REQUEST["linked"];
$profile = $_REQUEST["profile"];

// FIXME: Add handler for when validaton fails. Show form anew, with values pre-populated and error messages.

$spc = date ("y/m/d", strtotime ("+3 day"));

include ("../constants/constants.php");
$title = $dtitle;
$tags = $dtags;
$metadesc = $dmetadesc;
include ("../constants/header.php");

// FIXME: Use intval () to protect against SQL injections.
$sqlq = "SELECT * FROM xxxx WHERE id='".$suid."' LIMIT 0,1";
$objRS = mysql_query ($sqlq);
while ($row = mysql_fetch_array ($objRS, MYSQL_ASSOC)) {
	$ident = $row['id'];
	$addon = $row['addon'];

}

?>
<div id="contenti">
<div id="contwrap">
	<div id="iwrap1">
<?php

if ($dsho != NULL) {
	$addon = $addon + 5;

	if ($profile != NULL) {
		$addon = $addon + 3;
	}
	if (strlen ($profile) > 250) {
		$addon = $addon + 3;
	}
	if (strlen ($profile) > 500) {
		$addon = $addon + 3;
	}
	if ($dsho != NULL) {
		$addon = $addon + 2;
	}
	if ($titl != NULL) {
		$addon = $addon + 2;
	}
	if ($tag != NULL) {
		$addon = $addon + 2;
	}
	if ($fb != NULL) {
		$addon = $addon + 1;
	}
	if ($twit != NULL) {
		$addon = $addon + 1;
	}
	if ($flick != NULL) {
		$addon = $addon + 1;
	}
	if ($plus != NULL) {
		$addon = $addon + 1;
	}
	if ($stumb != NULL) {
		$addon = $addon + 1;
	}
	if ($yout != NULL) {
		$addon = $addon + 1;
	}
	if ($pin != NULL) {
		$addon = $addon + 1;
	}
	if ($linked != NULL) {
		$addon = $addon + 1;
	}

	// FIXME: Use real_escape_string () with sprintf () to protect against SQL injections.
	$upd = "UPDATE xxxx SET fb='".$fb."', twitter='".$twit."', plus='".$plus."', linked='".
			$linked."', youtube='".$yout."', flickr='".$flick."', stumble='".$stumb.", pinterest='".
			$pin."', Description='".$profile."', Dshort='".$dsho."', Title='".$titl."', Metadesc='".
			$metad."', MetaTag='".$tag."', econf='1', status='1', addon='".$addon."' WHERE id=".$suid;
	mysql_query ($upd);

	// FIXME: Use intval () to protect against SQL injections.
	$inserter = "INSERT INTO xxxx (co, sc) VALUES ('".$suid."', '".$d."')";
	mysql_query ($inserter);

	?>
		<div id="iwrap1d">
			<h2>Success</h2>
			Some text here
		</div>
		<div id="iwrap1e">
			<h2>Entry Status</h2>
<?php

	if ($addon >= '45') {
		echo "You have achieved the minimum content weighting and your profile is now published on xxxx";
	} else {
		// FIXME: Use htmlspecialchars () to prevent HTML injections.
		echo "You have not yet achieved the minimum content weighting and your profile needs more work before ".
				"it will be published. Your rating is ".$addon." percent, Click here to update more information";
	}
} else {
	?>
		<div id="iwrap1d">
			Hi <?php echo $aka; ?>
			Some text here
		</div>
		<div id="iwrap1e">
			<h2>Update Profile</h2>
			<h2>Update Company Details</h2>

			Update your business details today. <br />
			<form name="Update" action="xxxx.php" onsubmit="return checkForm(this);" method="post">
				Short Description : <input type="text" name="dsho" /><br />
				In 85 Characters describe your core business. <br />
				<br />
				Title: <input type="text" name="tit1" /><br />
				Up to 50 Characters What do you do and where? ie Plumber Nelspruit,
				Newts Drain and Plumb. <br />
				<br />
				SEO Description: <input type="text" name="metad" /><br />
				Up to 160 Characters Describe your core business using keywords,
				sentences not just keywords. <br />
				<br />
				Tags: <input type="text" name="tag" /><br />
				Up to 80 Characters Keywords that describe your service, comma seperated
				ie Plumber, Drain cleaning, Plumbing Maintenance, Plumbing
				Installations, Tap repairs <br />
				<br />
				<strong>Add Profile</strong><br />
				No contact details, websites or email addresses to be added in this
				section. Type up a minimum of a 50 word Profile to describe the business
				and it's services. Add a keyword list. <a href="examples.php"
					target="_blank">To see a few good examples click here</a><br />
				<textarea cols="40" rows="10" name="profile"></textarea><br />
				<br />
				Select Category: <select name="cat">
<?php

	$sqld = "SELECT * FROM xxxx ORDER BY Name ASC";
	$objRd = mysql_query ($sqld);
	while ($rowd = mysql_fetch_array ($objRd, MYSQL_ASSOC)) {
		$si = $rowd['id'];
		$sn = $rowd['Name'];
		// FIXME: Use htmlspecialchars () to prevent HTML-injections.
		echo "<option value=".$si.">".$sn."</option>";
	}
	?>
				</select> <br />
				<strong>Social Media</strong><br />
				Add your social media links here. <br />
				Facebook Page: <input type="text" name="fb" /><br />
				Twitter: <input type="text" name="twit" /><br />
				Google Plus: <input type="text" name="plus" /><br />
				Pinterest: <input type="text" name="pin" /><br />
				You Tube: <input type="text" name="yout" /><br />
				Linked In: <input type="text" name="linked" /><br />
				Stumble Upon: <input type="text" name="stumb" /><br />
				Flickr: <input type="text" name="flick" /><br />
				<input type="submit" value="Register" />
<?php
}

?>   
			</div>
		</div>
	</div>
<?php

include ("../constants/rnav.php");
} else {
?>  
	<div align="center">
	<form name="Log_In" action="xxxx.php" method="post">
		Username (email): <input type="text" name="uname" /><br />
		Password <input type="password" name="upass" /><br />
		<!-- FIXME: Why this hidden input field? I'm betting that it's in the xxx.php page that the RSI is found!
					Also, use htmlspecialchars () to prevent against HTML injections, plus rawurlescape() since
					the output is a part of an URL. URL escaping first, then HTML. -->
		<input type="hidden" name="ref" value="../submit/xxxx.php?a=<?php echo $a; ?>/" />
		<input type="submit" value="Log In" />
<?php
}
?>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.