
PHP to HTML/Form data help


BigalG


SORRY THIS SHOULD BE IN HTML HELP!
Hi there. I've been working on a web hosting script to detect hackers. It's working well, but now I'm at the stage of actioning the web page results; e.g. after the script completes, it emails and saves to a file, but I'd also like the results that are showing on the web page HTML'd so the user can edit and/or delete corrupted files.
Below I get a bunch of files with paths. What is needed is to convert the filename to a clickable URL that, when clicked, instantiates something (my editing script). Also I need a checkbox next to each file, so that when several files are checked, a final [delete all] button starts the delete process on the selected files.
In other words, can anyone help with code like <html ------$filename-------------------[checkbox]/html> // for each file in the list
And if possible, code for a [delete all] that lets me get the checked items to send to the delete function.
 
Thanks kindly. Al.
 
// each of the lines below is echoed with the filename in a loop, e.g. echo $file.'<br>';
15 Possibly infected Files in ./ and below
./index.php
./bludit/index.php
./bludit/cgi-bin/dump.php
./bludit/bl-themes/include.php
./bludit/bl-kernel/admin/controllers/settings.php
./bludit/bl-kernel/admin/controllers/logout.php
./bludit/bl-kernel/admin/controllers/edit-post.php
./bludit/bl-kernel/admin/themes/system20.php
./bludit/bl-kernel/admin/views/cache.php
./bludit/bl-kernel/admin/views/manage-posts.php
./bludit/bl-kernel/helpers/session.class.php
./bludit/files.php
./bludit/start.php
./bludit/bl-content/databases/plugins/disqus/general.php
./bludit/bl-plugins/CustomImageDimensions/plugin.php
...............................................
Scan ended; writing to file and email

Edited by BigalG

We can try:

<a href="?action=edit&file=bludit%2Fstart%2Ephp">bludit/start.php</a>

When including the list in the output, you might want to urlencode() the query strings.

 

Surround all those links with <form> tags, add an <input type="checkbox" name="delete" value="bludit%2Fstart%2Ephp"> next to each link, add a submit button and there you are!


The whole approach sounds strange.

 

First off, a web-facing script with write access to critical files will be a very juicy target for the very people you're trying to protect yourself from. PHP scripts are notoriously difficult to secure, so you'll quickly end up decreasing your overall protection.

 

Secondly, scanning files with some home-made “hacker detection” script and relying on laymen(?) to simply delete the files is just not appropriate. Script infections are very serious and can compromise large parts of the system. This requires a professional admin or security expert with SSH access to the system.

 

If your server is regularly infected, you definitely need to revise your security concept. For example, core scripts and directories shouldn't even be writable.

Edited by Jacques1

The whole approach sounds strange.

 

Of course the script has password protection, and permission 600.

I have killed an extensive hacking effort on my website using this.

Originally the WordPress sites were protected by various utilities which didn't help a bit.

I'm careful with security, having been in the security business for several years; I can't say I'm perfect, but good enough.

Anyway, thanks for your concern; I hear what you're saying, but I believe this will be a useful free utility.

Regards,

Alistair.


We can try:

<a href="?action=edit&file=bludit%2Fstart%2Ephp">bludit/start.php</a>

When including the list in the output, you might want to urlencode() the query strings.

 

Surround all those links with <form> tags, add an <input type="checkbox" name="delete" value="bludit%2Fstart%2Ephp"> next to each link, add a submit button and there you are!

Thank you.


Of course the script has password protection, and permission 600.

 

Why make the webserver the owner of the script and give it write access? The webserver only needs read access, so it should have nothing but that.

 

And what about CSRF protection? Clickjacking protection in every variation? File traversal protection? etc.

 

I know a bit about PHP, and even I wouldn't be comfortable writing this script. If at all, I'd write a CLI tool.

 

 

 

Originally the wordpress sites were protected by various utilities which didnt help a bit.

 

I'm not really talking about utilities, rather classical system administration: Read-only application infrastructures, multiple PHP-FPM pools running under different Unix accounts, Linux containers so that you can reduce the damage and quickly go back to a sane state (without manual “clean-ups”).

 

Sure, that may be less fun than writing a tool. But I believe it's much more effective.


Sorry Jacques, I'm only going on my own experience. Anyone who uses cPanel should have reasonable backup experience, and if not, shouldn't be running their host service IMHO. With hands-on experience of a hacker's attack I know what's needed to sort it, and if my efforts go some way towards stopping these time wasters then I've achieved my goal. What you say is valid and appreciated.


We can try:

<a href="?action=edit&file=bludit%2Fstart%2Ephp">bludit/start.php</a>

When including the list in the output, you might want to urlencode() the query strings.

 

Surround all those links with <form> tags, add an <input type="checkbox" name="delete" value="bludit%2Fstart%2Ephp"> next to each link, add a submit button and there you are!

Any chance of a bit more help?

I have this:

                ?>
                <html>
                    <a href="?action=EDIT<?php echo $file; ?>"><?php echo $file; ?></a>
                    <input type="checkbox" name="DELETE" value=<?php echo $file; ?>>
                    <br>
                </html>
                <?php

and this to bring the buttons in to play:

if (count($files) > 0) :
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
    if (isset($_POST['btn_fix'])) {
            fix_files($files);
            die();
    }
    //elseif (isset($_POST['btn_edit']) && $file!='') editfile($file);
    elseif (isset($_POST['EDIT']) && $file!='') editfile($file);
}
    print_files($files);
    ?>
    <form method="post" action="">
        <p>
            <label for="fix">
                <input type="hidden" name="do_fix" value="1" />
                Fix File(s): <input type="submit" name="btn_fix" value="FIX" onclick="
                    var ret1 = confirm('Have you backed up your existing files?');
                    var ret2 = confirm('Clicking OK means you take full responsibility for any losses; [FIX] can corrupt.');
                    return ret1 && ret2;
                                  " />
            </label>
                <label for="EDIT">
                <input type="hidden" name="EDIT" value="2" />
                EDIT/VIEW File: <input type="submit"  name="btn_edit" value="EDIT" onclick="
                    var ret3 = confirm('Have you backed up your existing files?');
                    return ret3;
                                  " />
            </label>
        </p>
    </form>
<?php

I'm getting the following from a file click, e.g.:

http://localhost/test/hostingscan.php?action=EDIT./bludit/bl-kernel/boot/rules/70.posts.php

 

What I'm trying to figure out is, when the action=EDIT above is clicked, how do I pick that up in the form?

Also, when the DELETE button is pressed, how do I get the file values from the selected items in

<input type="checkbox" name="DELETE" value=<?php echo $file; ?>>

 

If you have the time, much appreciated.


I have been following this thread from the beginning. What you have is an XY problem. See my signature for an explanation. You claim to have been in security for several years yet you don't even know the most basic of form handling and you're attempting to write some anti-hacking script?

 

Whatever you're trying to solve is not the problem and your approach is just nonsense.

 

Why don't you tell us what the actual real problem is exactly, not your attempted solution to it.

Edited by benanamen

This is also a textbook example of insecure programming. The above code fragment alone is vulnerable to XSS, CSRF, replay attacks and probably path traversals. In fact, you don't even know what you're deleting. There is no hash or checksum of any kind to tell you whether the file you're about to remove is actually the one you've scanned. It might have a completely different content.

 

I understand your goal. But the approach you've chosen is so fundamentally flawed both on a conceptual and technical level that it's effectively malware itself. This has nothing to do with personal opinions. It's about technical facts.

 

If you're willing to put the code aside and re-evaluate the original problem as benanamen suggested, I'm sure we can help. You could also just keep sending mails and not mess the files. But we can't help people put their users at risk.

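The checks Jacques1 names in his two replies above (CSRF, path traversal, and knowing what you are actually deleting), written out as an added example. This is not code from the thread; the function names, the manifest layout and the temp-directory demo are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: the three checks named in the replies above
// before a web-facing tool acts on a path that arrived in a form.
//   1. CSRF: the POST must carry a token that only our own session's form could know.
//   2. Path traversal: the submitted name must resolve to a regular file under the scan root.
//   3. Staleness: the file must still hash to what it hashed to when it was scanned.
// Function names, the manifest layout and the temp-directory demo are assumptions.

declare(strict_types=1);

// 1. CSRF token: one per session, compared in constant time.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_token_valid(array $session, ?string $submitted): bool
{
    return isset($session['csrf'], $submitted) && hash_equals($session['csrf'], $submitted);
}

// 2. Path confinement: canonicalise, then require the result to sit inside $root.
function resolve_under_root(string $root, string $relative): ?string
{
    $rootReal  = realpath($root);
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against root plus a separator so "/var/www2" is not accepted for "/var/www".
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// 3a. At scan time, record a digest of every flagged file ...
function build_manifest(string $root, array $relativePaths): array
{
    $manifest = [];
    foreach ($relativePaths as $rel) {
        $abs = resolve_under_root($root, $rel);
        if ($abs !== null) {
            $manifest[$rel] = hash_file('sha256', $abs);
        }
    }
    return $manifest;
}

// 3b. ... and at delete time refuse anything unscanned, moved, or modified since.
function delete_if_unchanged(string $root, array $manifest, string $relative): string
{
    $abs = resolve_under_root($root, $relative);
    if ($abs === null) {
        return 'refused: outside scan root or not a regular file';
    }
    if (!isset($manifest[$relative])) {
        return 'refused: not in the scan report';
    }
    $now = hash_file('sha256', $abs);
    if ($now === false || !hash_equals($manifest[$relative], $now)) {
        return 'refused: content changed since scan';
    }
    return unlink($abs) ? 'deleted' : 'failed: unlink';
}

// Demo in a throwaway directory so the example runs offline.
$root = sys_get_temp_dir() . '/scanroot-' . bin2hex(random_bytes(4));
mkdir("$root/bludit", 0700, true);
file_put_contents("$root/bludit/start.php", "<?php // flagged by the scan\n");
file_put_contents("$root/index.php", "<?php // clean\n");

$session  = [];
$token    = issue_csrf_token($session);
$manifest = build_manifest($root, ['bludit/start.php']);

// Constructed POST bodies: a forged request, a traversal attempt plus an unscanned file, a valid one.
$requests = [
    ['csrf' => 'forged', 'DELETE' => ['bludit/start.php']],
    ['csrf' => $token,   'DELETE' => ['../../etc/passwd', 'index.php']],
    ['csrf' => $token,   'DELETE' => ['bludit/start.php']],
];
foreach ($requests as $i => $post) {
    if (!csrf_token_valid($session, $post['csrf'] ?? null)) {
        echo "request $i: rejected, bad CSRF token\n";
        continue;
    }
    foreach ($post['DELETE'] as $rel) {
        echo "request $i: $rel => " . delete_if_unchanged($root, $manifest, $rel) . "\n";
    }
}

@unlink("$root/index.php"); @rmdir("$root/bludit"); @rmdir($root);
```

The per-session token stops a cross-site form post but not a replay of a captured request within the same session; a per-form nonce that is consumed on first use closes that too. Clickjacking is handled outside this snippet by sending `X-Frame-Options: DENY` (or a `frame-ancestors` CSP directive) with the page, and the edit action should be a POST as well, since a GET that changes state is the same CSRF problem again.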

I would like to close this conversation by adding that you gentlemen have no idea of where or how this script will be implemented.

Did I say the script was live on the server, or active or passive on the server, or in fact on a server at all?

Did I say I was a security programmer? There are many hats in the security world.

You are both full of assumptions and criticisms. I'm an older programmer who has very limited knowledge of HTML and mediocre PHP and simply came here for a bit of code help. You both are keen to lambast with your superior knowledge.

I'm outta here.


I suggested:

<a href="?action=edit&file=bludit%2Fstart%2Ephp">bludit/start.php</a>

and this is what is being attempted:

<a href="?action=EDIT<?php echo $file; ?>"><?php echo $file; ?></a>

which gives you:

?action=EDIT./bludit/bl-kernel/boot/rules/70.posts.php

The &file= is missing, unless it is included as part of $file. Since the leading dot-slash seems to be common for every item in the report, my suggestion did not include that, and also suggested that the data to populate the HTML link be urlencode()'d.

 

Having a collection of checkboxes with the same name sometimes gets you an array, but sometimes gets you a scalar. To make sure we get an array of selected files to delete - one or more than one - we add brackets to the name.

<input type="checkbox" name="DELETE[]" value="<?php echo htmlspecialchars($file); ?>"> <!-- do not forget to use quotes for the value attribute -->

If the form is POSTed, PHP gives you $_POST['DELETE'] as an array of selected checkbox values.

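Putting the two replies above together (the edit link with a urlencode()'d file parameter from the first reply, and the DELETE[] checkbox array from the last one) as an added example. This is not code from the thread; print_file_form(), selected_for_deletion(), requested_edit_file(), the hidden csrf field and the sample report lines are choices made for the example.

```php
<?php
// Added example, not code from the thread: the scan report rendered as a form the way
// the replies above describe. Each path becomes an edit link carrying the file in a
// urlencode()'d "file" parameter, plus a checkbox named DELETE[] so PHP always hands
// the handler an array. Function names and the hidden csrf field are choices for this example.

declare(strict_types=1);

// The report prints paths as "./bludit/start.php"; carry them without the leading "./".
function strip_dot_slash(string $path): string
{
    return strncmp($path, './', 2) === 0 ? substr($path, 2) : $path;
}

// One checkbox and one link per file. urlencode() protects the query string (its output
// contains no HTML-significant characters); htmlspecialchars() protects the attribute
// value and the visible link text against XSS from a hostile filename.
function print_file_form(array $files, string $csrfToken): string
{
    $html  = "<form method=\"post\" action=\"\">\n";
    $html .= '<input type="hidden" name="csrf" value="'
           . htmlspecialchars($csrfToken, ENT_QUOTES, 'UTF-8') . "\">\n";
    foreach ($files as $file) {
        $rel  = strip_dot_slash($file);
        $safe = htmlspecialchars($rel, ENT_QUOTES, 'UTF-8');
        $html .= sprintf(
            "<input type=\"checkbox\" name=\"DELETE[]\" value=\"%s\"> <a href=\"?action=edit&amp;file=%s\">%s</a><br>\n",
            $safe,
            urlencode($rel),
            $safe
        );
    }
    $html .= "<input type=\"submit\" name=\"btn_delete\" value=\"Delete selected\">\n</form>\n";
    return $html;
}

// On POST the ticked values arrive as $_POST['DELETE'], an array; the key is absent
// when nothing was ticked, so normalise to a list of strings before acting on it.
function selected_for_deletion(array $post): array
{
    $raw = $post['DELETE'] ?? [];
    return is_array($raw) ? array_values(array_filter($raw, 'is_string')) : [];
}

// Reading the edit link back on the next request: PHP has already percent-decoded
// $_GET['file'], so the handler sees "bludit/start.php" and must still confine it to
// the scan root before opening it.
function requested_edit_file(array $get): ?string
{
    if (($get['action'] ?? null) !== 'edit' || !is_string($get['file'] ?? null)) {
        return null;
    }
    return $get['file'];
}

// Constructed report lines in the shape of the original post's output.
$files = [
    './index.php',
    './bludit/start.php',
    './bludit/bl-kernel/helpers/session.class.php',
];
echo print_file_form($files, 'example-token');

// What the browser submits when two boxes are ticked, and what the handler gets back.
$post = [
    'csrf'       => 'example-token',
    'DELETE'     => ['bludit/start.php', 'index.php'],
    'btn_delete' => 'Delete selected',
];
print_r(selected_for_deletion($post));

// What the handler gets after the second link is clicked.
var_dump(requested_edit_file(['action' => 'edit', 'file' => 'bludit/start.php']));
```

Two escaping functions for two contexts: urlencode() for the value that travels inside a URL, htmlspecialchars() for anything placed into HTML. The relative path that comes back in DELETE[] or in the file parameter is still untrusted input and has to be resolved under the scan root before anything is opened or unlinked.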

 

Thanks so much; the checkbox info will be a great help, as did your previous post. I've spent today figuring out POST/GET with PHP, though I understand PHP and HTML shouldn't be mixed together if possible, so once the box of bolts gets working, then it's on to getting the methods to work more securely.

Got it working as far as file edit goes: by clicking on any file it gets into edit mode with a very small no-frills PHP editor, and allows modifying and saving the edited file appropriately.

I'll post my work up here in the next days and any (constructive) criticisms appreciated.

 

Happy New Year - its tonight here!

