can you see how this was exploited .. help

roman
Forum Newbie
Posts: 2
Joined: Sat Nov 29, 2003 8:09 am

Post by roman »

//That is the source code of the php12.php file. I have only changed the name of all files that are linked with this one and I
//have removed some smaller stuff

<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
    // register: append a new "::user::nick::id" record to $target
    if ($HTTP_GET_VARS["action"]=="register"){
        if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
            $hfile = fopen($target, "a");
            $con_file = file_get_contents($target);
            if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
                $script='<script type="text/javascript">';
                $script.="alert(\"Sorry that nick already exist!\");";
                $script.='window.location.href="php12.php";';
                $script.='</script>';
                $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
                echo $html;
            }
            $nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
            $id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
            fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
            fclose($hfile);
            $script='<script type="text/javascript">';
            $script.="alert(\"You are registered now!\");";
            $script.='window.location.href="php12.php";';
            $script.='</script>';
            $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
            echo $html;
        }else{
            $script='<script type="text/javascript">';
            $script.="alert(\"You have to fill out the whole form!\");";
            $script.='window.location.href="php12.php";';
            $script.='</script>';
            $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
            echo $html;
        }
    }
    // login: scan $target line by line for a matching record
    if ($HTTP_GET_VARS["action"]=="login"){
        if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
            $hfile = fopen($target, "r");
            $i = 0;

            while (!feof ($hfile)){
                $line[$i] = fgets ($hfile, 1024);
                $cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
                if ($cntrl){
                    $len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
                    if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
                        header('Location:bbb.php');
                    }else{
                        header('Location:ccc.php');
                    }
                }
                $i += 1;
            }
            $script='<script type="text/javascript">';
            $script.="alert(\"Sorry but your nick or your ID are wrong!\");";
            $script.='window.location.href="php12.php";';
            $script.='</script>';
            $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
            echo $html;
        }
        else{
            echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
        }
    }
}else{

//some stuff

?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">

<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>
<?php
//some stuff
?>
<?php
}
?>
This is my new program. It looks really safe to me, but some days ago another guy found a way to get admin. I have no idea how he did it. Can you find it out for me? To help you, I give you the
Last edited by roman on Sat Nov 29, 2003 11:14 am, edited 1 time in total.
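The script stores each user as a "::"-delimited line and decides who is admin only by whether the matching line ends in "::admin", while the nick and ID are written into that line unvalidated, so any field that contains the delimiter or a line break changes the structure of the stored record. Below is an added, hardened version of the register and login logic (example code, not roman's script); the record layout "::user::nick::id" with a trailing "::admin" on the admin entry, the 20-character limit and the session user value are assumptions taken from the posted code.

```php
<?php
// Added example, not roman's script. Assumed record layout (from the posted code):
// one line per user, "::user::nick::id", with a trailing "::admin" on the admin entry.
declare(strict_types=1);
const RECORD_DELIM = '::';
// A field must be non-empty, at most 20 chars, and free of the record delimiter and
// line breaks; otherwise its value could forge extra fields in the stored line.
function validField(string $v): bool
{
    return $v !== '' && strlen($v) <= 20
        && strpos($v, RECORD_DELIM) === false && strpbrk($v, "\r\n") === false;
}
// Parse one stored line into named fields, or null if it is malformed.
function parseRecord(string $line): ?array
{
    $p = explode(RECORD_DELIM, rtrim($line, "\r\n"));   // leading "::" makes $p[0] === ''
    if (count($p) < 4 || count($p) > 5 || $p[0] !== '') {
        return null;
    }
    return ['user' => $p[1], 'nick' => $p[2], 'id' => $p[3],
            'admin' => count($p) === 5 && $p[4] === 'admin'];
}
function readRecords(string $file): array
{
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    return array_filter(array_map('parseRecord', $lines));
}
// Append a record; rejects bad fields and duplicate nicks instead of only warning.
// The admin marker is never written here, so registering cannot grant admin.
function registerUser(string $file, string $user, string $nick, string $id): bool
{
    if (!validField($user) || !validField($nick) || !validField($id)) return false;
    foreach (readRecords($file) as $r) {
        if ($r['nick'] === $nick) return false;
    }
    $line = RECORD_DELIM . implode(RECORD_DELIM, [$user, $nick, $id]) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}
// Returns 'admin', 'user' or null, comparing whole fields rather than substrings.
function loginRole(string $file, string $user, string $nick, string $id): ?string
{
    if (!validField($user) || !validField($nick) || !validField($id)) return null;
    foreach (readRecords($file) as $r) {
        if (hash_equals($r['user'], $user) && hash_equals($r['nick'], $nick)
            && hash_equals($r['id'], $id)) {
            return $r['admin'] ? 'admin' : 'user';
        }
    }
    return null;   // caller: header('Location: ...'); exit; so nothing runs after the redirect
}
```

In php12.php the role returned by loginRole() would select the redirect target, and each header('Location: ...') must be followed by exit so the rest of the script (and the "nick or ID wrong" page) is not still emitted after the redirect.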
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Is only one page going to send the POST vars to this script? If so I would add a referer checker.

<?php
$yourtrustedsite = "http://www.yoursite.com/form.html";
// stop if a client tries to hand in HTTP_REFERER as a GET or POST variable
if (isset($_GET['HTTP_REFERER']))
    exit;
if (isset($_POST['HTTP_REFERER']))
    exit;
// only continue when the Referer request header names the trusted form page
if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] != $yourtrustedsite)
    exit;
?>
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

REFERER might be spoofed. Do not trust it.
mchaggis
Forum Contributor
Posts: 150
Joined: Mon Mar 24, 2003 10:31 am
Location: UK

Post by mchaggis »

I can see no reference to passwords or suchlike; could they have just guessed that your admin user was ID 1 or 0?

Dunno, the code above seems incomplete, plus you have failed to tell us what happens next... If you want, post a URL and I'll take a pot shot at it and see if I can explain how this person did it.
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

It's not very safe anyway: the usernames (or nicks in this case) and the passwords look like they are stored in a .php file called aaa.php.

If this file simply contains a list of usernames and passwords then I imagine it could be loaded directly into the browser and viewed by anyone.

The actual script looks like a bit of a hack 'n slash job anyway, have you thought about using MySQL or something similar?
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Weirdan wrote: REFERER might be spoofed. Do not trust it.

I don't claim to be a security expert because I'm still learning new ways to secure my scripts daily, but wouldn't that snippet of code above prevent any REFERER spoofing?
mchaggis
Forum Contributor
Posts: 150
Joined: Mon Mar 24, 2003 10:31 am
Location: UK

Post by mchaggis »

No Sami, as the REFERER is just passed by the browser and is not actually set by any server; therefore, because it comes from the user, you cannot trust it.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I understand that, but if you eliminate any script execution if an attempt to pass the HTTP_REFERER variable through a POST or GET method is done, wouldn't it be somewhat more secure?