/That is the sourcecode of the php12.php file. I have only changed the name of all files that are linked with this one and I
//have removed some smaller stuff
<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;
while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
$script='<script type="text/javascript">';
$script.="alert(\"Sorry but your nick or your ID are wrong!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}else{
//some stuff
?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">
<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>
<?php
//some stuff
?>
<?php
}
?>
This is my new programm. It looks really save for me but some days ago, an other guy found a way to get admin . I have no idea how he did it. Can you find it out for me? To help you, I give you the
can you see how this was exploited .. help
Moderator: General Moderators
can you see how this was exploited .. help
Last edited by roman on Sat Nov 29, 2003 11:14 am, edited 1 time in total.
Is only one page going to send the POST vars to this script? If so I would add a referer checker.
Code: Select all
<?php
$yourtrustedsite = "http://www.yoursite.com/form.html";
if ($_GET['HTTP_REFERER'])
exit;
if ($_POST['HTTP_REFERER'])
exit;
if ($_SERVER['HTTP_REFERER'] != $yourtrustedsite)
exit;
?>I can see no reference to passwords or such like, this could they have just guessed that your admin user was ID 1 or 0??
Dunno, the code above seems incomplete, plus you have failed to tell us what happens next... If you want post a URL and I'll take a pop shot at it and see if I can explain how this person did it?
Dunno, the code above seems incomplete, plus you have failed to tell us what happens next... If you want post a URL and I'll take a pop shot at it and see if I can explain how this person did it?
It's not very safe anyway.. the usernames (or nicks in this case) and the passwords look like they are stored in a .php file called aaa.php.
If this file simply contains a list of usernames and passwords then I imagine it could be loaded directly into the browser and viewed by anyone.
The actual script looks like a bit of a hack 'n slash job anyway, have you thought about using MySQL or something similar?
If this file simply contains a list of usernames and passwords then I imagine it could be loaded directly into the browser and viewed by anyone.
The actual script looks like a bit of a hack 'n slash job anyway, have you thought about using MySQL or something similar?