
can you see how this was exploited .. help

Posted: Sat Nov 29, 2003 8:09 am
by roman
//That is the source code of the php12.php file. I have only changed the names of all files that are linked with this one and I
//have removed some smaller stuff

<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])) {
    if ($HTTP_GET_VARS["action"] == "register") {
        if (isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])) {
            $hfile = fopen($target, "a");
            $con_file = file_get_contents($target);
            if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])) {
                $script = '<script type="text/javascript">';
                $script .= "alert(\"Sorry that nick already exist!\");";
                $script .= 'window.location.href="php12.php";';
                $script .= '</script>';
                $html = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
                echo $html;
                // there is no exit here, so a duplicate nick is still appended below
            }
            // truncated to 20 characters, then urldecoded again (PHP has already
            // decoded $HTTP_GET_VARS); the values go into the record as-is
            $nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
            $id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
            fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
            fclose($hfile);
            $script = '<script type="text/javascript">';
            $script .= "alert(\"You are registered now!\");";
            $script .= 'window.location.href="php12.php";';
            $script .= '</script>';
            $html = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
            echo $html;
        } else {
            $script = '<script type="text/javascript">';
            $script .= "alert(\"You have to fill out the whole form!\");";
            $script .= 'window.location.href="php12.php";';
            $script .= '</script>';
            $html = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
            echo $html;
        }
    }
    if ($HTTP_GET_VARS["action"] == "login") {
        if (isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])) {
            $hfile = fopen($target, "r");
            $i = 0;

            while (!feof($hfile)) {
                $line[$i] = fgets($hfile, 1024);
                // strstr(): an unanchored substring match against the raw line
                $cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
                if ($cntrl) {
                    $len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
                    // admin is decided by whether the line ends in "::admin";
                    // header() is not followed by exit, so the loop keeps running
                    if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len) == "::admin") {
                        header('Location:bbb.php');
                    } else {
                        header('Location:ccc.php');
                    }
                }
                $i += 1;
            }
            $script = '<script type="text/javascript">';
            $script .= "alert(\"Sorry but your nick or your ID are wrong!\");";
            $script .= 'window.location.href="php12.php";';
            $script .= '</script>';
            $html = '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
            echo $html;
        } else {
            echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
        }
    }
} else {

//some stuff

?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">

<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>
<?php
//some stuff
?>
<?php
}
?>
This is my new program. It looks really safe to me, but some days ago another guy found a way to get admin. I have no idea how he did it. Can you find it out for me? To help you, I give you the
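The following is an added example and not code from the thread: a Python model of the string logic in the posted PHP (register appends "::user::nick::id\n" verbatim; login does an unanchored strstr() for "::user::nick::id" and then treats a line as admin when the 7 characters before its newline are "::admin"), placed next to a hardened variant. It shows what a reading of the posted code implies: because $id is written into the "::"-separated record unescaped, registering with an id that itself ends in "::admin" and then logging in with only the part before it produces a line the admin check accepts. The session user name 'roman', the hand-made admin line, and the nicks and ids are constructed for the demo and are not on the page; php_substr() reproduces PHP's substr() for the start/length values the posted check can produce.

```python
"""Model of the posted register/login string logic, and a hardened variant.
Added example, not code from the thread. Constructed for the demo (not on
the page): session user 'roman', one hand-made admin line, all nicks/ids."""
import hmac
import json
from urllib.parse import unquote

SEP = "::"


def php_substr(s: str, start: int, length: int) -> str:
    """PHP substr() semantics for the start/length values the posted check uses."""
    n = len(s)
    if start < 0:
        start = max(n + start, 0)
    if start >= n:
        return ""
    if length < 0:                      # negative length: drop that many from the end
        end = n + length
        return s[start:end] if end > start else ""
    return s[start:start + length]


# ---- the posted logic: one "::user::nick::id\n" line per account ----------
def register_vuln(lines, session_user, nick, id_):
    nick = unquote(nick[:20])           # substr(0,20) then urldecode, as posted
    id_ = unquote(id_[:20])             # (a second decode: PHP already decoded $_GET)
    lines.append(f"{SEP}{session_user}{SEP}{nick}{SEP}{id_}\n")


def login_vuln(lines, session_user, nick, id_):
    needle = f"{SEP}{session_user}{SEP}{nick}{SEP}{id_}"
    target = None
    for line in lines:
        if needle in line:              # strstr(): unanchored substring match
            n = len(line)
            # substr($line, strlen-8, strlen-1-$len) == "::admin"
            tail = php_substr(line, n - 8, n - 1 - len(needle))
            # header('Location: ...') is not followed by exit and header()
            # replaces a same-named header, so the last matching line decides
            target = "bbb.php" if tail == "::admin" else "ccc.php"
    return target                       # None: "nick or ID are wrong"


# ---- hardened: self-describing records, exact field comparison, role set by code
def register_safe(lines, session_user, nick, id_, role="user"):
    # role is a code-side decision here; it must never come from the request
    record = {"user": session_user, "nick": nick[:20], "id": id_[:20], "role": role}
    lines.append(json.dumps(record) + "\n")   # "::" or "\n" in input is just data


def _eq(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())


def login_safe(lines, session_user, nick, id_):
    for line in lines:
        try:
            r = json.loads(line)
        except ValueError:
            continue                    # a malformed line never grants anything
        if (_eq(r.get("user", ""), session_user) and _eq(r.get("nick", ""), nick)
                and _eq(r.get("id", ""), id_)):
            return "bbb.php" if r.get("role") == "admin" else "ccc.php"
    return None


def demo():
    user = "roman"                      # assumed session user
    # constructed: the one legitimate admin line in the posted format
    lines = [f"{SEP}{user}{SEP}boss{SEP}s3cret{SEP}admin\n"]
    register_vuln(lines, user, "eve", "x::admin")       # id smuggles the separator
    vuln_result = login_vuln(lines, user, "eve", "x")   # log in with the short id

    safe_lines = []
    register_safe(safe_lines, user, "boss", "s3cret", role="admin")
    register_safe(safe_lines, user, "eve", "x::admin")
    safe_result = login_safe(safe_lines, user, "eve", "x")       # no match
    safe_admin = login_safe(safe_lines, user, "boss", "s3cret")  # real admin
    return vuln_result, safe_result, safe_admin


if __name__ == "__main__":
    print(demo())                       # ('bbb.php', None, 'bbb.php')
```

The hardened half keeps the plain-text id only to stay comparable with the posted code; a real fix would also store a salted hash of it and keep the credentials file outside the web root, which is the separate point raised later in the thread.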

Posted: Sat Nov 29, 2003 9:17 am
by m3mn0n
Is only one page going to send the POST vars to this script? If so, I would add a referer checker.


<?php
$yourtrustedsite = "http://www.yoursite.com/form.html";
// a GET/POST parameter named HTTP_REFERER is an ordinary request value, not the header
if ($_GET['HTTP_REFERER'])
          exit;
if ($_POST['HTTP_REFERER'])
          exit;
// $_SERVER['HTTP_REFERER'] is the Referer header exactly as the client sent it
if ($_SERVER['HTTP_REFERER'] != $yourtrustedsite)
           exit;
?>

Posted: Sat Nov 29, 2003 10:55 am
by Weirdan
REFERER might be spoofed. Do not trust it.

Posted: Sat Nov 29, 2003 12:20 pm
by mchaggis
I can see no reference to passwords or suchlike; could they have just guessed that your admin user was ID 1 or 0?

Dunno, the code above seems incomplete, plus you have failed to tell us what happens next... If you want, post a URL and I'll take a pot shot at it and see if I can explain how this person did it.

Posted: Sat Nov 29, 2003 1:34 pm
by Gen-ik
It's not very safe anyway... the usernames (or nicks in this case) and the passwords look like they are stored in a .php file called aaa.php.

If this file simply contains a list of usernames and passwords then I imagine it could be loaded directly into the browser and viewed by anyone.

The actual script looks like a bit of a hack 'n slash job anyway; have you thought about using MySQL or something similar?

Posted: Sat Nov 29, 2003 1:44 pm
by m3mn0n
Weirdan wrote: REFERER might be spoofed. Do not trust it.
I don't claim to be a security expert because I'm still learning new ways to secure my scripts daily, but wouldn't that snippet of code above prevent any REFERER spoofing?

Posted: Sat Nov 29, 2003 3:28 pm
by mchaggis
No sami, as the REFERER is just passed by the browser and is not actually set by any server; therefore, because it comes from the user, you cannot trust it.

Posted: Sat Nov 29, 2003 9:46 pm
by m3mn0n
I understand that, but if you stop script execution whenever an attempt is made to pass the HTTP_REFERER variable through POST or GET, wouldn't it be somewhat more secure?