can you see how this was exploited .. help
Posted: Sat Nov 29, 2003 8:09 am
/That is the sourcecode of the php12.php file. I have only changed the name of all files that are linked with this one and I
//have removed some smaller stuff
<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;
while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
$script='<script type="text/javascript">';
$script.="alert(\"Sorry but your nick or your ID are wrong!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}else{
//some stuff
?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">
<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>
<?php
//some stuff
?>
<?php
}
?>
This is my new programm. It looks really save for me but some days ago, an other guy found a way to get admin . I have no idea how he did it. Can you find it out for me? To help you, I give you the
//have removed some smaller stuff
<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;
while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
$script='<script type="text/javascript">';
$script.="alert(\"Sorry but your nick or your ID are wrong!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}else{
//some stuff
?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">
<tr>
<td align="center" class="text">
<br /><input type="text" value="nick" name="nick" maxlength="20" size="20" class="challenge_edit">
<br /><input type="text" value="ID" name="id" maxlength="20" size="20" class="challenge_edit">
<br /><input type="radio" name="action" value="register">register
<br /><input type="radio" name="action" value="login">login
<br /><br />
<input type=submit class="challenge_submit" value="Execute">
<br /><br />
</td>
</tr>
</table>
</form>
<?php
//some stuff
?>
<?php
}
?>
This is my new programm. It looks really save for me but some days ago, an other guy found a way to get admin . I have no idea how he did it. Can you find it out for me? To help you, I give you the