How Did someone get admin on my login script look at it and

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

roman
Forum Newbie
Posts: 2
Joined: Sat Nov 29, 2003 8:09 am

How Did someone get admin on my login script look at it and

Post by roman »

That is the source code of the php12.php file. I have only changed the names of all files that are linked with this one, and I have removed some smaller stuff.

<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
$script='<script type="text/javascript">';
$script.="alert(\"Sorry but your nick or your ID are wrong!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}else{

//some stuff

?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">

This is my new program. It looks really safe to me, but some days ago someone found a way to get admin. I have no idea how he did it. Can you see how it was done? Here is some of the script.
microthick
Forum Regular
Posts: 543
Joined: Wed Sep 24, 2003 2:15 pm
Location: Vancouver, BC

Post by microthick »

Just making more readable. No code changes.

Code:

<?php

//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
 if ($HTTP_GET_VARS["action"]=="register"){
  if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
     $hfile = fopen($target, "a");
     $con_file = file_get_contents($target);
     if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
       $script='<script type="text/javascript">';
       $script.="alert(\"Sorry that nick already exist!\");";
       $script.='window.location.href="php12.php";';
       $script.='</script>';
       $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
       echo $html;
     }
     $nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
     $id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
     fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
     fclose($hfile);
     $script='<script type="text/javascript">';
     $script.="alert(\"You are registered now!\");";
     $script.='window.location.href="php12.php";';
     $script.='</script>';
     $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
     echo $html;
  }else{
     $script='<script type="text/javascript">';
     $script.="alert(\"You have to fill out the whole form!\");";
     $script.='window.location.href="php12.php";';
     $script.='</script>';
     $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
     echo $html;
  }
 }
 if ($HTTP_GET_VARS["action"]=="login"){
  if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
     $hfile = fopen($target, "r");
     $i = 0;

       while (!feof ($hfile)){
        $line[$i] = fgets ($hfile, 1024);
        $cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
        if ($cntrl){
          $len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
          if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
            header('Location:bbb.php');
          }else{
          header('Location:ccc.php');
          }
        }
        $i += 1;
       }
     $script='<script type="text/javascript">';
     $script.="alert(\"Sorry but your nick or your ID are wrong!\");";
     $script.='window.location.href="php12.php";';
     $script.='</script>';
     $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
     echo $html;
  }
 else{
    echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
 }
 }
}else{

//some stuff

?>
mrvanjohnson
Forum Contributor
Posts: 137
Joined: Wed May 28, 2003 11:38 am
Location: San Diego, CA

Post by mrvanjohnson »

Didn't get too much into your code, but a couple of observations.

1) You are using the GET method. For log-on pages especially, you might want to think about POST. Also consider forcing people to go SSL if you have that option.

2) You should think about using [php_man]MD5[/php_man] to encrypt the username and password.

As far as how someone got admin access: it looks like you are managing things through a flat file. You need to make sure that flat file is nowhere in the web server's path, so that no one can navigate to it through a browser. If it is, then someone might have just stumbled across the file and used it.

Don't know if any of that helps, but I hope you find your solution. Nothing like having a hole in your application and not knowing where it is. Good luck.
mrvanjohnson
Forum Contributor
Posts: 137
Joined: Wed May 28, 2003 11:38 am
Location: San Diego, CA

Post by mrvanjohnson »

I'm a little confused as to what these lines are supposed to be doing.

Code:

<?php
          $len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]); 
          if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){ 
?>
Can you walk me through this section of code? I would imagine if you had a back door it would have to be right here, unless someone is able to give themselves admin rights during registration, which I could not see.
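An added example, not code from this thread: the login check quoted above matches the request against the raw line with strstr and then inspects a substring near the end of the line to decide the role, so a record is never compared field by field, and the duplicate-nick check at registration is likewise a substring search. The version below (assuming modern PHP, an explicit fifth role field, and the PIN stored as a password hash instead of in clear) rejects the "::" delimiter and line breaks in user input when a record is written, parses each record into exact fields, and compares every field exactly.

```php
<?php
// Added example (not roman's code): exact-field handling for the "::user::nick::id" flat file.
// Assumed record layout: "::user::nick::pinhash::role\n" (the role field is new here).
const FIELD_SEP = '::';

// A field may not contain the record delimiter or a line break, and keeps the original 20-char cap.
function validField(string $v): bool {
    return $v !== '' && strlen($v) <= 20
        && strpos($v, FIELD_SEP) === false
        && strpbrk($v, "\r\n") === false;
}

// Build one record line, or return null if any field is unusable. The PIN is stored hashed.
function makeRecord(string $user, string $nick, string $pin, string $role = 'user'): ?string {
    foreach ([$user, $nick, $pin, $role] as $f) {
        if (!validField($f)) return null;
    }
    return FIELD_SEP.$user.FIELD_SEP.$nick.FIELD_SEP.password_hash($pin, PASSWORD_DEFAULT).FIELD_SEP.$role."\n";
}

// Parse one line into named fields, or return null for a malformed line.
function parseRecord(string $line): ?array {
    $parts = explode(FIELD_SEP, rtrim($line, "\r\n"));
    // A leading "::" yields an empty first element, so a well-formed line has exactly 5 parts.
    if (count($parts) !== 5 || $parts[0] !== '') return null;
    return ['user' => $parts[1], 'nick' => $parts[2], 'hash' => $parts[3], 'role' => $parts[4]];
}

// Return the role of the record whose user, nick and PIN all match exactly, else null.
function authenticate(array $lines, string $user, string $nick, string $pin): ?string {
    foreach ($lines as $line) {
        $r = parseRecord($line);
        if ($r === null) continue;                      // skip garbage instead of guessing
        if (hash_equals($r['user'], $user) && hash_equals($r['nick'], $nick)
            && password_verify($pin, $r['hash'])) {
            return $r['role'];
        }
    }
    return null;
}

// Constructed sample data, standing in for the contents of aaa.php.
$lines = [
    makeRecord('alice', 'ali', 's3cret'),
    makeRecord('bob', 'bobby', 'pin42', 'admin'),
    "::broken line without enough fields\n",
];
var_dump(authenticate($lines, 'bob', 'bobby', 'pin42'));   // role of bob's record
var_dump(authenticate($lines, 'alice', 'ali', 'wrongpin')); // no match
var_dump(makeRecord('eve', 'ev::il', '1234'));              // delimiter in nick is rejected
```

Because the role is read from its own field and the match requires every field to be equal, nothing an applicant can type into nick or id at registration can change which role a later login is granted.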
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Click: [google]php user management tutorial[/google]