
How did someone get admin on my login script? Look at it and

Posted: Tue Dec 02, 2003 2:24 pm
by roman
This is the source code of the php12.php file. I have only changed the names of all files that are linked with this one, and I
have removed some smaller stuff.

<?php
//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
if ($HTTP_GET_VARS["action"]=="register"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "a");
$con_file = file_get_contents($target);
if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
$script='<script type="text/javascript">';
$script.="alert(\"Sorry that nick already exist!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
$nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
$id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
fclose($hfile);
$script='<script type="text/javascript">';
$script.="alert(\"You are registered now!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}else{
$script='<script type="text/javascript">';
$script.="alert(\"You have to fill out the whole form!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
}
if ($HTTP_GET_VARS["action"]=="login"){
if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
$hfile = fopen($target, "r");
$i = 0;

while (!feof ($hfile)){
$line[$i] = fgets ($hfile, 1024);
$cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if ($cntrl){
$len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
header('Location:bbb.php');
}else{
header('Location:ccc.php');
}
}
$i += 1;
}
$script='<script type="text/javascript">';
$script.="alert(\"Sorry but your nick or your ID are wrong!\");";
$script.='window.location.href="php12.php";';
$script.='</script>';
$html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
echo $html;
}
else{
echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
}
}
}else{

//some stuff

?>
<form action="php12.php" method="get">
<table width="60%" align="center" cellpadding="0" cellspacing="1">

This is my new program. It looks really safe to me, but some days ago someone found a way to get admin. I have no idea how he did it. Can you see how it was done? Here is some of the script.

Posted: Tue Dec 02, 2003 2:35 pm
by microthick
Just making more readable. No code changes.


<?php

//
//stuff
//
$target = "aaa.php";
if (isset($HTTP_GET_VARS["action"])){
 if ($HTTP_GET_VARS["action"]=="register"){
  if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
     $hfile = fopen($target, "a");
     $con_file = file_get_contents($target);
     if (strpos($con_file, "::".$HTTP_GET_VARS["nick"])){
       $script='<script type="text/javascript">';
       $script.="alert(\"Sorry that nick already exist!\");";
       $script.='window.location.href="php12.php";';
       $script.='</script>';
       $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
       echo $html;
     }
     $nick = urldecode(substr($HTTP_GET_VARS["nick"], 0, 20));
     $id = urldecode(substr($HTTP_GET_VARS["id"], 0, 20));
     fputs($hfile, "::".$sessionuser['user']."::".$nick."::".$id."\n");
     fclose($hfile);
     $script='<script type="text/javascript">';
     $script.="alert(\"You are registered now!\");";
     $script.='window.location.href="php12.php";';
     $script.='</script>';
     $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
     echo $html;
  }else{
     $script='<script type="text/javascript">';
     $script.="alert(\"You have to fill out the whole form!\");";
     $script.='window.location.href="php12.php";';
     $script.='</script>';
     $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
     echo $html;
  }
 }
 if ($HTTP_GET_VARS["action"]=="login"){
  if(isset($HTTP_GET_VARS["nick"]) and isset($HTTP_GET_VARS["id"])){
     $hfile = fopen($target, "r");
     $i = 0;

       while (!feof ($hfile)){
        $line[$i] = fgets ($hfile, 1024);
        $cntrl = strstr($line[$i], "::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
        if ($cntrl){
          $len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]);
          if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){
            header('Location:bbb.php');
          }else{
          header('Location:ccc.php');
          }
        }
        $i += 1;
       }
     $script='<script type="text/javascript">';
     $script.="alert(\"Sorry but your nick or your ID are wrong!\");";
     $script.='window.location.href="php12.php";';
     $script.='</script>';
     $html='<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"><html><head><title>Error!</title></head><body bgcolor="#D0D0D0">'.$script.'</body></html>';
     echo $html;
  }
 else{
    echo "Sorry but your input was incorrect. You can't log in without nick or pin!";
 }
 }
}else{

//some stuff

?>

Posted: Tue Dec 02, 2003 3:42 pm
by mrvanjohnson
Didn't get too much into your code, but a couple of observations.

1) You are using the GET method. For logon pages especially, you might want to think about POST. Also consider forcing people to go SSL if you have that option.

2) You should think about using MD5 to encrypt the Username and Password.

As far as how someone got Admin access: it looks like you are managing things through a flat file. You need to make sure that flat file is nowhere in the web server's path, so that no one can navigate to it through a browser. If it is, then someone might have just stumbled across the file and used it.

Don't know if any of that helps, but I hope you find your solution. Nothing like having a hole in your application and not knowing where it is. Good luck.

Posted: Tue Dec 02, 2003 3:58 pm
by mrvanjohnson
I'm a little confused as to what these lines are supposed to be doing...


<?php
          $len = strlen("::".$sessionuser['user']."::".$HTTP_GET_VARS["nick"]."::".$HTTP_GET_VARS["id"]); 
          if (substr(($line[$i]), strlen($line[$i])-8, strlen($line[$i])-1-$len)=="::admin"){ 
?>
Can you walk me through this section of code? I would imagine that if you had a back door it would have to be right here, unless someone is able to give themselves admin rights during the registration, which I could not see.
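
Added worked example (written for this edit; it is not a post in this thread and not roman's code). The two lines quoted above are the whole access decision of the script in the first post, so the block below models the posted register and login path as a stand-alone PHP script: records are kept in an in-memory array instead of aaa.php, the session user is the constructed name "bob", and every function name here is this example's own. It keeps the posted strstr() and substr() expressions unchanged, walks through what the check does for an id registered with "::admin" at its end, and then shows a hardened variant (this example's design, not a fix from the thread) that stores the role on the server side, compares every field exactly and keeps the PIN as a password hash (password_hash() needs PHP 5.5 or later).

```php
<?php
// Added example for this edit, not code from the thread. Run it with:
//   php thread_model.php
// Assumptions: records live in an array instead of aaa.php, the session user
// is the constructed name "bob", and all function names are this example's own.
declare(strict_types=1);

// Same record layout as the posted script: ::user::nick::id[::admin]\n
// and the same protection on input: a 20-byte truncation and nothing else.
function demo_register(array &$records, string $user, string $nick, string $id): void
{
    $nick = substr($nick, 0, 20);
    $id   = substr($id, 0, 20);
    $records[] = "::{$user}::{$nick}::{$id}\n";
}

// Same decision as the posted login branch, with the three outcomes returned
// instead of redirecting to bbb.php / ccc.php / the error page.
function demo_login(array $records, string $user, string $nick, string $id): ?string
{
    $needle = "::{$user}::{$nick}::{$id}";
    foreach ($records as $line) {
        // strstr() is a substring search and the needle carries no delimiter
        // after the id, so the typed id only has to be a prefix of the stored one.
        if (strstr($line, $needle) === false) {
            continue;
        }
        $len = strlen($needle);
        // The posted tail check, unchanged: start 8 bytes before the end of the
        // line and take strlen($line)-1-$len bytes, i.e. however many bytes the
        // stored record has beyond the needle, not counting the newline.
        $tail = substr($line, strlen($line) - 8, strlen($line) - 1 - $len);
        return $tail === '::admin' ? 'admin' : 'user';
    }
    return null;
}

// Hardened variant, this example's own design rather than a fix from the thread:
// fixed fields, exact comparison on every field, the role stored by the server
// and never read from the request, and the PIN stored as a password hash.
function safe_register(array &$records, string $user, string $nick, string $pin, string $role = 'user'): bool
{
    // Reject the bytes that have structural meaning in the old flat file: the
    // "::" delimiter and line breaks, which would let one request write a
    // second record.
    if ($nick === '' || $pin === '' || preg_match('/[:\r\n]/', $nick . $pin) === 1) {
        return false;
    }
    foreach ($records as $r) {
        if ($r['user'] === $user && $r['nick'] === $nick) {
            return false; // duplicate nick: refuse instead of alerting and writing anyway
        }
    }
    $records[] = [
        'user' => $user,
        'nick' => $nick,
        'hash' => password_hash($pin, PASSWORD_DEFAULT),
        'role' => $role, // set by admin tooling only; the web form must never pass it
    ];
    return true;
}

function safe_login(array $records, string $user, string $nick, string $pin): ?string
{
    foreach ($records as $r) {
        if ($r['user'] === $user && $r['nick'] === $nick && password_verify($pin, $r['hash'])) {
            return $r['role']; // authorisation comes from the stored record, not from the input
        }
    }
    return null;
}

// Walk-through with constructed data. The registration is the attacker's own;
// no existing admin record is involved.
$records = [];
demo_register($records, 'bob', 'bob', 'x::admin');

// Logging in with the exact id: $len covers the whole record, so the tail
// check's length argument is 0 and the user is sent to the normal page.
printf("exact id  => %s\n", var_export(demo_login($records, 'bob', 'bob', 'x::admin'), true));
// Logging in with only the prefix "x": strstr() still matches, and the 7 bytes
// of the record beyond the needle are exactly "::admin".
printf("prefix id => %s\n", var_export(demo_login($records, 'bob', 'bob', 'x'), true));

$safe = [];
printf("safe_register with '::' => %s\n", var_export(safe_register($safe, 'bob', 'bob', 'x::admin'), true));
safe_register($safe, 'bob', 'bob', 'secret');
printf("safe_login prefix => %s\n", var_export(safe_login($safe, 'bob', 'bob', 'sec'), true));
printf("safe_login exact  => %s\n", var_export(safe_login($safe, 'bob', 'bob', 'secret'), true));
```

What the two quoted lines do: $len is the length of what the client typed, and the substr() call reads the bytes the stored record has beyond that, positioned so that they are the last seven bytes before the newline. For the genuine admin record the stored line is exactly "::admin" longer than the credentials, so the check returns the admin page; with the attacker's own credentials typed in full it returns nothing, which is why the script looks right when tested honestly. The gap is that registration accepts "::" inside the id and login matches the id by prefix, so a self-registered id such as "x::admin", logged in as "x", satisfies both halves of the check. Two more things visible in the posted code: the id is written to the file without stripping line breaks, so a %0A in the request ends the record early and starts another one, and the "nick already exists" branch prints its alert but never stops, so the record is appended anyway. On mrvanjohnson's point about the flat file, aaa.php contains no PHP tags, so if it sits under the document root a request for it returns every nick and id verbatim.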

Posted: Tue Dec 02, 2003 5:26 pm
by m3mn0n
Click: Google "php user management tutorial"