
trying to crack my own system

Posted: Wed Oct 19, 2005 3:09 am
by s.dot
K, so I've developed a good random way to generate unique filenames.

So, to test how unique they are, I'm trying to write a script that will "crack" the filename if you will.

What I'm doing is putting a bunch of letters and numbers into an array, using shuffle() to randomize them, pull out a set number of letters and numbers, and then run it through a huge while loop.

Here's an example (a basic one so you can get the idea)

Code:

$user = "joebob";
$dir = "http://www.domain.com/picdir/$user";

$array = array("1","2","3");

for($i=0; $i<99999999; $i++)
{
   shuffle($array);
   $rand = $array[1].$array[2].$array[3];

   $pic = $dir.$rand.".jpg";
   if(@getimagesize($pic))
   {
       // show picture
   }
}

This brings me to two questions. If someone other than me were to run this script, would my server log it anywhere? Since it's being massively tested for getimagesize(); I would want to know if someone were trying something like this.

And #2, is there anything faster than getimagesize() for testing purposes? Running that loop takes a while. I've tried if(file_exists()), but it doesn't seem to work with URLs.
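On the logging question: each getimagesize() call on an http:// URL is an ordinary HTTP GET, so it shows up in the web server's access log when access logging is enabled. As an added example (not code from the thread), the function below counts distinct 404 misses per client under the picture directory; the Apache combined log format, the threshold and the sample lines are assumptions.

```php
<?php
// Added example: flag clients that request many nonexistent files under one path.
// Assumes Apache combined log format; threshold and sample lines are constructed.

function findEnumerators(array $lines, string $prefix, int $threshold): array
{
    // client, [timestamp], "METHOD path PROTO", status
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) /';
    $misses = [];
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // skip lines that do not parse
        }
        [, $client, $path, $status] = $m;
        if ($status === '404' && strpos($path, $prefix) === 0) {
            $misses[$client][$path] = true; // distinct guessed names only
        }
    }
    $flagged = [];
    foreach ($misses as $client => $paths) {
        if (count($paths) >= $threshold) {
            $flagged[$client] = count($paths);
        }
    }
    arsort($flagged); // noisiest client first
    return $flagged;
}

// Constructed sample log lines (documentation IP ranges).
$log = [
    '203.0.113.7 - - [19/Oct/2005:03:10:01 +0000] "GET /picdir/joebob123.jpg HTTP/1.0" 404 208 "-" "-"',
    '203.0.113.7 - - [19/Oct/2005:03:10:01 +0000] "GET /picdir/joebob321.jpg HTTP/1.0" 404 208 "-" "-"',
    '203.0.113.7 - - [19/Oct/2005:03:10:02 +0000] "GET /picdir/joebob231.jpg HTTP/1.0" 404 208 "-" "-"',
    '203.0.113.7 - - [19/Oct/2005:03:10:02 +0000] "GET /picdir/joebob132.jpg HTTP/1.0" 404 208 "-" "-"',
    '198.51.100.20 - - [19/Oct/2005:03:11:40 +0000] "GET /picdir/joebob.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [19/Oct/2005:03:11:45 +0000] "GET /picdir/old.jpg HTTP/1.1" 404 208 "-" "Mozilla/5.0"',
];

// Only 203.0.113.7 reaches the threshold of 3 distinct misses.
print_r(findEnumerators($log, '/picdir/', 3));
```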

Posted: Wed Oct 19, 2005 12:06 pm
by Skara
Rather than pick out what to work with in the beginning, then trying to randomize it with a giant loop, try getting the numbers from something that's actually "random." I don't really see the point in that loop.

Posted: Wed Oct 19, 2005 9:27 pm
by Jenk
That's going to have a max of 6 variations, and you cannot guarantee that it will try every variation (I know it is only an example, but the point is still valid :) ):

123.jpg
321.jpg
231.jpg
132.jpg
312.jpg
213.jpg

The following is a brute force attempt:

Code:

$user = "joebob";
$dir = "http://www.domain.com/picdir/$user"; 
for ($i = 0; $i <= 999; $i++) {
    $pic = substr("00$i", -3) . ".jpg";
    if(@getimagesize($dir.$pic)) {
        $i = 1000;
        //show pic
    }
}
:)

Posted: Wed Oct 19, 2005 9:29 pm
by feyd
6 variants, but only a 5 character filename.. (zero based array) ;)

Posted: Sun Oct 23, 2005 8:47 am
by s.dot
Well this is how I'm naming my files

Code:

$ext = ".jpg";
// all 26 lowercase letters plus all 26 uppercase letters
$letters = array_merge(range('a', 'z'), range('A', 'Z'));
shuffle($letters);

// first six letters of the shuffled alphabet (no letter repeats)
$rand = $letters[0].$letters[1].$letters[2].$letters[3].$letters[4].$letters[5];
$time = time();

$filename = $time.$rand.$ext;

Pretty secure?

Posted: Sun Oct 23, 2005 5:45 pm
by Jenk
Is there any particular reason why you are not just restricting the access to yourself?

Posted: Tue Oct 25, 2005 7:15 pm
by Chris Corbyn
Given that the first part of the filename is time() I can narrow that part right down very quickly in a brute force... that leaves me with 5 more characters.... it wouldn't take long to brute force at all ;)

Why not just use apache to prevent hotlinking or whatever it is you're trying to achieve?

Posted: Tue Oct 25, 2005 7:22 pm
by John Cartwright
Remember, security through obscurity is not good security :P.. only obscure

Posted: Tue Oct 25, 2005 8:35 pm
by Ambush Commander
d11wtq is right. If you really need a random string of characters, use something like...

Code:

function randString($length = 16) {
    $newstring = "";
    for ($i = 0; $i < $length; $i++) {
        $randnum = mt_rand(0, 61);
        if ($randnum < 10) {
            $newstring .= chr($randnum + 48);   // 0-9   -> '0'..'9'
        } elseif ($randnum < 36) {
            $newstring .= chr($randnum + 55);   // 10-35 -> 'A'..'Z'
        } else {
            $newstring .= chr($randnum + 61);   // 36-61 -> 'a'..'z'
        }
    }
    return $newstring;
}

Which returns a readable random string.

Posted: Tue Oct 25, 2005 8:50 pm
by John Cartwright
Make sure you check if the file name already exists, never know...
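The random-string suggestion and the "check if the file name already exists" advice above can be combined in one step. This is an added example, not code from the thread: it draws the name from random_bytes() (PHP 7+), since mt_rand() is not a cryptographically secure generator, and uses fopen() mode 'x' so the existence check and the creation cannot race. The function names and the temporary directory are hypothetical.

```php
<?php
// Added example: unguessable upload names with an atomic existence check.
// Assumes PHP 7+ (random_bytes); function and directory names are hypothetical.

function randomName(int $bytes = 16, string $ext = '.jpg'): string
{
    // 16 bytes from the OS CSPRNG = 128 bits, hex-encoded to 32 characters.
    return bin2hex(random_bytes($bytes)) . $ext;
}

function claimUniqueFile(string $dir, int $maxTries = 5): array
{
    for ($try = 0; $try < $maxTries; $try++) {
        $path = rtrim($dir, '/') . '/' . randomName();
        // Mode 'x' creates the file and fails if it already exists, so the
        // check and the creation are a single operation.
        $fh = @fopen($path, 'x');
        if ($fh !== false) {
            return [$path, $fh];
        }
    }
    throw new RuntimeException("could not create a unique file in $dir");
}

// Usage with a constructed temporary directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
[$path, $fh] = claimUniqueFile($dir);
fwrite($fh, 'image bytes would go here');
fclose($fh);
echo basename($path), "\n"; // 32 hex characters followed by .jpg
unlink($path);
rmdir($dir);
```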

Posted: Thu Nov 03, 2005 1:31 am
by s.dot
Well, given that there's time() which is unique every second, and 6 random letters afterward (out of 52 possible letters), I think that's pretty secure.

I'm just using this to name pictures that people choose to "lock". In other words, they upload them.. but only people they give the password to have access to this particular photo album. So, "security through obscurity" is the only way. :-P. But, given d11wtq's response, I should develop an algorithm for naming the files, instead of randomly naming them.

Posted: Thu Nov 03, 2005 2:56 am
by Jenk
scrotaye wrote: Well, given that there's time() which is unique every second, and 6 random letters afterward (out of 52 possible letters), I think that's pretty secure.

I'm just using this to name pictures that people choose to "lock". In other words, they upload them.. but only people they give the password to have access to this particular photo album. So, "security through obscurity" is the only way. :-P. But, given d11wtq's response, I should develop an algorithm for naming the files, instead of randomly naming them.

What d11wtq pointed out, is that even though it is unique, using time() is not secure.

If someone knows you made a file in the afternoon of the 13th May, that means they only have a few hours to suss out for part of the first part of the filename, then the remaining 5 chars is not a challenge for brute force.

Like has been pointed out, just restrict access to the folder and don't bother with the unique naming, it'll only add confusion and not add much security.

Posted: Sat Nov 05, 2005 2:53 am
by n00b Saibot
Jenk wrote: What d11wtq pointed out, is that even though it is unique, using time() is not secure.

If someone knows you made a file in the afternoon of the 13th May, that means they only have a few hours to suss out for part of the first part of the filename, then the remaining 5 chars is not a challenge for brute force.

I think I read that somewhere here on the forum... :)

Posted: Fri Nov 25, 2005 1:02 pm
by RaH
Why not just use referrals? You could test for spoofing by inserting a session id into the referral url, and then test for validity of sess id. If you are serving up a few megs of photos to a few hundred users, the impact of that loop could DoS you.

Posted: Fri Nov 25, 2005 1:17 pm
by josh
Why not store the images out of the DocumentRoot, and pass them through a php script, let the script decide who can see the image and who can't.
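A sketch of the pass-through approach suggested above, as an added example that is not code from the thread. The storage directory, the `album` and `file` request parameters and the `$_SESSION['albums']` list of unlocked albums are hypothetical; the password check that fills that list is assumed to live elsewhere.

```php
<?php
// Added example: serve "locked" pictures from outside the DocumentRoot.
// Hypothetical names: STORE_DIR, $_SESSION['albums'], album/file parameters.

const STORE_DIR = '/var/www-private/pictures';

function resolvePicture(string $storeDir, string $album, string $file, array $allowed): ?string
{
    // Only albums this session has unlocked (after the album password check).
    if (!in_array($album, $allowed, true)) {
        return null;
    }
    // Strict allow-list for names: no slashes, no "..", one known extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $album) ||
        !preg_match('/^[A-Za-z0-9_-]{1,64}\.jpg$/', $file)) {
        return null;
    }
    $base = realpath($storeDir);
    $path = realpath("$storeDir/$album/$file");
    // realpath() resolves symlinks; the result must still be inside the store.
    if ($base === false || $path === false ||
        strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

if (PHP_SAPI !== 'cli') {
    session_start();
    $album = $_GET['album'] ?? '';
    $file  = $_GET['file'] ?? '';
    $path = (is_string($album) && is_string($file))
        ? resolvePicture(STORE_DIR, $album, $file, $_SESSION['albums'] ?? [])
        : null;
    if ($path === null) {
        http_response_code(404); // same answer for "missing" and "not allowed"
        exit;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

With this in place the filename no longer has to be secret, because a request without an unlocked session gets the same 404 whether or not the guessed name exists.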