Upload script question? uploaded PHP script with png ext.
Posted: Mon Mar 06, 2006 7:13 am
by volito
OK, here is a strange one!
Someone uploaded a PHP script with a .png extension, "written and saved as a png file".
Here is a link to the png file. I left it on the server for now until I figure out if it is a functional script or someone trying to tell me something. "I have a PHP script that allows members to upload pics." Can someone tell me if this script will actually work, or what it is supposed to do?
http://www.statenislandsoccer.com/uploa ... ck.php.png
Any thoughts?
The author of the upload script is GONE. "I guess their site is down."
Posted: Mon Mar 06, 2006 8:18 am
by feyd
As it says in the code, it attacks a server. Granted, the loop has been removed, so the attack is extremely minimal, but it is an attack nonetheless.
Posted: Mon Mar 06, 2006 8:37 am
by Benjamin
Looks like the code isn't executing though, so I would assume the uploaded files are not getting execute permissions at least. You might want to add some checks in there to ensure the uploads are really images.
Posted: Mon Mar 06, 2006 9:32 am
by volito
agtlewis wrote: You might want to add some checks in there to ensure the uploads are really images.
Please explain or give an example? "You mean add something to the script to double-check that it is an image being uploaded? Obviously the script is allowing anything as long as the ext. is png."
Should I just delete it from the server and forget it?
thanks
Posted: Mon Mar 06, 2006 9:36 am
by Benjamin
Here is a class I found on php.net. Perhaps someone can help you integrate it with your current code.
<?php
class picture
{
    public $save_dir; // where the file will be saved
    public $filename = "spacer.gif"; // default file name initially
    public $error_message = ""; // string to be output if necessary
    public $width; // width of final image
    public $height; // height of final image

    function __construct($save_directory, $file_array, $max_width, $max_height)
    {
        $this->save_dir = $save_directory;
        $this->width = $max_width;
        $this->height = $max_height;
        //--change filename to time - make it unique
        $temp_filename = $file_array['name'];
        $ext = explode('.', $temp_filename);
        $ext = strtolower($ext[count($ext) - 1]);
        $temp_filename = time() . "." . $ext;
        //--check that it's a jpeg or gif: by extension, and by content
        //  (getimagesize() returns false when the data is not an image)
        $size = @getimagesize($file_array['tmp_name']);
        if (preg_match('/^(gif|jpe?g)$/', $ext) && $size !== false) {
            list($width_orig, $height_orig) = $size;
            // resize in proportion (GD wants integer dimensions)
            if ($this->width && ($width_orig < $height_orig)) {
                $this->width = (int) (($this->height / $height_orig) * $width_orig);
            } else {
                $this->height = (int) (($this->width / $width_orig) * $height_orig);
            }
            $image_p = imagecreatetruecolor($this->width, $this->height);
            //handle gifs and jpegs separately
            if ($ext == 'gif') {
                $image = imagecreatefromgif($file_array['tmp_name']);
                imagecopyresampled($image_p, $image, 0, 0, 0, 0, $this->width, $this->height, $width_orig, $height_orig);
                imagegif($image_p, $this->save_dir . $temp_filename); // imagegif() has no quality argument
            } else {
                $image = imagecreatefromjpeg($file_array['tmp_name']);
                imagecopyresampled($image_p, $image, 0, 0, 0, 0, $this->width, $this->height, $width_orig, $height_orig);
                imagejpeg($image_p, $this->save_dir . $temp_filename, 80);
            }
            imagedestroy($image_p);
            imagedestroy($image);
            $this->filename = $temp_filename;
        } else {
            $this->error_message .= "<br> file is not a jpeg or gif picture <br>";
        }
    }
}
?>
Posted: Mon Mar 06, 2006 10:06 am
by volito
Thanks for your time.
Would it be possible to add that to the current code, or should I just post the code I am using so all can see?
Maybe there is something missing from my code that was overlooked by the original writer.
If yes, do you post PHP using the quote function on the boards?
Sorry, new here.
Edited: I just looked at the code in my script; it is pretty BIG and all wrapped in an index.php.
Is it OK to post script here?
Thanks again
Posted: Mon Mar 06, 2006 10:10 am
by feyd
The file on your server is malicious; it should not be used at all. It is designed to attack another server, not work with images.
Posted: Mon Mar 06, 2006 10:10 am
by Benjamin
Yeah post your code using the PHP button to open and close the php brackets.
Posted: Mon Mar 06, 2006 10:11 am
by Chris Corbyn
volito wrote: agtlewis wrote: You might want to add some checks in there to ensure the uploads are really images.
Please explain or give an example? "You mean add something to the script to double-check that it is an image being uploaded? Obviously the script is allowing anything as long as the ext. is png."
Should I just delete it from the server and forget it?
thanks
getimagesize() would determine if it's really an image.
I personally wouldn't delete it... I like to keep things like this for reference. Are you sure it was uploaded via the website? It wouldn't be much use by itself over HTTP unless your web server is really insecure. It could, however, be executed on a shared host via the shell (or another script). Do you have any areas on your website that execute shell commands? If so, I'd have a look at the security measures taken there too.
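An added example (not Benjamin's class and not the File Upload Manager script) of the check Chris describes: accept an upload only if PHP reports it succeeded, the bytes themselves parse as a GIF, JPEG or PNG via getimagesize(), and a re-encoded copy can be written under a name the server generates. It assumes the GD extension, PHP 8, and an uploads directory path of your choosing.

```php
<?php
// Added example (not Benjamin's class or the FUM script): accept an upload
// only if PHP reports it succeeded, the bytes parse as a GIF/JPEG/PNG, and a
// re-encoded copy can be written under a name we generate. Requires GD and PHP 8.
function storeImageUpload(array $file, string $saveDir, int $maxBytes = 1048576): string
{
    // 1. Trust PHP's upload status, not the form: no file, a partial upload or
    //    a size limit hit all show up here before any content check.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file sent');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    // 2. Decide the type from the content. getimagesize() returns false unless
    //    the data parses as an image, so a PHP script saved as "x.png" fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        throw new RuntimeException('not an image');
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        throw new RuntimeException('image type not allowed');
    }
    $ext = $allowed[$info[2]];
    // 3. Re-encode through GD: only the decoded pixels are written back, so
    //    anything appended to a real image, or hidden in its metadata, is dropped.
    $src = match ($info[2]) {
        IMAGETYPE_GIF  => imagecreatefromgif($file['tmp_name']),
        IMAGETYPE_JPEG => imagecreatefromjpeg($file['tmp_name']),
        IMAGETYPE_PNG  => imagecreatefrompng($file['tmp_name']),
    };
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // 4. Never keep the client's file name; the extension follows the verified type.
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($saveDir, '/') . '/' . $name;
    if ($ext === 'png') {
        imagealphablending($src, false); imagesavealpha($src, true); // keep transparency
    }
    $ok = match ($ext) {
        'gif' => imagegif($src, $dest),
        'jpg' => imagejpeg($src, $dest, 85),
        'png' => imagepng($src, $dest),
    };
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('could not write ' . $dest);
    }
    return $name;
}

// Usage from an upload handler; the form field is "fileupload" as in the thread,
// and the uploads directory path is an assumption for this example.
// $saved = storeImageUpload($_FILES['fileupload'], __DIR__ . '/uploads');
```

Keep the upload directory outside the document root, or configure the web server not to execute PHP in it, so that a file which slips past the check still cannot be run.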

Posted: Mon Mar 06, 2006 10:12 am
by Benjamin
feyd wrote: The file on your server is malicious, it should not be used at all. It is designed to attack another server, not work with images.
I think someone used his upload form to upload that file.
EDIT: Especially considering they gave it a .png file extension.
Posted: Mon Mar 06, 2006 10:20 am
by volito
?>
<?
if (@phpversion() < '4.1.0') {
$_FILE = $HTTP_POST_FILES;
$_GET = $HTTP_GET_VARS;
$_POST = $HTTP_POST_VARS;
}
clearstatcache();
error_reporting(E_ALL & ~E_NOTICE);
$fum_vers = "1.3"; # do not edit this line, the script will not work!!!
$fum_info_full = "File Upload Manager v$fum_vers";
function authDo($auth_userToCheck, $auth_passToCheck)
{
global $auth_usern, $auth_passw;
$auth_encodedPass = md5($auth_passw);
if ($auth_userToCheck == $auth_usern && $auth_passToCheck == $auth_encodedPass) {
$auth_check = TRUE;
} else {
$auth_check = FALSE;
}
return $auth_check;
}
if (isset($logout)) {
setcookie ('fum_user', "",time()-3600);
setcookie ('fum_pass', "",time()-3600);
}
if (isset($login)) {
$auth_password_en = md5($auth_formPass);
$auth_username_en = $auth_formUser;
if (authDo($auth_username_en, $auth_password_en)) {
setcookie ('fum_user', $auth_username_en,time()+3600);
setcookie ('fum_pass', $auth_password_en,time()+3600);
$auth_msg = "<b>Authentication successful!</b> The cookies have been set.<br><br>".
$auth_msg . "Your password (MD5 encrypted) is: $auth_password_en";
} else {
$auth_msg = "<b>Authentication error!</b>";
}
}
if (($_GET[act]=="dl")&&$_GET[file])
{
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && isset($fum_user) && !isset($logout))) {
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && authDo($fum_user, $fum_pass))) {
$value_de=base64_decode($_GET[file]);
$dl_full=$dir_store."/".$value_de;
$dl_name=$value_de;
if (!file_exists($dl_full))
{
echo"ERROR: Cannot download file, it does not exist.<br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
exit();
}
header("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=$dl_name");
header("Content-Length: ".filesize($dl_full));
header("Accept-Ranges: bytes");
header("Pragma: no-cache");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Content-transfer-encoding: binary");
@readfile($dl_full);
exit();
}
}
}
function getlast($toget)
{
$pos=strrpos($toget,".");
$lastext=substr($toget,$pos+1);
return $lastext;
}
function replace($o)
{
$o=str_replace("/","",$o);
$o=str_replace("\\","",$o);
$o=str_replace(":","",$o);
$o=str_replace("*","",$o);
$o=str_replace("?","",$o);
$o=str_replace("<","",$o);
$o=str_replace(">","",$o);
$o=str_replace("\"","",$o);
$o=str_replace("|","",$o);
return $o;
}
?>
<!-- <?=$fum_info_full?> -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title><? echo ($title) ? ($title) : ("File Upload Manager"); ?></title>
<link rel="stylesheet" href="<?=$dir_img?>/<?=$style?>.css" type="text/css">
<?
if ($auth_ReqPass == 1)
{
if (isset($login) || isset($logout)) {
echo("<meta http-equiv='refresh' content='2;url=$_SERVER[PHP_SELF]'>");
}
}
?>
</head>
<body bgcolor="#F7F7F7"><br><br>
<center>
<?
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && isset($fum_user) && !isset($logout))) {
if ($auth_ReqPass != 1 || ($auth_ReqPass == 1 && authDo($fum_user, $fum_pass))) {
?>
<table width="560" cellspacing="0" cellpadding="0" border="0">
<tr>
<td><font size="3"><b><i><? echo ($title) ? ($title) : ("File Upload Manager"); ?></i></b></font> <font style="text-decoration: bold; font-size: 9px;">v<?=$fum_vers?></font>
<?
#--Please do not remove my link/copyright as it is unfair and a breach of the license--#
echo"<a href=\"http://www.mtnpeak.net\" style=\"text-decoration: none; color: #C0C0C0; font-size: 9px; cursor: default\";>© thepeak</a>";
?>
</td>
</tr>
</table>
<?
if (!eregi("777",decoct(fileperms($dir_store))))
{
echo"<br><br><b><h4><font color=\"FF0000\">ERROR: cannot access the upload store file directory. please chmod the \"$dir_store\" directory with value 0777 (xrw-xrw-xrw)!</h4></font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">refresh</a>";
}
else
{
if (!$_FILES[fileupload])
{
?>
<table width="560" cellspacing="0" cellpadding="0" border="0" class="table_decoration" style="padding-top:5px;padding-left:5px;padding-bottom:5px;padding-right:5px">
<form method="post" enctype="multipart/form-data">
<tr>
<td>file:</td><td><input type="file" name="fileupload" class="textfield" size="30"></td>
</tr>
<tr>
<td>rename to:</td><td><input type="text" name="rename" class="textfield" size="46"></td>
</tr>
<tr>
<td>file types allowed:</td><td>
<?
for($i=0;$i<count($file_ext_allow);$i++)
{
if (($i<>count($file_ext_allow)-1))$commas=", ";else $commas="";
list($key,$value)=each($file_ext_allow);
echo $value.$commas;
}
?>
</td>
</tr>
<tr>
<td>file size limit:</td>
<td>
<b><?
if ($file_size_ind >= 1048576)
{
$file_size_ind_rnd = round(($file_size_ind/1024000),3) . " MB";
}
elseif ($file_size_ind >= 1024)
{
$file_size_ind_rnd = round(($file_size_ind/1024),2) . " KB";
}
elseif ($file_size_ind >= 0)
{
$file_size_ind_rnd = $file_size_ind . " bytes";
}
else
{
$file_size_ind_rnd = "0 bytes";
}
echo "$file_size_ind_rnd";
?></b>
</td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="upload" class="button"> <input type="reset" value="clear" class="button"></td>
</tr>
</form>
</table>
<?
if ((!$_GET[act]||!$_GET[file])&&$_GET[act]!="delall")
{
$opendir = @opendir($dir_store);
while ($readdir = @readdir($opendir))
{
if ($readdir<>"." && $readdir<>".." && $readdir != "index.html")
{
$filearr[] = $readdir;
}
$sort=array();
for($i=1;$i<=count($filearr);$i++)
{
$key = sizeof($filearr)-$i;
$file = $filearr[$key];
$sort[$i]=$file;
}
asort($sort);
}
?>
<br>
<table width="560" cellspacing="0" cellpadding="0" border="0" class="table_decoration" style="padding-left:5px">
<tr>
<td><b>admin tools:</b>
<?
if ($file_del_allow != 1 && $auth_ReqPass != 1)
{
echo"<i>none</i>";
}
if ($file_del_allow == 1 && $file_list_allow == 1 && (count($filearr) >= 1))
{
echo"<a href=\"javascript:;\" onClick=\"cf=confirm('Are you sure you want to delete ALL FILES?');if (cf)window.location='?act=delall'; return false;\" style=\"font-size: 9px;\"><delete all files></a>";
}
if ($auth_ReqPass == 1)
{
echo" <a href=\"$_SERVER[PHP_SELF]?logout=1\" style=\"font-size: 9px;\"><log-out></a>";
}
?>
</td>
</tr>
</table>
<br>
<?
if ($file_list_allow == 1 && (count($filearr) >= 1))
{
?>
<table width="560" cellspacing="0" cellpadding="0" border="0" class="table_decoration" style="padding-left:6px">
<tr bgcolor="#DBDBDB">
<td align="left" width="46%">FILE NAME</td>
<td align="center" width="12%">FILE TYPE</td>
<td align="center" width="12%">FILE SIZE</td>
<td align="center" width="30%">FUNCTIONS</td>
</tr>
<?
for($i=1;$i<=count($sort);$i++)
{
list($key,$value)=each($sort);
if ($value)
{
$value_en = base64_encode($value);
$value_view=$value;
if (strlen($value) >= 48)
{
$value_view = substr($value_view, 0, 45) . '...';
}
?>
<tr>
<td width="30%"><?="<a href=\"?act=view&file=$value_en\">$value_view</a>"?></td>
<td align="center" width="5%"><? echo strtoupper(getlast($value)); ?></td>
<td align="center" width="5%"><?
$value_full = $dir_store."/".$value;
$file_size = filesize($value_full);
if ($file_size >= 1048576)
{
$show_filesize = number_format(($file_size / 1048576),2) . " MB";
}
elseif ($file_size >= 1024)
{
$show_filesize = number_format(($file_size / 1024),2) . " KB";
}
elseif ($file_size >= 0)
{
$show_filesize = $file_size . " bytes";
}
else
{
$show_filesize = "0 bytes";
}
echo "$show_filesize";
?></td>
<td align="center" width="5%"><?="<a title=\"View File\" href=\"?act=view&file=$value_en\"><view></a>"?> |
<?
if ($file_del_allow == 1)
{
echo"<a title=\"Download file\" href=\"?act=dl&file=$value_en\"><dl></a>";
}
else
{
echo"<a title=\"Download file\" href=\"?act=dl&file=$value_en\"><download></a>";
}
if ($file_del_allow == 1)
{
echo" | <a title=\"Delete file\" href=\"javascript:;\" onClick=\"cf=confirm('Are you sure you want to delete this file?');if (cf)window.location='?act=del&file=$value_en'; return false;\"><delete></a>";
}
else
{
echo" ";
}
?>
</td>
</tr>
<?
}
else
{
echo"<br>";
}
}
?>
</table></center>
<?
}
}
elseif (($_GET[act]=="view")&&$_GET[file])
{
$value_de = base64_decode($_GET[file]);
echo"<script language=\"javascript\">\nViewPopup = window.open(\"$dir_store/$value_de\", \"fum_viewfile\", \"toolbar=no,status=no,menubar=no,scrollbars=yes,resizable=yes,location=no,width=640,height=480\")\nViewPopup.document.bgColor=\"#F7F7F7\"\nViewPopup.document.close()\n</script>";
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file opened!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a><br><br><br>If the file did not display, you must <b>disable</b> your popup manager, or enable javascript in your browser.";
}
elseif (($_GET[act]=="del")&&$_GET[file])
{
$value_de = base64_decode($_GET[file]);
@unlink($dir_store."/$value_de");
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file has been deleted!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
if ($_GET[act]=="delall")
{
$handle = opendir($dir_store);
while($file=readdir($handle))
if (($file != ".")&&($file != ".."))
@unlink($dir_store."/".$file);
closedir($handle);
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">all files have been deleted!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
}
else
{
echo"<br><br>";
$uploadpath=$dir_store."/";
$source=$_FILES[fileupload][tmp_name];
$fileupload_name=$_FILES[fileupload][name];
$weight=$_FILES[fileupload][size];
for($i=0;$i<count($file_ext_allow);$i++)
{
if (getlast($fileupload_name)!=$file_ext_allow[$i])
$test.="~~";
}
$exp=explode("~~",$test);
if (count($exp)==(count($file_ext_allow)+1))
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: your file type is not allowed (".getlast($fileupload_name).")</font>, or you didn't specify a file to upload.</b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
if ($weight>$file_size_ind)
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: please get the file size less than ".$file_size_ind." BYTES (".round(($file_size_ind/1024),2)." KB)</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
foreach($_FILES[fileupload] as $key=>$value)
{
echo"<font color=\"#3399FF\">$key</font> : $value <br>";
}
echo "<br>";
$dest = '';
if (($source != 'none') && ($source != '' ))
{
$dest=$uploadpath.$fileupload_name;
if ($dest != '')
{
if (file_exists($uploadpath.$fileupload_name))
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: that file has already been uploaded before, please choose another file</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
if (copy($source,$dest))
{
if ($_POST[rename])
{
$_POST[rename]=replace($_POST[rename]);
$exfile=explode(".",$fileupload_name);
if (@rename("$dir_store/$fileupload_name","$dir_store/$_POST[rename].".getlast($fileupload_name)))
{
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file has been renamed to $_POST[rename].".getlast($fileupload_name)."!</font></b></font><br>";
}
}
echo"<br><img src=\"$dir_img/info.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">file has been uploaded!</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
else
{
echo"<br><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> <b><font size=\"2\">ERROR: cannot upload, please chmod the dir to 777</font></b><br>»<a href=\"$_SERVER[PHP_SELF]\">back</a>";
}
}
}
}
}
}
}
}
#/# end of main script, start authentication code IF user not logged in IF $auth_ReqPass is enabled
}
else
{
echo("<p><img src=\"$dir_img/error.gif\" width=\"15\" height=\"15\"> Authentication error</p>" .
"<p><a href='$_SERVER[PHP_SELF]?logout=1'>Delete cookies and login again</a></p>");
}
}
else
{
if (!isset($login) || isset($relogin)) {
?>
<font size="3"><b><i><? echo ($title) ? ($title) : ("File Upload Manager"); ?></i> - Authentication</b></font><br><br>
<table class="table_auth"><tr><td><center>
Please enter the username and password to enter the restricted area.<br>
You must have cookies enabled in your browser to continue.
</center></td></tr></table>
<form action="<?=$_SERVER[PHP_SELF]?>?login=1" method="POST"><p>
Username: <input type="text" name="auth_formUser" size="20"><br>
Password: <input type="password" name="auth_formPass" size="20">
<p><input type="submit" name="submit" class="button" value="Log-In"></p>
</form></center>
<?
}
elseif (isset($login))
{
echo("<p>$auth_msg</p>" . "<p>You'll be redirected in 2 seconds!</p>");
}
}
?>
</body>
</html>
Posted: Mon Mar 06, 2006 10:31 am
by volito
OK, that's the free script I am using. "Copyrighted, so hope it's OK to post it."
And yes, it is an upload form that puts pictures in a directory that visitors can view.
Are you sure it was uploaded via the website? It wouldn't be much use by itself over HTTP unless your web server is really insecure. It could however be executed on a shared host via the shell (or another script). Do you have any areas on your website that execute shell commands
Most positive; I checked the web server logs and see the POST command for that directory.
No shared host! I only use a few PHP scripts on the server: guestbook, email form, message board.
I am not a programmer, so I'm not really sure what you mean by shell commands. Just using PHP scripts. I don't have execute permissions on any folder or directory "going to double-check that now", because I remember some files had to be CHMOD "full permissions".
Thanks again
Edited: I just searched "shell commands". There is no user interface ("GUI") that allows the host to execute and control OS commands. "Hope I read that and understood it somewhat correctly." Maybe just the PHP scripts, because they do have write permissions, and I think one script only worked with full permissions. Checking now.
PS: The server is a Windows box.
Posted: Tue Mar 07, 2006 12:11 am
by volito
Uploaded another one, and it was the license of one of my scripts. Guess this person is bored!
Found these flaws:
url to view a file: /index.php?act=view&file=d2VlLnBocC50eHQ=
url to delete the same file: /index.php?act=del&file=d2VlLnBocC50eHQ=
http://diswww.mit.edu/menelaus.mit.edu/bt/39137
Here is the server log:
89.52.52.202 - - [06/Mar/2006:08:18:31 -0800] "GET /upload/fileupload/index.php?act=view&file=d2ViYWRtaW4ucGhwLmdpZg== HTTP/1.1" 200 2283
IP from Germany, "unless proxy".
So far I have enabled the password on the script.
Any ideas where to add arrays to validate uploads?
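An added example, not part of the thread or of the File Upload Manager script, of turning the two flaws volito lists into a log check: it parses Apache-style access log lines like the one above, decodes the base64 "file" parameter the script puts in its view/del URLs, and reports names that carry a script extension in front of the image extension (as "webadmin.php.gif" does) plus every delete request. The first log line copies volito's entry; the other two are constructed for the example.

```php
<?php
// Added example, not part of the thread or of the FUM script: scan Apache-style
// access log lines for the manager's act=view / act=del / act=delall requests,
// decode the base64 "file" parameter (the script's $value_en) and flag names that
// carry a script extension in front of the image one, plus every delete request.
// Line 1 copies the entry volito posted; lines 2 and 3 are constructed.
$sampleLog = <<<'LOG'
89.52.52.202 - - [06/Mar/2006:08:18:31 -0800] "GET /upload/fileupload/index.php?act=view&file=d2ViYWRtaW4ucGhwLmdpZg== HTTP/1.1" 200 2283
10.0.0.5 - - [06/Mar/2006:09:00:00 -0800] "GET /upload/fileupload/index.php?act=view&file=aG9saWRheS5qcGc= HTTP/1.1" 200 5120
10.0.0.9 - - [06/Mar/2006:09:05:12 -0800] "GET /upload/fileupload/index.php?act=del&file=aG9saWRheS5qcGc= HTTP/1.1" 200 310
LOG;

/** One finding per suspicious request: ip, time, act, decoded file name, status, reason. */
function fumFindings(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Combined-log prefix: client IP, identity, user, [time] "METHOD target proto" status
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $time, $target, $status] = $m;
        parse_str((string) parse_url($target, PHP_URL_QUERY), $q);
        $act = $q['act'] ?? '';
        if (!in_array($act, ['view', 'del', 'delall'], true)) {
            continue;
        }
        $reasons = [];
        // A raw '+' in the query is decoded as a space by parse_str(); put it back.
        $name = base64_decode(str_replace(' ', '+', $q['file'] ?? ''), true);
        if ($name === false) {
            $reasons[] = 'file parameter is not valid base64';
            $name = '';
        } elseif (preg_match('/\.ph(p\d?|tml)\./i', $name)) {
            // e.g. webadmin.php.gif: the script's extension check only looks at the last part
            $reasons[] = 'script extension embedded in file name';
        }
        if ($act === 'del' || $act === 'delall') {
            // Deletion is a plain GET; the "are you sure" confirm is client-side only.
            $reasons[] = 'delete action requested';
        }
        if ($reasons) {
            $findings[] = ['ip' => $ip, 'time' => $time, 'act' => $act,
                'name' => $name, 'status' => $status, 'reason' => implode('; ', $reasons)];
        }
    }
    return $findings;
}

foreach (fumFindings($sampleLog) as $f) {
    printf("%s %s act=%s file=%s status=%s (%s)\n",
        $f['time'], $f['ip'], $f['act'], $f['name'], $f['status'], $f['reason']);
}
```

On the sample above the first line is reported for the embedded ".php." and the third for the delete; the ordinary view of "holiday.jpg" is left alone.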
Posted: Tue Mar 07, 2006 1:00 am
by matthijs
volito, may I ask: how do you use this script? From what I understand from your posts, you place it on your server and let people (anyone) upload pictures? As far as I know, that will always be a big security problem. You'd better look around for a more secure script and make sure it is not accessible, by protecting the directory it is in.
Posted: Tue Mar 07, 2006 5:04 pm
by volito
Yes! I enabled password protection on the script, as this person already uploaded another script. Now I am checking what this person actually did, as all my programs are broadcasting to IP 239.255.255.255 on port 1900 using UDP.
Running all tests as I type this reply.
