shoutbox hack .. help plz

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

mrlol
Forum Newbie
Posts: 2
Joined: Mon Sep 08, 2008 1:36 am

shoutbox hack .. help plz

Post by mrlol »

Hi...

I have a problem with my website. One user can access my website without registering as a member. Furthermore, he has admin access to my shoutbox. He also has:

+admin access
+admin icon
+a shout rating of 9999999....
+an IP that is not in the range of the office intranet (something like 255.255.255.255)
+I already banned his IP, but he is still there!
+his name never shows in the who's online list

I don't know how he can get admin access without registering, and he can shout at my shoutbox.
I have already secured my phpMyAdmin/MySQL with a password and a new alias for phpMyAdmin, and upgraded my WAMP to the latest one.

Below I provide my shoutbox code. By the way, I'm a super noob :oops:

Please help me, anyone... arghhh :banghead: lol

TQ

Code:

<?php require_once('Connections/alex.php'); ?>
<?php
   $currentPage = $_SERVER["PHP_SELF"];
   
   session_start();
   if(!session_is_registered('MM_Username'))
   {  header("location:Denied.php");
      // no exit() after the redirect: everything below still executes for a request that is not logged in
   }
   
   function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
   {  $theValue = (!get_magic_quotes_gpc()) ? addslashes($theValue) : $theValue;
      switch ($theType) 
      {  case "text":
               $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
               break;    
         case "long":
         case "int":
               $theValue = ($theValue != "") ? intval($theValue) : "NULL";
               break;
         case "double":
               $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
               break;
         case "date":
               $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
               break;
         case "defined":
               $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
               break;
      }
      return $theValue;
   }
   
   $editFormAction = $_SERVER['PHP_SELF'];
      if (isset($_SERVER['QUERY_STRING'])) 
      {  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
      }
      if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "shout")) 
      {  // UserName, Level and Point are all taken from the submitted form fields
         $insertSQL = sprintf("INSERT INTO comments (UserName, Level, Comments, Point) VALUES (%s, %s, %s, %s)",
               GetSQLValueString($_POST['user'], "text"),
               GetSQLValueString($_POST['Level'], "text"),
               GetSQLValueString($_POST['shout'], "text"),
               GetSQLValueString($_POST['Pt'], "text"));
         
         mysql_select_db($database_alex, $alex);
            $Result1 = mysql_query($insertSQL, $alex) or die(mysql_error());
            $insertGoTo = "ShoutBox.php";
         
         if (isset($_SERVER['QUERY_STRING'])) 
         {  $insertGoTo .= (strpos($insertGoTo, '?')) ? "&" : "?";
            $insertGoTo .= $_SERVER['QUERY_STRING'];
         }
         header(sprintf("Location: %s", $insertGoTo));
      }
   
   $colname_user = "1";
      if (isset($_SESSION['MM_Username'])) 
      {  $colname_user = (get_magic_quotes_gpc()) ? $_SESSION['MM_Username'] : addslashes($_SESSION['MM_Username']);
      }
      
      mysql_select_db($database_alex, $alex);
      $query_user = sprintf("SELECT * FROM `user` WHERE UserName = '%s'", $colname_user);
      $user = mysql_query($query_user, $alex) or die(mysql_error());
      $row_user = mysql_fetch_assoc($user);
      $totalRows_user = mysql_num_rows($user);
 
 
mysql_select_db($database_alex, $alex);
$query_point = sprintf("SELECT * FROM comments WHERE UserName = '%s' ORDER BY Point DESC", $colname_user);
$point = mysql_query($query_point, $alex) or die(mysql_error());
$row_point = mysql_fetch_assoc($point);
$totalRows_point = mysql_num_rows($point);
      
      $maxRows_shout = 40;
      $pageNum_shout = 0;
      if (isset($_GET['pageNum_shout'])) 
      {  $pageNum_shout = $_GET['pageNum_shout'];
      }     
      $startRow_shout = $pageNum_shout * $maxRows_shout;
         
      mysql_select_db($database_alex, $alex);
         $query_shout = "SELECT * FROM comments ORDER BY `Date` DESC";
         $query_limit_shout = sprintf("%s LIMIT %d, %d", $query_shout, $startRow_shout, $maxRows_shout);
         $shout = mysql_query($query_limit_shout, $alex) or die(mysql_error());
         $row_shout = mysql_fetch_assoc($shout);
 
      if (isset($_GET['totalRows_shout'])) 
      {  $totalRows_shout = $_GET['totalRows_shout'];
      } 
      else 
      {  $all_shout = mysql_query($query_shout, $alex);
         $totalRows_shout = mysql_num_rows($all_shout);
      }
      $totalPages_shout = ceil($totalRows_shout/$maxRows_shout)-1;
 
      $queryString_shout = "";
         if (!empty($_SERVER['QUERY_STRING'])) 
         {  $params = explode("&", $_SERVER['QUERY_STRING']);
            $newParams = array();
            foreach ($params as $param) 
            {  if (stristr($param, "pageNum_shout") == false && 
               stristr($param, "totalRows_shout") == false) 
               {  array_push($newParams, $param);
               }
            }
            if (count($newParams) != 0) 
            {  $queryString_shout = "&" . htmlentities(implode("&", $newParams));
            }
         }
         $queryString_shout = sprintf("&totalRows_shout=%d%s", $totalRows_shout, $queryString_shout);
 
 
$value= $row_point['Point'];     
$updateSQL = sprintf("UPDATE user SET Total='" .$value. "' WHERE UserName = '%s'", $colname_user);
$result = mysql_query($updateSQL);
 
?>
 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="refresh" content="60;URL=ShoutBox.php">
<title>Alex</title>
 
   <SCRIPT language=JavaScript1.1>
   <!-- Begin
      function right(e) 
      {  if (navigator.appName == 'Netscape' && (e.which == 3 || e.which == 2))
            return false;  
         else if (navigator.appName == 'Microsoft Internet Explorer' && (event.button == 2 || event.button == 3)) 
            {  alert("Alexander © 2008");
               return false;
            }
         return true;
      }
 
      document.onmousedown=right;
      document.onmouseup=right;
      if (document.layers) window.captureEvents(Event.MOUSEDOWN);
      if (document.layers) window.captureEvents(Event.MOUSEUP);
         window.onmousedown=right;
         window.onmouseup=right;
   //  End -->
   </SCRIPT>
 
   <style type="text/css">
   <!--
   body {
   cursor: url(http://www.hi5smile.com/cursors/mouse.ani); 
   background-color: #000000;
   }
   
   .style1 
   {  color:#999999;
      font-family:"Copperplate Gothic Bold";
      font-size:10px;
   }
   .style2 
   {  color:#000000;
      font-family:Arial;
      font-size:14px;
   }
   .style3 
   {  font-family: "Copperplate Gothic Bold";
      font-size:14px;
      color:#000000;
      background-color: #990000;
      border-top-color: #666666;
      border-right-color: #666666;
      border-bottom-color: #666666;
      border-left-color: #666666;
      border-color: #666666;
      cursor: hand;
   }
   .style5 
   {  font-family: Arial;
      font-size: 11px;
      color:#999999;
   }
   .style6
   {  font-family:"Copperplate Gothic Bold";
      font-size: 14px;
      color:#333333;
   }
   a:link 
   {  color: #999999;
      text-decoration: none;
   }
   a:visited 
   {  text-decoration: none;
      color: #999999;
   }
   a:hover 
   {  text-decoration: none;
      color: #999999;
   }
   a:active 
   {  text-decoration: none;
      color: #999999;
   }
   a 
   {
   font-family: Arial;
   font-size: 11px;
   color: #999999;
   }
   -->
   </style>
</head>
 
<body><div class="style6"></div>
   <table width="420" height="63" border="0" align="center" cellpadding="0" cellspacing="0">
     <tr>
         <td height="23" colspan="7" valign="top">
        <form onsubmit="return ValidateData(this);" action="<?php echo $editFormAction; ?>" method="POST" name="shout" id="shout"><div align="center"><input name="shout" type="text" class="style2" id="shout" onFocus="if(this.value=='Type Your Shout Here....')this.value='';" value="Type Your Shout Here...." size="45">
        <label><input name="submit" type="submit" class="style3" id="submit" value="Shout It" alt="|| Enter To Shout ||"><input name="user" type="hidden" id="user" value="<?php echo $row_user['UserName']; ?>"><input name="Level" type="hidden" id="Level" value="<?php echo $row_user['Level']; ?>">
        </label><input type="hidden" name="MM_insert" value="shout">
        <input name="Pt" type="hidden" id="Pt" value="<?php echo $row_point['Point'] + 1; ?>">
        </div></form></td>
     </tr>
   <tr> 
         <td width="25" height="20"><span class="style5"><a href="<?php printf("%s?pageNum_shout=%d%s", $currentPage, max(0, $pageNum_shout - 1), $queryString_shout); ?>"><img src="image/arrow/ICON_Left_Arrow.gif" width="20" height="20" border="0" alt="|| Back Pages ||"></a></span></td>
      <td width="61"><span class="style1">Previous</span></td>
      <td width="5"><div align="center" class="style5"></div></td>
         <td width="256" class="style1"><div align="center"><?php echo min($totalPages_shout + 1, $pageNum_shout + 1); echo "  of  "; echo $totalPages_shout + 1; ?></div></td>
      <td width="3" class="style5">&nbsp;</td>
      <td width="40" class="style5"><div align="center" class="style1">Next</div></td>
      <td width="30" height="20" class="style5"><a href="<?php printf("%s?pageNum_shout=%d%s", $currentPage, min($totalPages_shout, $pageNum_shout + 1), $queryString_shout); ?>"><img src="image/arrow/ICON_Right_Arrow.gif" width="20" height="20" border="0" alt="|| Next Pages ||"></a></td>
      
   </tr>
   <tr>
     <td height="5" colspan="7">&nbsp;</td>
   </tr>
<?php do {  $text = $row_shout['Comments'];
         $x=1;
         $data = explode(" ", $text); 
         $count = count($data); 
         if ($data[0]=='/me')
         {  echo "<tr class='style5'><td colspan=6>";
            echo "<font color=white face='Segoe Print'><font color=#990000>||</font> " .$row_shout['UserName']. " ";
            // print the words following "/me" ($data[0]); $count is the word count, so stop before index $count
            while ($x < $count)
            {  echo $data[$x] . " ";
               $x++;
            }
            echo " <font color=#990000>||</font></font></td>";
            $usr = $row_user['UserName'];
               if ($row_shout['UserName']==$usr || $row_user['Level']=='Admin')
               {  echo "<td><div align='center'><a href='DeleteShout.php?id=" .$row_shout['CommentsID']. "'><img src='image/delete/tong.gif' width=16 height=16 border=0 align='top' alt='|| Delete ||'></a>"; 
               }
            echo "</div></td></tr>";
         }
 
         if($data[0]!='/me')
         { echo "<tr><td colspan='2' valign='top'><span class='style5'>";  
           echo "<a href=User.php?user=";
           echo $row_shout['UserName'];
           if($row_shout['UserName'])
           {   echo " title='|| " .ucfirst($row_shout['UserName']). " point is " .$row_shout['Point']. " ||'";
           }
           echo " target='home'>";
            if($row_shout['UserName']=='alex') 
            {  echo "<font face='Comic Sans MS' color=#666666>" .ucfirst($row_shout['UserName']). "</font>";
            }
            if($row_shout['UserName']!='alex') 
            {  echo "<font color=#999999>" .$row_shout['UserName']. "</font>";
            }
           echo "</a>"; 
            if($row_shout['Level']=='Admin')
            {  echo "<img src='image/stat.gif' width='12' height='12' align='middle' alt='AWS'>"; 
            }
            if($row_shout['Level']!='Admin' && $row_shout['Level']!='user')
            {  echo "<img src='image/new/staz.gif' width='12' height='12' align='middle' alt='AFS'>";
            }
            if($row_shout['Point']>200 && $row_shout['Point']<900)
            {  echo "<img src='image/new/p1.gif' width='20' height='20' align='absmiddle' alt='|| Point more than 200 ||'>";
            }
            if($row_shout['Point']>900 && $row_shout['Point']<2000)
            {  echo "<img src='image/new/p3.gif' width='20' height='20' align='absmiddle' alt='|| Point more than 900 ||'>";
            }
            if($row_shout['Point']>2000 && $row_shout['Point']<5000)
            {  echo "<img src='image/new/p7.gif' width='20' height='20' align='absmiddle' alt='|| Point more than 2000 ||'>";
            }
            if($row_shout['Point']>5000)
            {  echo "<img src='image/new/smiley/hamtaro_smilies.gif' width='18' height='18' align='absmiddle' alt='|| Point more than 5000 ||'>";
            }
            echo "</span></td><td width='30' valign='top'><div align='center'><span class='style5'><img src='image/arrow/hoRightBlueArrow.gif' height='12' width='12' align='absmiddle'></span></div></td>";
            echo "<td colspan='3'><span class='style5'>";
               if($row_shout['UserName']=='alex') 
               {  echo "<font face='Comic Sans MS' color=#666666>" .$row_shout['Comments']. "</font>"; 
               }
               if($row_shout['UserName']!='alex') 
               {  echo "<font color=#999999>" .$row_shout['Comments']. "</font>"; 
               }
            echo "</span></td><td class='style5' valign='top'><div align='center'>";
                  $usr = $row_user['UserName'];
               if ($row_shout['UserName']==$usr || $row_user['Level']=='Admin')
               {  echo "<a href='DeleteShout.php?id=" .$row_shout['CommentsID']. "'><img src='image/delete/tong.gif' width=16 height=16 border=0 align='top' alt='|| Delete ||'></a>"; 
               }
            echo "</div></td></tr>";
         }
    } while ($row_shout = mysql_fetch_assoc($shout)); ?>
   </table>
   
    <script language="JavaScript">
      function ValidateData()
      {  var alertsay = "";   // define for long lines
                        // alertsay is not necessary for your code,
                        // but I need to break my lines in multiple lines
                        // so the code won't extend off the edge of the page
 
         // check to see if the field is blank
         if (shout.shout.value == "")
         {  alert("You must fill a shout field!!!");
            shout.shout.focus();
            return (false);
         }
         
         // check to see if the field is blank
         if (shout.shout.value == "Type Your Shout Here....")
         {  alert("You must fill a shout field!!!");
            shout.shout.focus();
            return (false);
         }
      }
      </script>
</body>
</html>
 
<?php
   mysql_free_result($shout);
   mysql_free_result($user);
   mysql_free_result($point);
   
?>
mrlol
Forum Newbie
Posts: 2
Joined: Mon Sep 08, 2008 1:36 am

Re: shoutbox hack .. help plz

Post by mrlol »

By the way, he can also use private messages and other features that involve the database.

tq
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: shoutbox hack .. help plz

Post by Mordred »

350 lines of (may I say, "spaghetti") code, and it may not be the vulnerable one...
I'll pass ;)

Looks like the guy has access to your database, so I would look into the DB server settings and the user privileges, and look around the mysql_query() calls for injections. Are you using GBK or some such strange charset, btw? addslashes() is the wrong function to call.
Cut
Forum Commoner
Posts: 39
Joined: Sat Aug 23, 2008 8:01 pm

Re: shoutbox hack .. help plz

Post by Cut »

These lines, at least:

Code:

                GetSQLValueString($_POST['user'], "text"),
             GetSQLValueString($_POST['Level'], "text"),
                GetSQLValueString($_POST['shout'], "text"),
             GetSQLValueString($_POST['Pt'], "text"));
Everything in POST is up to the user. Hence, he can post whatever username, level, and point number he wants. I don't see where you're getting his IP.
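As an added example, not part of mrlol's code or of any reply in this thread, here is how the shout INSERT handler looks once it stops trusting the form: the username and level come from the session and the `user` table (Cut's point), the point count is computed on the server instead of being read from the hidden `Pt` field, the queries use bound parameters so addslashes() and charset tricks no longer matter (Mordred's point), the script exits after the redirect to Denied.php so an unauthenticated request cannot fall through to the INSERT, and what comes out of the database is escaped before it is echoed. Assumptions: PHP 7 or later, PDO in place of the old mysql_* functions, placeholder DSN and credentials, a hidden `csrf` field that the form page fills from `$_SESSION['csrf']`, and the table and column names that appear in the posted ShoutBox.php.

```php
<?php
// Added example (not mrlol's code, not from any reply): the shout INSERT
// handler rewritten so that nothing the browser sends decides who the
// poster is, what level they have, or how many points they get.
// Assumptions: PHP 7+, a PDO connection instead of the mysql_* functions
// used in the original, placeholder DSN/credentials, and a form rendered
// with a hidden "csrf" field filled from $_SESSION['csrf'].
// Table and column names are the ones visible in the posted ShoutBox.php.
session_start();

// 1. Authentication check. Without the exit, the rest of the script would
//    still run for an anonymous request that simply ignores the redirect.
if (empty($_SESSION['MM_Username'])) {
    header('Location: Denied.php');
    exit;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=alex;charset=utf8mb4',   // placeholder DSN
    'dbuser', 'dbpass',                                   // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// 2. Identity and level come from the session and the user table, never from
//    hidden form fields, so a tampered "user" or "Level" value has no effect.
$stmt = $pdo->prepare('SELECT UserName, Level FROM `user` WHERE UserName = ?');
$stmt->execute([$_SESSION['MM_Username']]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);
if ($user === false) {
    header('Location: Denied.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['MM_insert'] ?? '') === 'shout') {
    // 3. Anti-CSRF token so another site cannot make a logged-in user shout.
    if (!isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
        http_response_code(403);
        exit('Invalid request');
    }

    $shout = trim((string) ($_POST['shout'] ?? ''));
    if ($shout === '' || mb_strlen($shout) > 500) {
        http_response_code(400);
        exit('Shout is empty or too long');
    }

    // 4. Points are derived server-side. The original read "Pt" from a hidden
    //    field, which is how a rating of 9999999 can be posted.
    $pdo->beginTransaction();
    $stmt = $pdo->prepare('SELECT COALESCE(MAX(Point), 0) FROM comments WHERE UserName = ?');
    $stmt->execute([$user['UserName']]);
    $nextPoint = (int) $stmt->fetchColumn() + 1;

    // 5. Prepared statement: user input travels as a bound parameter, so it is
    //    never part of the SQL text and no addslashes()/charset games apply.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (UserName, Level, Comments, Point) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$user['UserName'], $user['Level'], $shout, $nextPoint]);

    $stmt = $pdo->prepare('UPDATE `user` SET Total = ? WHERE UserName = ?');
    $stmt->execute([$nextPoint, $user['UserName']]);
    $pdo->commit();

    header('Location: ShoutBox.php');
    exit;
}

// 6. When displaying shouts, escape what came out of the database; the original
//    echoes Comments and UserName straight into the HTML.
function renderShout(array $row): string
{
    $e = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    return sprintf(
        "<tr><td>%s</td><td>%s</td></tr>\n",
        $e((string) $row['UserName']),
        $e((string) $row['Comments'])
    );
}
```

The hidden `user`, `Level` and `Pt` inputs can simply be dropped from the form; the only fields the server needs from the browser are `shout`, `MM_insert` and the CSRF token. The delete link (`DeleteShout.php?id=...`) needs the same treatment: check the session user against the row's owner on the server, not just when deciding whether to draw the icon.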