Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Author Message
bones
Hangin' Around


Joined: Sep 18, 2003
Posts: 36

PostPosted: Tue Mar 02, 2004 3:53 pm Reply with quote

just wanted to let you know that your 7.0 distro and the hacker script
works perfectly so far the hacker script has stopped the hacker from hacking my site 3 times. Nice job raven.
bob
 
View user's profile Send private message Visit poster's website
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Tue Mar 02, 2004 4:09 pm Reply with quote

I can't tell you the number that have been stopped here also. Thanks for the update!
 
View user's profile Send private message
bones
PostPosted: Tue Mar 02, 2004 4:16 pm Reply with quote

your welcome, i am just called you came up with that script. thanks again
bob
 
Rikk03
Worker
Worker


Joined: Feb 16, 2004
Posts: 164

PostPosted: Wed Mar 03, 2004 6:26 am Reply with quote

I added the hacker script and several of the admin interfaces for Add Story DB Backup and Blocks control all disappear, - I did as instructed, - pasted the union code into mainfile.php.

If i remove that code then they show up again. Any ideas whats causing it?
Richard
 
View user's profile Send private message
Raven
PostPosted: Wed Mar 03, 2004 7:00 am Reply with quote

Please post the first 25 lines or so in your mainfile.php script.
 
Rikk03
PostPosted: Wed Mar 03, 2004 7:03 am Reply with quote

<?php
$phpver = phpversion();
if ($phpver >= '4.0.4pl1' && strstr($HTTP_USER_AGENT,'compatible')) {
if (extension_loaded('zlib')) {
ob_end_clean();
ob_start('ob_gzhandler');
}
} else if ($phpver > '4.0') {
if (strstr($HTTP_SERVER_VARS['HTTP_ACCEPT_ENCODING'], 'gzip')) {
if (extension_loaded('zlib')) {
$do_gzip_compress = TRUE;
ob_start();
ob_implicit_flush(0);
//header('Content-Encoding: gzip');
}
}
}

$phpver = explode(".", $phpver);
$phpver = "$phpver[0]$phpver[1]";
if ($phpver >= 41) {
$PHP_SELF = $_SERVER['PHP_SELF'];
}

if (!ini_get("register_globals")) {
import_request_variables('GPC');
}

foreach ($_GET as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
(eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
(eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
(eregi("\"", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}

foreach ($_POST as $secvalue) {
if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) || (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
}
}

if (eregi("mainfile.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

if ($forum_admin == 1) {
require_once("../../../config.php");
require_once("../../../db/db.php");
} elseif ($inside_mod == 1) {
require_once("../../config.php");
require_once("../../db/db.php");
require_once("../../admin/modules/oscnuke/init.php");
} else {
require_once("config.php");
require_once("db/db.php");
require_once("includes/sql_layer.php");
$dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
include_once("admin/modules/oscnuke/init.php");
}



$mainfile = 1;
$sql = "SELECT sitename, nukeurl, site_logo, slogan, startdate, adminmail, anonpost, Default_Theme, foot1, foot2, foot3, commentlimit, anonymous, minpass, pollcomm, articlecomm, broadcast_msg, my_headlines, top, storyhome, user_news, oldnum, ultramode, banners, backend_title, backend_language, language, locale, multilingual, useflags, notify, notify_email, notify_subject, notify_message, notify_from, footermsgtxt, email_send, attachmentdir, attachments, attachments_view, download_dir, defaultpopserver, singleaccount, singleaccountname, numaccounts, imgpath, filter_forward, moderate, admingraphic, httpref, httprefmax, CensorMode, CensorReplace, copyright, Version_Num, activate_ads, first_ad, next_ads, max_ads, random_ads, hide_ads FROM ".$prefix."_config";
$result = $db->sql_query($sql);
$row = $db->sql_fetchrow($result);
$sitename = $row[sitename];
$nukeurl = $row[nukeurl];
$site_logo = $row[site_logo];
$slogan = $row[slogan];
$startdate = $row[startdate];
$adminmail = $row[adminmail];
 
Rikk03
PostPosted: Wed Mar 03, 2004 7:04 am Reply with quote

phpnuke 7.0
 
Raven
PostPosted: Wed Mar 03, 2004 7:09 am Reply with quote

I need to see the code you are adding and where you added it, etc.
 
Rikk03
PostPosted: Wed Mar 03, 2004 7:16 am Reply with quote

Code:
<?php

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php/");

$phpver = phpversion();
if ($phpver >= '4.0.4pl1' && strstr($HTTP_USER_AGENT,'compatible')) {
    if (extension_loaded('zlib')) {
   ob_end_clean();
   ob_start('ob_gzhandler');
    }
} else if ($phpver > '4.0') {
    if (strstr($HTTP_SERVER_VARS['HTTP_ACCEPT_ENCODING'], 'gzip')) {
   if (extension_loaded('zlib')) {
       $do_gzip_compress = TRUE;
       ob_start();
       ob_implicit_flush(0);
       //header('Content-Encoding: gzip');
   }
    }
}

$phpver = explode(".", $phpver);
$phpver = "$phpver[0]$phpver[1]";
if ($phpver >= 41) {
    $PHP_SELF = $_SERVER['PHP_SELF'];
}

if (!ini_get("register_globals")) {
    import_request_variables('GPC');
}

foreach ($_GET as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
   (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
   (eregi("\([^>]*\"?[^)]*\)", $secvalue)) ||
   (eregi("\"", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

foreach ($_POST as $secvalue) {
    if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||   (eregi("<[^>]*style*\"?[^>]*>", $secvalue))) {
   die ("<center><img src=images/logo.gif><br><br><b>The html tags you attempted to use are not allowed</b><br><br>[ <a href=\"javascript:history.go(-1)\"><b>Go Back</b></a> ]");
    }
}

if (eregi("mainfile.php",$PHP_SELF)) {
    Header("Location: index.php");
    die();
}

if ($forum_admin == 1) {
    require_once("../../../config.php");
    require_once("../../../db/db.php");
} elseif ($inside_mod == 1) {
    require_once("../../config.php");
    require_once("../../db/db.php");
    require_once("../../admin/modules/oscnuke/init.php");
} else {
    require_once("config.php");
    require_once("db/db.php");
   require_once("includes/sql_layer.php");
    $dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
    include_once("admin/modules/oscnuke/init.php"); 
}
 
Rikk03
PostPosted: Wed Mar 03, 2004 7:20 am Reply with quote

should i put that union code into the header instead maybe?
 
Rikk03
PostPosted: Wed Mar 03, 2004 7:22 am Reply with quote

Ive got to go out - back in an hour or so
 
Raven
PostPosted: Wed Mar 03, 2004 7:24 am Reply with quote

Look at your error logs (server and php) to see if there are any notes there. Also, remove the trailing /. You can try moving it but I don't know why that would matter.
 
Rikk03
PostPosted: Wed Mar 03, 2004 9:38 am Reply with quote

Removing the trailing / worked!

Richard Razz
 
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

PostPosted: Fri Mar 12, 2004 10:58 pm Reply with quote

Hi RavenFolk!

Just wanted to thank Raven for another d*** nice script!

(I hope that my saying the D word doesn't get me banned) Smile

Anyway.. I set this script up in my PHP-Nuke 7.0 (NukeCops 2.2 bundle) and just to let you know, I replaced their

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: index.php"); 


With your

Code:
if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php");


Please note that this differs from your instructions which show:
Code:
    if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) header("Location: hackattempt.php/");


The TRAILING / HAD TO BE REMOVED in order for this solution to work and in order for the page to come up. Otherwise, I simply got an error and no email was created either.

You may want to update your readme to indicate this minor correction.

As another note, I was happy to see that the NukeCops bundle addressed the issue, but I AM concerned that no effort is made in their solution to notify me that an attempt has been made to comprimise my site. Anyway... this seems to totally fix that problem.

Thanks again!

_________________
Steph Benoit Only registered users can see links on this board! Get registered or login!
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
View user's profile Send private message Visit poster's website
Raven
PostPosted: Fri Mar 12, 2004 11:10 pm Reply with quote

Actually, use this code instead:

if (stristr($_SERVER["QUERY_STRING"],'%20union%20')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
die();
}

I have just updated the download and will announce it Smile
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©