Ravens PHP Scripts: Forums
 

 

chatserv
PostPosted: Thu Apr 29, 2004 2:19 pm

Hackalert is authored by Raven, not me. As it comes, it protects you from union-based attacks, but it can be adapted for many other forms of protection, which is what has been done with several of those offered in here.
 
southern
PostPosted: Thu Apr 29, 2004 2:25 pm

Empirically, from my own experience, Raven's hackalert script is superior to misterWORK's Protector. I cannot speak to the so-called 'Fortress' of NC as I haven't tried it and have no intention of trying it.

_________________
Computer Science is no more about computers than astronomy is about telescopes.
- E. W. Dijkstra 
sixonetonoffun
PostPosted: Thu Apr 29, 2004 2:34 pm

Yeah, I think it depends on what the user wants.
Protector brings with it the most bloat but offers info at several levels and is actively maintained and updated. (It's come a long way in its short cycle.) There was talk of this being put into the distro at NC? I don't know if it is or not, but that would be nice for people who are trying to remain current, or at least kind of current.

Raven's Alert script is nice because it could be called anyplace within your script.
All the variables that are checked could also be set up to send an alert (I think Steve might be on this yet?)

Fortress adds a new layer of checking global variables. Then it also has a modest alert script. (But it is also unstable, unless some new version has come out since this a.m.) It was released with much more fanfare than it has justified so far.
 
sixonetonoffun
PostPosted: Thu Apr 29, 2004 2:38 pm

lmao southern, I just can't stay away from testing these filters. Though I've not used or tested Protector, I did download it and examine it a little.
 
southern
PostPosted: Thu Apr 29, 2004 3:05 pm

I live to make you laugh, careful of that tractor... I live in that field ya know.
 
Raven
PostPosted: Thu Apr 29, 2004 3:05 pm

Different strokes for different folks. My script is two-fold, as has been stated. It adds code to mainfile.php to catch the UNION exploit. Chat and I actually collaborated one night when the exploit first started being used. We tossed a bunch of stuff at each other and somehow I ended up with that. Then, the script is a caveat. You could just die() with a slap from somebody. I wanted sensationalism and came up with what I did in the actual script. I was using the IP lookup and auto-email 'technology' back in 2002 (way before anyone started using it with nuke) when the red-worm attacks were so prevalent. My script back then would actually auto-email the abuse addys from the lookup in addition to the webmaster. Anyway, as Chat notes, you can call my script from any code and it will do that lookup and email procedure. Trying to compare it to PS is apples and oranges. PS is more aimed at banning whereas mine is at notification. As to the other one you mention, it's imitation, imo.
 
sixonetonoffun
PostPosted: Thu Apr 29, 2004 3:46 pm

lol yeah I have a 55 UB Special gas.

Edit:
Oops, this got off topic and out of sync.
 
sixonetonoffun
PostPosted: Thu Apr 29, 2004 3:58 pm

Anyone care to add info for
admin secure and myNukeSecuRity?

Admin secure: the code was so blobbed together I didn't even bother checking it out; it could just as well have been encrypted. myNukeSecuRity looked nice and simple, my 2 favorite things.
 
sting
PostPosted: Fri Apr 30, 2004 12:17 pm

Found the bugtraq on the /**/exploit. Interestingly enough, it was about breaking through Protector.


Here it is:

Quote:


{================================================================================}
{ [waraxe-2004-SA#025] }
{================================================================================}
{ }
{ [ Multiple vulnerabilities in Protector System 1.15b1 for PhpNuke ] }
{ }
{================================================================================}

Author: Janek Vind "waraxe"
Date: 23. April 2004
Location: Estonia, Tartu
Web: [ Only registered users can see links on this board! Get registered or login! ]


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Protector System - A PHPNuke addon for blocking ip numbers from your site & prevent
hack attempt!

Creator: Marcus aka Mister
Mail: [ Only registered users can see links on this board! Get registered or login! ]
Home page: [ Only registered users can see links on this board! Get registered or login! ]
Support page: [ Only registered users can see links on this board! Get registered or login! ]


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - unchecked user submitted variable "portNum" (in integrated Network Query Tool)

If we make http request like this:
[ Only registered users can see links on this board! Get registered or login! ]

... then we will see standard php error messages, revealing full path to script:

Warning: fsockopen() expects parameter 2 to be long, string given in D:\apache_wwwroot\nuke72\admin\modules\blocker_query.php on line 305
Port foobar does not appear to be open.

The reason is that the script does not check the validity of portNum, which must be an integer in the range 1..65535.



B. Cross-site scripting aka XSS (in integrated Network Query Tool)


B1 - XSS through unsanitized user submitted variable "target"
[ Only registered users can see links on this board! Get registered or login! ]">[xss code here]


B2 - XSS through unsanitized user submitted variable "portNum"
[ Only registered users can see links on this board! Get registered or login! ] code here]



C. Sql injection:

C1 - noncritical sql injection in "blocker.php"

Let's look at original code in /includes/blocker.php line 252:


if( isset( $_SERVER ) ) { $ref_addr = $_SERVER['HTTP_REFERER']; }
else { $ref_addr = getenv( 'HTTP_REFERER' ); }

if( isset( $_SERVER ) )
{
    $last_page = $_SERVER['SCRIPT_NAME'];
    if (($_SERVER['QUERY_STRING']) != "") { $last_page = $last_page . "?" . $_SERVER['QUERY_STRING'] ;}
    $query_blocker = $_SERVER['QUERY_STRING'] ;
}
else
{
    $last_page = getenv(SCRIPT_NAME);
    if ((getenv(QUERY_STRING)) != "") { $last_page = $last_page . "?" . getenv(QUERY_STRING) ;}
}
$last_page = urldecode($last_page);

As we can see, $last_page has the value of the urldecoded QUERY_STRING. So if we add something like %27 to the query
string, then after urldecode() we have "'" (single quote) and this can be
the beginning of a brand new sql injection case. Let's look further:

###################################
#Page Tracker Function by Kipuka
#
###################################
if ($tracker_del_on == 1) {
    $max_tracker_check = $db->sql_query("SELECT count(*) as count FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id'");
    $numrows = $db->sql_numrows($max_tracker_check);

    if ($numrows > 0) {
        list($count) = $db->sql_fetchrow($max_tracker_check);
    }
    //die("$last_page");
    if ($count < $tracker_max_b) {
        $db->sql_query("INSERT DELAYED INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')");

        $sqlx = "INSERT DELAYED INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')";
        $xxx = mysql_error();
        //die("$xxx");

    } else {
        $tracker_limitB = $count - $tracker_max_b;
        $result = $db->sql_query("SELECT id FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id' ORDER BY page_date LIMIT ".$tracker_limitB.",1");
        $numrows = $db->sql_numrows($result);
        if ($numrows > 0) {
            $row = $db->sql_fetchrow($result);
            $page_id = $row['id'];
            $db->sql_query("DELETE FROM ".$prefix."_blocked_pagetracker WHERE id_tracker = '$access_id' AND id <= '$page_id'");
        }
        $xxx = mysql_error();
        die("$xxx");
        $db->sql_query("INSERT INTO ".$prefix."_blocked_pagetracker (last_page ,page_date ,id_tracker) VALUES ('$last_page', '$date', '$access_id')");
    }
}

So, the sql injection possibility exists, but not in a "SELECT FROM" clause; it is in an "INSERT INTO" construction. So forget the
UNION and JOIN tricks. And MySql version 4.1 is not yet in wide use, so we can't use subselects...
Therefore this is a noncritical sql injection case, but anyway, a potential attacker can use this security hole to
accomplish some tasks by using the built-in mysql functions like:

DATABASE()
USER()
SYSTEM_USER()
SESSION_USER()
VERSION()

Because the attacker doesn't have visual feedback from the script, "blindfolded" methods must be used, for example
the "benchmark" method. This can be implemented in a perl (php, python, etc...) script, using http requests similar to this:
[ Only registered users can see links on this board! Get registered or login! ]

I have written proof of concept code in perl for this exploit and it works perfectly.


D. Easy bypass of the anti-sql-injection filters

Protector System implements various filters against XSS and sql injection. Examples:

...

//IF the user sending any $_SERVER["HTTP_REFERER"] then continue
if (strlen($_SERVER["HTTP_REFERER"]) > 0) {
//If the user is POSTing from another server do a scan
if(eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $sTemp) && !ereg("(http://$_SERVER[HTTP_HOST])", $_SERVER["HTTP_REFERER"]))
{
$original_ip = long2ip(-(4294967296-$ipcheck));
$the_error = "User $the_blocked_user with IP $original_ip tried to send information thru a POST method\r\n"

...

if(eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $sTemp))
{
//Just send a mail incase =)
if ($pro_mail && $pro_mail != '' && $mail_blocker == '1') { mail($pro_mail, $blocker_subject, $the_unset_error, $headers); }
unset($_POST[$FormFieldName]);
echo "<p><h1>Your Attempt to use SQL exploit was blocked</h1>";
echo "<i>Powered whit Protector System</i>";
die();
}
}

...

if($sec_cookieB == '1')
{
foreach ($_COOKIE as $cookie_name => $value_cookie) {
$result = $db ->sql_query("SELECT cookie FROM ".$prefix."_blocked_agent WHERE cookie = '$cookie_name'");
if($db->sql_numrows($result)>0 && !empty($_COOKIE))
{
if (eregi("union\ |&#?[a-zA-Z0-9]+;|:\/\/|\.\.\/|[$<>{}\(\)\"'`]", $value_cookie)) {
$value_cookie = htmlspecialchars($value_cookie, ENT_QUOTES);
setcookie($cookie_name,"", time() - 3600);
unset($_COOKIE[$cookie_name]);
}
}

...

###########################################################################
#Block unvanted GET code!
#Security scan of REQUEST_METHOD GET
#
############################################################################
if($sec_getB == '1')
{
if ((eregi("admin.php", $_SERVER['PHP_SELF']) && preg_match("/\?admin/", "$last_page")) OR (eregi("(^|[^a-zA-Z0-9])union(\ )+(all\ |distinct\ )?(\ )*select\ |\.\.\/", $last_page)) OR (stristr($last_page, "admin=")))
{

...

Nice try - not only GET, but POST and COOKIE variables get sanitized too.
But look what I read some days ago:
[ Only registered users can see links on this board! Get registered or login! ]

This whitepaper, written by Ofer Maor and Amichai Shulman, describes various methods to
bypass sql injection detection and the final conclusion is:

"At this point, we believe the conclusion of this paper is clear to the
reader. Signature protection against SQL Injection is simply not
enough. Although this paper demonstrates only some of the variety
of evasion techniques for avoiding SQL Injection signatures, some or
even all of these techniques are likely to operate on most of today's
signature protection mechanisms."

I'm a hundred percent in agreement with this. So let's try to fool the sql injection filters in
Protector System in practice. First, we make a request like this:
[ Only registered users can see links on this board! Get registered or login! ]

Oops, we got caught by Protector System: "The ip 127.0.0.1 has been blocked!"

Ok, it's time to show how to evade this filter using sql comments:
[ Only registered users can see links on this board! Get registered or login! ]

Bingo! The filter lets us through!



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to torufoorum members and to all bugtraq readers in Estonia! Tervitused!
Special greets to [ Only registered users can see links on this board! Get registered or login! ] staff!



Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ Only registered users can see links on this board! Get registered or login! ]
Janek Vind "waraxe"

Homepage: [ Only registered users can see links on this board! Get registered or login! ]

---------------------------------- [ EOF ] ------------------------------------



-sting
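Section C of the quoted advisory turns on urldecode() putting a raw single quote into a string-built INSERT. As an added example (mine, not the advisory's or Protector's code), here is the same data flow in Python against an in-memory SQLite table, with the tracker's string-built INSERT beside a parameterized one; the table name, the stand-ins for $date and $access_id, and the sample requests are constructed.

```python
import sqlite3
from urllib.parse import unquote

# Constructed stand-ins for $date and $access_id in the tracker code (added example).
PAGE_DATE = "2004-04-23 12:00:00"
ACCESS_ID = "42"


def last_page_from_request(script_name: str, query_string: str) -> str:
    """Same steps as blocker.php: SCRIPT_NAME, optional '?' + QUERY_STRING, then urldecode.
    After this call a %27 in the query string is a literal single quote."""
    last_page = script_name
    if query_string != "":
        last_page = last_page + "?" + query_string
    return unquote(last_page)


def fresh_tracker_db() -> sqlite3.Connection:
    """In-memory stand-in for the nuke _blocked_pagetracker table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE blocked_pagetracker ("
        "id INTEGER PRIMARY KEY, last_page TEXT, page_date TEXT, id_tracker TEXT)"
    )
    return conn


def build_vulnerable_insert(last_page: str) -> str:
    """The string-built INSERT from the tracker (plain INSERT, since SQLite has no DELAYED):
    the decoded page is spliced straight into the statement text."""
    return (
        "INSERT INTO blocked_pagetracker (last_page, page_date, id_tracker) "
        f"VALUES ('{last_page}', '{PAGE_DATE}', '{ACCESS_ID}')"
    )


def _last_stored(conn: sqlite3.Connection):
    row = conn.execute(
        "SELECT last_page FROM blocked_pagetracker ORDER BY id DESC LIMIT 1"
    ).fetchone()
    return None if row is None else row[0]


def track_vulnerable(conn: sqlite3.Connection, script_name: str, query_string: str):
    """Run the tracker's string-built INSERT. Returns the stored last_page, or None when
    the quote that urldecode() let through broke the statement: the server-side
    error that the advisory describes as the foothold for blind injection."""
    last_page = last_page_from_request(script_name, query_string)
    try:
        conn.execute(build_vulnerable_insert(last_page))
    except sqlite3.Error:
        return None
    return _last_stored(conn)


def track_parameterized(conn: sqlite3.Connection, script_name: str, query_string: str):
    """Same data flow with a bound parameter: the decoded value, quote and all, is
    stored as data and never parsed as SQL."""
    last_page = last_page_from_request(script_name, query_string)
    conn.execute(
        "INSERT INTO blocked_pagetracker (last_page, page_date, id_tracker) VALUES (?, ?, ?)",
        (last_page, PAGE_DATE, ACCESS_ID),
    )
    return _last_stored(conn)


if __name__ == "__main__":
    db = fresh_tracker_db()
    print(track_vulnerable(db, "/modules.php", "name=News"))            # stored normally
    print(track_vulnerable(db, "/modules.php", "name=News%27%20x"))     # None: statement broken
    print(track_parameterized(db, "/modules.php", "name=News%27%20x"))  # stored with the quote
```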
 
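Section D of the quoted advisory shows the space-dependent signature being evaded with SQL comments. This added example (not Protector's or waraxe's code) transcribes that signature to Python and adds a normalization pass, collapsing comments and whitespace the way the database lexer would, before matching; the sample query strings are constructed.

```python
import re

# Python transcription of the Protector System signature quoted in section D
# (eregi() -> re.IGNORECASE). The transcription and all sample inputs below are
# constructed for this added example; nothing here is Protector's own code.
PROTECTOR_UNION_SIGNATURE = re.compile(
    r"(^|[^a-zA-Z0-9])union( )+(all |distinct )?( )*select |\.\./",
    re.IGNORECASE,
)


def raw_signature_hits(value: str) -> bool:
    """The check as the filter runs it: the literal spaces in the pattern are mandatory,
    so anything other than a space between the keywords is invisible to it."""
    return PROTECTOR_UNION_SIGNATURE.search(value) is not None


def normalize_like_sql_lexer(value: str) -> str:
    """Rewrite the input the way the database will read it before matching:
    a /* ... */ comment is a token separator, and any run of whitespace
    (tabs, newlines, multiple spaces) is one separator. Both collapse to a
    single space, so 'union/**/select' reads as 'union select'."""
    no_comments = re.sub(r"/\*.*?\*/", " ", value, flags=re.DOTALL)
    return re.sub(r"\s+", " ", no_comments)


def normalized_signature_hits(value: str) -> bool:
    """The same signature after normalization. This closes the comment and
    whitespace gap the advisory demonstrates, but it is still a signature:
    it also fires on ordinary text that happens to contain the keywords."""
    return PROTECTOR_UNION_SIGNATURE.search(normalize_like_sql_lexer(value)) is not None


def classify(value: str) -> str:
    """Summarize how the two checks treat one input, for a quick table."""
    raw, norm = raw_signature_hits(value), normalized_signature_hits(value)
    if raw and norm:
        return "blocked by both"
    if norm:
        return "missed raw, caught normalized"
    return "passes both"


if __name__ == "__main__":
    # Constructed query strings: a plain keyword pair, the comment-separated form
    # from the advisory, a tab-separated form, and a benign sentence that the
    # signature cannot tell apart from an attack.
    for sample in (
        "name=News&id=1 union select 1,2",
        "name=News&id=1/**/union/**/select/**/1,2",
        "name=News&id=1\tUNION\tALL\tSELECT\t1,2",
        "search=student union select few",
    ):
        print(f"{classify(sample):30s} {sample!r}")
```

Normalization closes the gap shown in the advisory but, as the quoted whitepaper concludes, a signature still both misses variants and blocks benign text, so escaping or parameterizing at the query remains the control that matters.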
Raven
PostPosted: Fri Apr 30, 2004 12:32 pm

It appears that Chatserv fixed the base64 exploit quite a while ago. It simply involves applying addslashes() to the cookie values.
 
sting
PostPosted: Fri Apr 30, 2004 12:54 pm

That is what I am discovering.

-sting
 
sting
PostPosted: Fri Apr 30, 2004 1:45 pm

According to Chatserv, one other way to prevent base64 exploits is to use the addslashes() command before any reference to the base64_decode function. The following is the documentation of this particular fix.

In your auth.php file

Find:
Quote:

if(isset($admin) && $admin != "") {
$admin = base64_decode($admin);


And replace it with:

Quote:

if(isset($admin) && $admin != "") {
$admin = addslashes($admin);
$admin = base64_decode($admin);


Those of you running 7.0 and above: you will need to edit the following in your mainfile.php; those of you with 6.9 and below need to do the same, but be aware that the last two functions, is_group and update_points, do not exist in your mainfile.php (i.e. they therefore do not need to be, nor can be, edited).

In your mainfile.php,
Function: is_admin($admin):
Find
Quote:

function is_admin($admin) {
global $prefix, $db;
if(!is_array($admin)) {
$admin = base64_decode($admin);

Replace with:
Quote:

function is_admin($admin) {
global $prefix, $db;
if(!is_array($admin)) {
$admin = addslashes($admin);
$admin = base64_decode($admin);


Function:is_user($user):
Find
Quote:

function is_user($user) {
global $prefix, $db, $user_prefix;
if(!is_array($user)) {
$user = base64_decode($user);

Replace with:
Quote:

function is_user($user) {
global $prefix, $db, $user_prefix;
if(!is_array($user)) {
$user = addslashes($user);
$user = base64_decode($user);


Function cookiedecode($user) :
Find:
Quote:

function cookiedecode($user) {
global $cookie, $prefix, $db, $user_prefix;
$user = base64_decode($user);

Replace with:
Quote:
function cookiedecode($user) {
global $cookie, $prefix, $db, $user_prefix;
$user = addslashes($user);
$user = base64_decode($user);


Function: getusrinfo($user):
Find:
Quote:

function getusrinfo($user) {
global $userinfo, $user_prefix, $db;
$user2 = base64_decode($user);

Replace with:
Quote:

function getusrinfo($user) {
global $userinfo, $user_prefix, $db;
$user = addslashes($user);
$user2 = base64_decode($user);


Function: public_message()
Watch this one - it's a bit tricky to locate - there are two occurrences of base64_decode in this one that need to have the addslashes before them. They were bunched up in the code, not nice and neat like the previous ones, so look closely. I suggest doing a find on base64 and changing as you go through, hitting 'next' along the way.

Find:
Quote:
if (!is_user($user) OR (is_user($user) AND ($pm_show == 1))) {
$c_mid = base64_decode($p_msg);

Replace with:
Quote:

if (!is_user($user) OR (is_user($user) AND ($pm_show == 1))) {
$p_msg = addslashes($p_msg);
$c_mid = base64_decode($p_msg);


Find:
Quote:
if ($mid == 0 OR $mid == "") {
setcookie("p_msg");
} else {
$mid = base64_encode($mid);

Replace with:
Quote:

if ($mid == 0 OR $mid == "") {
setcookie("p_msg");
} else {
$mid = addslashes($mid);
$mid = base64_encode($mid);


Function: get_theme()
Find:
Quote:

function get_theme() {
global $user, $cookie, $Default_Theme;
if(is_user($user)) {
$user2 = base64_decode($user);

Replace with:
Quote:

function get_theme() {
global $user, $cookie, $Default_Theme;
if(is_user($user)) {
$user = addslashes($user);
$user2 = base64_decode($user);


At this point, 6.5 - 6.9 users are finished. 7.0 and above continue on to patch the following two functions:

Function: is_group($user, $name)
Find:
Quote:

function is_group($user, $name) {
global $prefix, $db, $user_prefix;
if(!is_array($user)) {
$user = base64_decode($user);

Replace with:
Quote:
function is_group($user, $name) {
global $prefix, $db, $user_prefix;
if(!is_array($user)) {
$user = addslashes($user);
$user = base64_decode($user);

and finally
Function: update_points($id)
Find:
Quote:

function update_points($id) {
global $user_prefix, $prefix, $db, $user, $pswitch;
if (is_user($user)) {
if(!is_array($user)) {
$user1 = base64_decode($user);

Replace with:
Quote:

function update_points($id) {
global $user_prefix, $prefix, $db, $user, $pswitch;
if (is_user($user)) {
if(!is_array($user)) {
$user = addslashes($user);
$user1 = base64_decode($user);


Thanks to Chatserv for his patience in helping me to semi-understand and document this one.
-sting


Last edited by sting on Sun May 02, 2004 12:30 pm; edited 1 time in total 
sixonetonoffun
PostPosted: Fri Apr 30, 2004 6:43 pm

When doing these replacements on heavily modded sites it is highly recommended you get a good utility like Beyond Compare or CompareIT (WinMerge does a bang-up job for these simpler jobs too; it just doesn't do the advanced directory and binary comparisons). Then you can just compare your mod files with the ones Chatserv has been so diligently patching. Of course, as always, back up the originals so you can "roll back" should you miss something. Helps us windows kids who can't grep.

If you really like the command line there is a great looking set of utilities for various O/S: [ Only registered users can see links on this board! Get registered or login! ]
But the price is a little higher than the comparable windows versions above.

Another windows compare util
FCU [ Only registered users can see links on this board! Get registered or login! ]
Has both a free and very reasonable paid version.

One more for the hardcore!
The Berkley Utilities
40 unix commands ported to DOS [ Only registered users can see links on this board! Get registered or login! ]
 
southern
PostPosted: Fri Apr 30, 2004 8:46 pm

DOS on Win XP?? Surely you jest! But thanks, sixone, for the utilities sites and the reminder to backup. There've been times I wished I'd backed up.
And thanks, sting, for taking the trouble to post those fixes... chatserv patches files faster than I, for one, can put on his fixes.
 
southern
PostPosted: Fri Apr 30, 2004 10:05 pm

I can't find the second instance of
Code:


if (!is_user($user) OR (is_user($user) AND ($pm_show == 1))) {
$c_mid = base64_decode($p_msg);

Tricky or nonexistent?
 
sixonetonoffun
PostPosted: Sat May 01, 2004 12:21 am

The 2 aren't the same did ya catch that?

Hmn we can setup a fat partition for that dos hehe!
 
southern
PostPosted: Sat May 01, 2004 12:35 pm

Hmmph, I'm gonna find that other instance if I hafta stay up all night poring over mainfile...
 
sting
PostPosted: Sat May 01, 2004 3:24 pm

Hey guys, sorry - there aren't two instances of that one statement, just two places within that function where the addslashes needs to be added.

Sorry for the confusion

-sting
 
southern
PostPosted: Sat May 01, 2004 8:43 pm

I only find one but the night is young...
How about a snippet of code from 7.1 to show there are two?
Not that I doubt you, hehe, yet.
 
sting
PostPosted: Sun May 02, 2004 12:31 pm

LOL, okay I edited the post. This is what it says now, and gives you an idea of how to look for it...

Function: public_message()
Watch this one - it's a bit tricky to locate - there are two occurrences of base64_decode in this one that need to have the addslashes before them. They were bunched up in the code, not nice and neat like the previous ones, so look closely. I suggest doing a find on base64 and changing as you go through, hitting 'next' along the way.

Find:
Quote:
if (!is_user($user) OR (is_user($user) AND ($pm_show == 1))) {
$c_mid = base64_decode($p_msg);

Replace with:
Quote:

if (!is_user($user) OR (is_user($user) AND ($pm_show == 1))) {
$p_msg = addslashes($p_msg);
$c_mid = base64_decode($p_msg);


Find:
Quote:
if ($mid == 0 OR $mid == "") {
setcookie("p_msg");
} else {
$mid = base64_encode($mid);

Replace with:
Quote:

if ($mid == 0 OR $mid == "") {
setcookie("p_msg");
} else {
$mid = addslashes($mid);
$mid = base64_encode($mid);


These are the two areas within that function that need to be edited.
-sting
 
southern
PostPosted: Sun May 02, 2004 1:13 pm

Thanks very much, sting, that clarifies that.
 
Lee
PostPosted: Fri May 07, 2004 7:10 pm

Is this script already installed on the Raven Nuke v7 pack?
 
sting
PostPosted: Fri May 07, 2004 7:19 pm

It's in chatserv's updates as of May 4 I believe. See the front page for the links to those files.

-sting
 
Raven
PostPosted: Sat May 08, 2004 7:24 pm

I have issued an update today. See the news item on the front page for more info.
 
southern
PostPosted: Sun May 09, 2004 12:11 pm

sixonetonoffun wrote:
[...] Helps us windows kids who can't grep.

[...] One more for the hardcore!
The Berkley Utilities
40 unix commands ported to DOS [ Only registered users can see links on this board! Get registered or login! ]


There is actually a semi-UNIX utility in WIN XP, fsutil; type fsutil at a command prompt...
Documentation: [ Only registered users can see links on this board! Get registered or login! ]
 