Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script
Author Message
stevewalsh
New Member
New Member


Joined: May 06, 2004
Posts: 7

PostPosted: Wed May 12, 2004 12:55 am Reply with quote

to trap this exploit after it had gotten through my hack alert script, i simply changed the code at the start of Mainfile.php from

Code:
$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courte

// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20')) {
        $loc = $_SERVER['QUERY_STRING'];
        header("Location: hackattempt.php?$loc");
        die();


to

Code:
$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courte

// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20') or
   strstr($checkurl,'eCcgVU5JT04gU0VMRUNUIDEvKjox')) {
        $loc = $_SERVER['QUERY_STRING'];
        header("Location: hackattempt.php?$loc");
        die();


Hope this helps others.


Last edited by stevewalsh on Wed May 12, 2004 3:59 am; edited 1 time in total 
View user's profile Send private message
GanjaUK
Life Cycles Becoming CPU Cycles


Joined: Feb 14, 2004
Posts: 633
Location: England

PostPosted: Wed May 12, 2004 2:24 am Reply with quote

You can change the: eCcgVU5JT04gU0VMRUNUIDEvKjox when exploiting?

(User-level authentication bypass exploit),
That pesky private message exploit and forum too was still getting in to my site and sending me private messages with MY account, and also the power to change my profile and make and or delete posts etc.

In modules.php
before:

Code:
global $nukeuser, $db, $prefix;


Add:
Code:
    if (stristr($_SERVER["QUERY_STRING"],'&user=') AND $name==Private_Messages) header("Location: hackattempt.php");

Thanks to chatserv for that.

However with that addition to modules.php, they was blocked from exploiting it via private messages but they could still get in via forum module. So I changed to this:

Code:


    if (stristr($_SERVER["QUERY_STRING"],'&user=') AND $name==Private_Messages) header("Location: hackattempt.php");
    if (stristr($_SERVER["QUERY_STRING"],'&user=') AND $name==Forums) header("Location: hackattempt.php");


Now they can kiss the hack alert script instead.

_________________
Only registered users can see links on this board! Get registered or login!

Last edited by GanjaUK on Wed May 12, 2004 2:41 am; edited 1 time in total 
View user's profile Send private message Visit poster's website
stevewalsh
PostPosted: Wed May 12, 2004 2:34 am Reply with quote

Ah, but the eCcgVU5JT04gU0VMRUNUIDEvKjox is the Base64 encoding of the Union statement, so if they change the value, it will no longer do what it's meant to. This is used as a way to get past checking just for the %20UNION%20.

So far, I'm fine on the Forums exploit, as I'm not using the forums module, but thanks for the private message, I'll drop that into my sites right now.
 
GanjaUK
PostPosted: Wed May 12, 2004 2:37 am Reply with quote

stevewalsh wrote:
Ah, but the eCcgVU5JT04gU0VMRUNUIDEvKjox is the Base64 encoding of the Union statement, so if they change the value, it will no longer do what it's meant to.


Ahh right, ok. Smile
 
stevewalsh
PostPosted: Sat May 15, 2004 8:57 am Reply with quote

Yet another change

Code:
$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net

// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20') or
   strstr($checkurl,'eCcgVU5JT04gU0VMRUNUIDEvKjox') or
    strstr($checkurl,'/*')) {
        $loc = $_SERVER['QUERY_STRING'];
        header("Location: hackattempt.php?$loc");
        die();
}


the extra line will pick up the MySQL break command (/* */).

HTH
 
sixonetonoffun
Spouse Contemplates Divorce


Joined: Jan 02, 2003
Posts: 2496

PostPosted: Sat May 15, 2004 9:36 am Reply with quote

Nice I know Ravens been considering an expanded version.
 
View user's profile Send private message
Raven
Site Admin/Owner


Joined: Aug 27, 2002
Posts: 17086

PostPosted: Sat May 15, 2004 11:23 am Reply with quote

My latest release traps the /*. I cannot and never have been able to get the base64 exploit to work on my site. So, just for clarification, the base64 exploit still get's past my latest release of hack alert? If so, please try it on my site. Be sure to tell me your IP elsewise you will be banned from the Land of Oz and I contact every ISP, regardless Smile. PM me your IP if you try the exploit. Thanks.
 
View user's profile Send private message
newbie
Regular
Regular


Joined: May 03, 2004
Posts: 62
Location: USA

PostPosted: Sat May 15, 2004 12:40 pm Reply with quote

Raven wrote:
My latest release traps the /*. I cannot and never have been able to get the base64 exploit to work on my site. So, just for clarification, the base64 exploit still get's past my latest release of hack alert? If so, please try it on my site. Be sure to tell me your IP elsewise you will be banned from the Land of Oz and I contact every ISP, regardless Smile. PM me your IP if you try the exploit. Thanks.


Raven,

If you want ... I get a variety of new attempts everyday .. I can post you the ones that the hackalert doesn't catch. Usually hackalert catches them before the Protector does ... but there's been a couple that weren't caught. I pm'd the most recent one to Six a little while ago.
 
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
GanjaUK
PostPosted: Sat May 15, 2004 1:07 pm Reply with quote

I can try the private message and forum exploit if you like raven. This exploit got through on my site multiple times, until I added the lines to modules.php I mentioned above.
 
Raven
PostPosted: Sat May 15, 2004 8:40 pm Reply with quote

Just to be clear, the only hacks that my script is aimed at are the UNION types. I have posted another script for the admin.php hack. If you have a union attack that gets through, please PM me the exploit. Thanks!
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Hack Attempt Script

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©