15 replies to this topic

[CaptainClucks]

I know this isn't the right forums for this kind of stuff, but I don't frequent any other place as much as here but...

Just a few minutes ago I was skimming around my script archive looking for some code I needed, when I was finished, I closed explorer and opened scite, as scite re-sized, I noticed there was something out of the usual on my desktop.

It was an image thumbnail out of place, I have a special directory for all images and seeing the image thumbnail with the ocean sunset thing that stands out from all the other icons caught my eye immediately.

I tried to refresh my memory and remember how it got there as I was typing into scite and, and it's lingering presence in my mind made me open it, as I opened it I realized it could have not been me who saved such an image, if it wasn't for that I wouldn't have found a few shells that were uploaded about 3 months ago, both r57 and c99 were there, several copies, if it wasn't for prior foresight they would have been able to use them, but luckily I had disabled execution of php files and replaced the php extension with something else in order to keep someone doing this busy for a good while.

As I looked deeper into the problem I noticed there were a ton of nyancat, my little pony and anonymous pictures all over the server, thankfully it doesn't seem like they were able to delete anything or execute any of the shells.

This is the code I use for file uploads on my site., apparently someone has been exploiting it to upload ridiculous images of anonymous hackers, nyancats and obscene my little pony characters...

Code on index page~

Plain Text        expandcollapse  popup

Function UploadForm() {
  global $allowed,$one,$notyet,$final,$language,$keys,$num_files,$flat_allowed,$txt;
  Echo PageHeader();
  Echo '<div id="upload"><h2><p align="center" class="header">Uploade your shit 1.0</p></h2>';
  require_once('C:/UniServer/www/inc/config.php');
  require_once('C:/UniServer/www/inc/Internal.php');
  require_once("C:/UniServer/www/inc/$language.lng");
  $keys = array_keys($allowed);
  foreach($keys as $one)
  if (!in_array(strtolower($one), array('text', 'exec', 'image', 'package'))) {
   echo '<p align="center"><span style="color:red; font-size: 12pt;"><b>'.$txt['unknown_attr'].': '.$one.'<br />'.$txt['unknown_notify'].'</b></span></p>';
   exit;
  }
  if (_CHANGE_NUM === true && isset($_GET['num_files']) && is_numeric($_GET['num_files']))
  $num_files = (int)$_GET['num_files'];
  foreach($allowed as $notyet)
  foreach($notyet as $final)
  $flat_allowed[] = strtolower($final);
  PrintForm();
  clearstatcache();
  Echo '<br><center>Only you can prevent forest fires!</center></div>';
  Echo PageFooter();
}

Upload.php

Plain Text        expandcollapse  popup

<?PHP
require_once('config.php');
require_once('Internal.php');
require_once("$language.lng");

define('_REALPATH', 'C:\UniServer\www\autorepo\User Uploads/');

$keys = array_keys($allowed);
foreach($keys as $one) if (!in_array(strtolower($one), array('text', 'exec', 'image', 'package'))) {
    echo '<p align="center"><span style="color:red; font-size: 12pt;"><b>'.$txt['unknown_attr'].': '.$one.'<br />'.$txt['unknown_notify'].'</b></span></p>';
    exit;
}
if (_CHANGE_NUM === true && isset($_GET['num_files']) && is_numeric($_GET['num_files']))
$num_files = (int)$_GET['num_files'];
foreach($allowed as $notyet)
foreach($notyet as $final)
$flat_allowed[] = strtolower($final);
if (isset($_POST['_submit'])) {
   for ($i = 0; $i < $num_files; $i++) {
       if ($_FILES['_file']['name'][$i] == '')
          continue;
       $File = strtr(stripslashes($_FILES['_file']['name'][$i]), '\'" |\\/?!*#', '__________');
       $dotpos = strrpos($File, '.');
       $length = strlen($File);
       $ext    = strtolower(substr($File, -($length - $dotpos - 1)));
       $noext  = substr($File, 0, -($length - $dotpos - 1));
        if (!in_array($ext, $flat_allowed)) {
           LogErrors("{$txt['extension']} <b>$ext</b> {$txt['not_allowed']}");
           continue;
        }
        switch($_FILES['_file']['error'][$i]) {
            case 0:
               break;
            case 1:
               LogErrors($txt['PHP_file_size']);
               continue 2;
               break;
            case 2:
               LogErrors("$txt[file_size] $txt[exceded_limit]");
               continue 2;
               break;
            case 3:
               LogErrors($txt['partial_upload']);
               continue 2;
               break;
            case 4:
               LogErrors($txt['no_file']);
               continue 2;
               break;
        }
        if ($_FILES['_file']['size'][$i] > (_MAXSIZE * 1024)) {
           LogErrors($txt['file_size'].' ('.round($_FILES['_file']['size'][$i]/1024, 2)." $txt[KB]) {$txt['not_allowed']}");
           continue;
        }
        $fullname = _REALPATH.$File;
        if (!isset($content))
           $content = '';
        if (_OVERWRITE == false or !isset($_POST['_overwrite'])) {
           if (file_exists($fullname)) {
              LogErrors($txt['file_exists']);
              continue;
           }
           if (isset($allowed['exec']) and in_array($ext, $allowed['exec'])) {
              if ($ext == 'php' and $highlight_php == true and file_exists(_REALPATH.$noext.'html')) {
                 LogErrors($txt['exec_file_exists']);
                 continue;
              } elseif (file_exists(_REALPATH.$noext.'txt')) {
                 LogErrors($txt['exec_file_exists']);
                 continue;
              }
           }
        }
        if(@move_uploaded_file($_FILES['_file']['tmp_name'][$i], $fullname)) {
            if (isset($allowed['image']) and in_array($ext, $allowed['image']))
               is_image();
            elseif (isset($allowed['text']) and in_array($ext, $allowed['text']))
               is_text();
            elseif (isset($allowed['exec']) and in_array($ext, $allowed['exec']))
               is_exec();
            elseif (isset($allowed['package']) and in_array($ext, $allowed['package']))
               $uploaded[] = $File;
            if ($change_mode == true)
               @chmod($fullname, $mode)or
               LogErrors($txt['chmod_fail']);
        } else {
            LogErrors($txt['move_failiur'].'<br />'.$txt['try_again']);
            if (!file_exists(_REALPATH))
               echo '<span style="color:red; font-size: 12pt;"><b>'.$txt['doesnot_exist'].'</b></span><br />';
            elseif (!is_writable(_REALPATH))
               echo '<span style="color:red; font-size: 12pt;"><b>'.$txt['unwritable'].'</b></span><br />';
        }
   }
   if ($show_error_log == true and isset($errors) and count($errors) > 0)
      ShowErrorLog($errors);
   if ($show_uploaded_list == true and isset($uploaded) and count($uploaded) > 0)
      ShowUploaded($uploaded);
   if (isset($content))
      echo $content;
  // if ($show_upload_form == true)
     // PrintForm();
   if ($notify_admin == true)
      MailUploaded();
   if ($log_upload == true)
      FilesLogging();
} else {
    exit;
}
?>

[trancexx]

Oh my little pony, how adorable.

That could be Manadar fucking with you.

[CaptainClucks]

Oh my little pony, how adorable.

That could be Manadar fucking with you.

I doubt it's him, I suspect it might be a few people from some shady website I posted my link at not too long ago.

But it's still creeping me out cause I don't want to shut down apache, yet I don't know if sooner or later they might do something devastating, kinda fun though...

[Manadar]

I remember poking around in that site.. But putting pictures of my little pony is not me.

You could try to figure out by yourself what happened by reading the apache access logs (or check your databases..). Your assumption that it is because of a vulnerability in upload.php could be false and it's simply a known problem with UniServer. (But there is something about your website that screams "I am vulnerable!"..)

What I normally do when I try to break into something is gather information (software of server, scripts +version numbers). HTTP requests by hand usually (anyone know a tool for this?) and tools such as nmap. Then I google for software + version number with a keyword like "known vulnerabilities". If that pops up something, then you need to update that software.

Attacks almost always leave traces around the system. Try to find them in logs and in databases. If SQL injection was used, then there might be rows of failed injections.

[CaptainClucks]

I remember poking around in that site.. But putting pictures of my little pony is not me.

You could try to figure out by yourself what happened by reading the apache access logs (or check your databases..). Your assumption that it is because of a vulnerability in upload.php could be false and it's simply a known problem with UniServer. (But there is something about your website that screams "I am vulnerable!"..)

What I normally do when I try to break into something is gather information (software of server, scripts +version numbers). HTTP requests by hand usually (anyone know a tool for this?) and tools such as nmap. Then I google for software + version number with a keyword like "known vulnerabilities". If that pops up something, then you need to update that software.

Attacks almost always leave traces around the system. Try to find them in logs and in databases. If SQL injection was used, then there might be rows of failed injections.

Problem is that once I found out all this stuff had happened, I had already deleted all the log files about 3 days before I noticed because they were getting over 10 mb, and as for the "I'm vulnerable" portion of this, you can see why it looks like that by reading this... Long story short, melba23 pointed out that I didn't have permission to use a slightly modified version of the autoit logo so I just deleted it and never made one for myself...

Also, I'm surprised no one has ever tried injecting my site... (Edit: You have to add the little ' yourself...) I had worked a little too much trying to pull that off...

And as for it probably being something else, I think you're right, now that I think about it, it could be the auto indexer script I modified, maybe something I did opened a gaping security hole or might just be the server software in general which would be worse since I'm less familiar with it than I should...

Edited by ApudAngelorum, 08 April 2012 - 03:06 PM.

[cageman]

your site could have a sql injection vulnerability. i am no expert, but try autorepo.tk/?dir=' and you know why.

Edited by cageman, 08 April 2012 - 02:10 PM.

[CaptainClucks]

your site could have a sql injection vulnerability. i am no expert, but try autorepo.tk/?dir=' and you know why.

Try seeing how far you can get with that, no but really, that's just a script that I include in most of the php scripts that will detect when a user is trying to find an sql vulnerability, if it detects things like that it'll bring up a bogus sql error message and let a user follow through until they try getting the sql version, it'll display a message somewhere along the lines of "SQL version 9001" and ban the IP.

[cageman]

clever, really clever, didn't hear that one before!

[CaptainClucks]

Ok....

[08/Apr/2012:09:13:14 -0500] "GET /index.php?dir=&file=Koala.jpg

Still trying to figure out how it's done...

clever, really clever, didn't hear that one before!

I got the idea from some site I visited once, a user made a comment about doing it on his site and posted a link to it, so I decided to do the same thing just for the heck of it.

Edited by ApudAngelorum, 08 April 2012 - 03:19 PM.

[cageman]

uhm.. i did that to be honest.. i used http://autorepo.tk/?ID=400 and http://autorepo.tk/index.php?num_uploads=1&dir=
both upload to different directories? i don't need an account for that right?
ps. sorry that i forgot to tell you about this earlier.

Edited by cageman, 08 April 2012 - 04:42 PM.

[somdcomputerguy]

..and never made one for myself...

Check out this site, Cool Text: Logo and Graphics Generator, I use it's service quite a bit for one of the sites I maintain. There's a user written/supplied script in the 'Example Scripts' forum here, too. Also, check out this script - ZB Block, Protect Your PHP Driven Site from Spam and Hacks | SpambotSecurity.com, an 'armored vest' kinda script that I use on all the sites I manage.

[CaptainClucks]

Check out this site, Cool Text: Logo and Graphics Generator, I use it's service quite a bit for one of the sites I maintain. There's a user written/supplied script in the 'Example Scripts' forum here, too. Also, check out this script - ZB Block, Protect Your PHP Driven Site from Spam and Hacks | SpambotSecurity.com, an 'armored vest' kinda script that I use on all the sites I manage.

Thanks for the links, I'll be checking out that last one but as for the logo, it's just that I've been really lazy with the site, sooner or later I'll make some kind of autoit themed logo with cs5 since it's kinda true what manadar said.

uhm.. i did that to be honest.. i used http://autorepo.tk/?ID=400 and http://autorepo.tk/index.php?num_uploads=1&dir=
both upload to different directories? i don't need an account for that right?
ps. sorry that i forgot to tell you about this earlier.

:P I should have known it was that indexing script! I still wana know how some one managed to override the part of it that disallows uploading further below that directory, and how the heck they knew my user profile name to get things up into my desktop.

Anyway, it should be fixed now, It's just that the autoindex script is very unfamiliar to me since I didn't make it and it's use of classes is very damn confusing I just havent messed much and now that I look at it closer, I do see some things in it that seem very exploitable, like grabbing the upload directory from a global variable set through the url, by what I know, that's something you try to avoid...

[cageman]

Anyway, it should be fixed now, It's just that the autoindex script is very unfamiliar to me since I didn't make it and it's use of classes is very damn confusing I just havent messed much and now that I look at it closer, I do see some things in it that seem very exploitable, like grabbing the upload directory from a global variable set through the url, by what I know, that's something you try to avoid...

that last part is very exploitable, probably that made it possible to upload into a higher directory, maybe use get instead of post there.

Edited by cageman, 08 April 2012 - 06:12 PM.

[CaptainClucks]

Regarding manadars comment about my site looking vulnerable due to the missing logo, fixed that already, I made my own autoit logo, all that's left now is pm'ing melba23 so as to see if there are any problems with it...

[shanet]

OP, as has been pointed out, you are at risk of sql injection. As cageman said, if you put a quote in the URL it breaks...

[CaptainClucks]

OP, as has been pointed out, you are at risk of sql injection. As cageman said, if you put a quote in the URL it breaks...

I'd like to see anyone do anything with that.
As I said before (if I remember correctly), it's just a dummy error system I made for the heck of it.