Lyfa The Lonely Man
Posted: Sun Oct 04, 2009 3:10 pm, Post subject: Need some C&C
I made an uploading script. I need C&C.
I don't care about the design for now, I'll work on that later; I want C&C on the code for now.
http://f3ar.hobo-studios.org/up/ - Moved to a hidden location for now
The index page - HTML
Code:
<form enctype="multipart/form-data" action="upload.php" method="POST">
Please choose a file: <input name="uploaded" type="file" /><br />
<input type="submit" value="Upload" />
</form>
The upload page - PHP
Code:
<?php
// This function separates the extension from the rest of the file name and returns it
function findexts($filename)
{
    $filename = strtolower($filename);
    // split() is deprecated and removed in later PHP versions; preg_split() with the
    // same character class ("/", "\" or ".") behaves the same here
    $exts = preg_split('/[\/\\\\.]/', $filename);
    $n = count($exts) - 1;
    $exts = $exts[$n];
    return $exts;
}

// Note: $uploaded_type is never assigned anywhere in this script (the browser-supplied
// type lives in $_FILES['uploaded']['type']) and $ok is never checked before
// move_uploaded_file(), so these three blocks only print a message.
if ($uploaded_type == "text/php")
{
    echo "No PHP files<br>";
    $ok = 0;
}
if ($uploaded_type == "text/htm")
{
    echo "No HTM files<br>";
    $ok = 0;
}
if ($uploaded_type == "text/html")
{
    echo "No HTML files<br>";
    $ok = 0;
}
// This applies the function to our file
$ext = findexts($_FILES['uploaded']['name']);
// This line assigns a random number to a variable. You could also use a timestamp here if you prefer.
$ran = rand();
// This takes the random number (or timestamp) you generated and adds a . on the end, so it is ready for the file extension to be appended.
$ran2 = $ran . ".";
// This assigns the subdirectory you want to save into... make sure it exists!
$target = "files/";
// This combines the directory, the random file name, and the extension
$target = $target . $ran2 . $ext;
if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
{
    echo "The file has been uploaded as http://f3ar.hobo-studios.org/up/files/" . $ran2 . $ext;
}
else
{
    echo "Sorry, there was a problem uploading your file.";
}
?>
How can I get it so that it won't upload PHP, HTM, and HTML files? I have them blocked, but it uploads them anyway.
Last edited by Lyfa on Tue Oct 06, 2009 1:37 pm; edited 1 time in total
LolSalad Grandmaster Cheater
Posted: Sun Oct 04, 2009 7:50 pm
You idiot, you've just made it completely public that you're allowing PHP files to be uploaded and as a result, if anyone wants to, they can completely fuck over hobo-studios in seconds.
First of all you should not be assigning a random name because it's obvious that files can be overwritten that way, and secondly, check the file extension as well as the mime type.
Also, you should be only allowing certain files rather than only disallowing certain files and allowing everything else.
As proof of how easy it is to fuck with your site, I deleted the upload script. Don't re-upload it until it is secure.
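What a locked-down version of the handler looks like, as an added example rather than code from this thread: it follows the three points above (allow only listed types, check the extension and the real content type, use names that cannot collide) and fixes the reason the original poster's blocks never took effect (the $ok flag is set but never checked). It reuses the form field name "uploaded" and the "files/" directory from the original script; the ALLOWED table and the fail() helper are assumptions of this example.

```php
<?php
// Added example, not the thread's script. Assumes the form field "uploaded"
// and the "files/" directory from the original; ALLOWED and fail() are invented here.
// Allowlist: extension => acceptable sniffed MIME types. Anything not listed is rejected,
// which replaces the original "block text/php" checks (those never took effect because
// $ok was set but never tested before move_uploaded_file()).
const ALLOWED = [
    'jpg' => ['image/jpeg'],
    'png' => ['image/png'],
    'gif' => ['image/gif'],
    'txt' => ['text/plain'],
];
function fail(string $msg): void
{
    http_response_code(400);
    exit(htmlspecialchars($msg));
}

if (!isset($_FILES['uploaded']) || $_FILES['uploaded']['error'] !== UPLOAD_ERR_OK) {
    fail("Sorry, there was a problem uploading your file.");
}
$tmp = $_FILES['uploaded']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    fail("Not an uploaded file.");
}

// Extension taken from the client-supplied name and lower-cased. pathinfo() returns only
// the part after the last dot, and the name alone never decides the type (see below).
$ext = strtolower(pathinfo($_FILES['uploaded']['name'], PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) {
    fail("File type not allowed.");
}

// Check the actual bytes with finfo instead of trusting $_FILES['uploaded']['type'],
// which is sent by the browser and can say anything.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
if (!in_array($mime, ALLOWED[$ext], true)) {
    fail("File contents do not match the extension.");
}

// 128-bit random name from random_bytes(): unlike rand(), it cannot realistically collide,
// so an upload cannot overwrite an earlier one. file_exists() guards the remaining edge case.
$name   = bin2hex(random_bytes(16)) . '.' . $ext;
$target = __DIR__ . '/files/' . $name;
if (file_exists($target) || !move_uploaded_file($tmp, $target)) {
    fail("Sorry, there was a problem uploading your file.");
}
chmod($target, 0644);
echo "The file has been uploaded as files/" . htmlspecialchars($name);
```

The files/ directory must also be served as static content only, with script execution disabled for it in the web server configuration, so the allowlist is not the only barrier.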
NoManchesPuto I post too much
Posted: Sun Oct 04, 2009 7:59 pm
Where'd you get the script? I mean like what site?
Lyfa The Lonely Man
Posted: Mon Oct 05, 2009 1:37 pm
Wahoa wrote:
    You idiot, you've just made it completely public that you're allowing PHP files to be uploaded and as a result, if anyone wants to, they can completely fuck over hobo-studios in seconds.
    First of all you should not be assigning a random name because it's obvious that files can be overwritten that way, and secondly, check the file extension as well as the mime type.
    Also, you should be only allowing certain files rather than only disallowing certain files and allowing everything else.
    As proof of how easy it is to fuck with your site, I deleted the upload script. Don't re-upload it until it is secure.
That's what
Code:
    if ($uploaded_type == "text/php")
    {
        echo "No PHP files<br>";
        $ok = 0;
    }
is supposed to stop, but I guess it doesn't. Anyway, that's the old script.
1 wrote:
    Where'd you get the script? I mean like what site?
I made all but the security parts.
NoManchesPuto I post too much
Posted: Mon Oct 05, 2009 1:44 pm
F3ar wrote:
    1 wrote:
        Where'd you get the script? I mean like what site?
    I made all but the security parts.
Sounds pretty cool, good job. What's it in? PHP? (I can't really tell lol)
Lyfa The Lonely Man
Posted: Mon Oct 05, 2009 2:16 pm
1 wrote:
    F3ar wrote:
        1 wrote:
            Where'd you get the script? I mean like what site?
        I made all but the security parts.
    Sounds pretty cool, good job. What's it in? PHP? (I can't really tell lol)
Quote:
    The upload page - PHP
I'm not sure :/
CrisNMP Fun Supervisor
Posted: Mon Oct 05, 2009 2:20 pm
Next time I see an upload script on your directory I'll delete your ftp info.
NoManchesPuto I post too much
Posted: Mon Oct 05, 2009 2:52 pm
HookrStripperLoggerMan wrote:
    Next time I see an upload script on your directory I'll delete your ftp info.
Lol'd...
@F3ar: Ah, just read the script you found lol..
Lyfa The Lonely Man
Posted: Mon Oct 05, 2009 6:42 pm
HookrStripperLoggerMan wrote:
    Next time I see an upload script on your directory I'll delete your ftp info.
I moved to a free host for now :/ Gonna buy a domain soon and then some hosting.
1 wrote:
    HookrStripperLoggerMan wrote:
        Next time I see an upload script on your directory I'll delete your ftp info.
    Lol'd...
    @F3ar: Ah, just read the script you found lol..
If you have any suggestions on what to add or take off, please do tell.