Eraser, Grandmaster Cheater (Reputation: 0, Joined: 23 Jul 2008, Posts: 504, Location: http://www.youtube.com/PCtrainers)
Posted: Fri Mar 20, 2009 2:27 am, Post subject: How to add specific extensions to upload file.
Hey, I tried googling how I could allow only specific files to be uploaded, but every site used JavaScript and I want to add it to this PHP script. Currently it allows any extension to be uploaded to my server. Could anyone help me out here? :/
Code: | <?php
session_start();
if (!isset($_POST['upload'])) {
    // htmlspecialchars() added: REQUEST_URI is attacker-controlled and was echoed raw into the form
    echo '
    <div align="center">
    <form name="upload" enctype="multipart/form-data" method="POST" action="' . htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8') . '">
    <input type="file" name="file" size="13" value="">
    <br /><input type="submit" name="upload" value="Upload">
    </form>
    <b>Max file size - 500MB. Any file format is supported.</b>
    ';
} else {
    $yourdomain   = 'http://www.thps-mods.com/';
    $uploaddir    = 'uploads/';
    $filename     = $_FILES['file']['name'];     // client-supplied name, stored as-is: no extension check at all
    $filesize     = $_FILES['file']['size'];     // also client-supplied; only the size check below uses it
    $tmpname_file = $_FILES['file']['tmp_name'];
    $date_file    = date('imdy');                // was date(imdy): the format has to be a quoted string
    if ($filesize > 590000000) {                 // compare as an integer, not the string '590000000'
        echo "File was larger than 500MB.";
    } else {
        // Any file type, including .php, lands in a web-served directory under the name the client chose
        move_uploaded_file($tmpname_file, "$uploaddir$date_file$filename");
        echo "Success!<br /><b></b><textarea rows='1' cols='80'>" . $yourdomain . $uploaddir . $date_file . htmlspecialchars($filename, ENT_QUOTES, 'UTF-8') . "</textarea>";
    }
}
?>
<title>Upload</title>
</div> |
Yes, I use only one PHP file and nothing else.
Last edited by Eraser on Fri Mar 20, 2009 10:11 am; edited 1 time in total
SXGuy, I post too much (Reputation: 0, Joined: 19 Sep 2006, Posts: 3551)
Posted: Fri Mar 20, 2009 3:32 am
There could be a whole load of reasons for how your site got hacked; you can't just pick one.
Insecure FTP access could be one of them: if you have a cPanel-type login to your FTP files, that may have been brute-forced.
Your host may be really shit and have loads of holes in its protection.
Your own website code could be flawed, allowing it to be exploited.
compactwater, I post too much (Reputation: 8, Joined: 02 Aug 2006, Posts: 3923)
Posted: Fri Mar 20, 2009 4:36 am
You had an unprotected upload, allowing any file type to be uploaded; someone uploaded a shell script (as the new message says) and gained access.
LolSalad, Grandmaster Cheater (Reputation: 1, Joined: 26 Aug 2007, Posts: 988, Location: Australia)
Posted: Fri Mar 20, 2009 4:44 am
compactwater wrote: | You had an unprotected upload, allowing any file type to be uploaded; someone uploaded a shell script (as the new message says) and gained access. |
I originally posted it but removed it so that people from here wouldn't screw with it.
But meh, Bill did it anyway, so I'll post what I had:
Quote: | http://www.thps-mods.com/uploads/41032009easilyhacked.php
Code: | <?php
echo "It's the upload page that's hackable.";
echo rand();
?> |
It was really, really not smart to allow all files to be uploaded... |
 |
Eraser, Grandmaster Cheater (Reputation: 0, Joined: 23 Jul 2008, Posts: 504, Location: http://www.youtube.com/PCtrainers)
Posted: Fri Mar 20, 2009 5:32 am
Thanks, whoever helped me! So if I allow only jpg, wmv extensions etc., it will not become hackable again?
compactwater, I post too much (Reputation: 8, Joined: 02 Aug 2006, Posts: 3923)
Posted: Fri Mar 20, 2009 6:14 am
Eraser wrote: | Thanks, whoever helped me! So if I allow only jpg, wmv extensions etc., it will not become hackable again? |
Yes. Be sure to check the MIME-types as well, and also set a MIME-override for certain extensions. Some hosts will allow a .jpg file to execute PHP code by default, so long as it returns a JPEG header, such as those "your IP is..." images.
Eraser, Grandmaster Cheater (Reputation: 0, Joined: 23 Jul 2008, Posts: 504, Location: http://www.youtube.com/PCtrainers)
Posted: Fri Mar 20, 2009 9:22 am
compactwater, I post too much (Reputation: 8, Joined: 02 Aug 2006, Posts: 3923)
Posted: Fri Mar 20, 2009 10:31 am
Code: | $ext0 = explode('.', $_FILES['file']['name']);
// Take only the part after the LAST dot, lower-cased so "Shell.PHP" still compares equal to 'php'
$ext1 = strtolower($ext0[count($ext0) - 1]); |
$ext1 will hold the file extension.
Also, add this file to your upload directory.
http://forum.cheatengine.org/download.php?id=57117
Eraser, Grandmaster Cheater (Reputation: 0, Joined: 23 Jul 2008, Posts: 504, Location: http://www.youtube.com/PCtrainers)
Posted: Fri Mar 20, 2009 10:45 am
Code: | </form>
<b>Max file size - 1GB. Any file format is supported.</b>
';
} else {
    $ext0 = explode('.', $_FILES['file']['name']);
    $ext1 = $ext0[count($ext0) - 1];            // extension is computed here but never checked against anything
    $yourdomain   = 'http://www.thps-mods.com/';
    $uploaddir    = 'uploads/';
    $filename     = $_FILES['file']['name'];
    $filesize     = $_FILES['file']['size'];
    $tmpname_file = $_FILES['file']['tmp_name'];
    $date_file    = date('imdy');               // format string must be quoted
    if ($filesize > 1050000000) { |
I did it like this, but where can I add specific extensions? Because I still can upload PHP files...
P.S. I am a real newbie at stuff like this.
compactwater, I post too much (Reputation: 8, Joined: 02 Aug 2006, Posts: 3923)
Posted: Fri Mar 20, 2009 12:22 pm
Code: | $ext1 = 'php'; // To test (only the last of these three assignments takes effect)
$ext1 = 'png';
$ext1 = 'ico';
$good = FALSE;
$disallow = array('php', 'pl', 'exe', 'rar');
$allow    = array('png', 'gif', 'jpg', 'jpeg');
for ($i = 0; $i < count($disallow); $i++) { // Blacklist example
    if ($ext1 == $disallow[$i]) { die('File type not allowed.'); } // Or set $good to FALSE.
}
for ($i = 0; $i < count($allow); $i++) { // Whitelist example
    if ($ext1 == $allow[$i]) { $good = TRUE; }
}
if ($good) {
    // Main upload script here
} else {
    // Unknown file, do not upload
} |
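The snippet above gives the whitelist idea on its own; what Eraser actually needs is the upload branch of his script rebuilt around it. The following is an added example, not code from this thread or from thps-mods.com: it keeps the allow-list on the last (lower-cased) extension, adds the content check compactwater mentioned earlier (sniffing the file with finfo instead of trusting the browser's MIME type), stores the file under a random server-chosen name so the client's filename never touches the disk, and checks the size PHP measured rather than the size the client reported. Assumptions, labelled in the comments: the form field is still named `file`, uploads go to `uploads/` beside the script, and the extension-to-MIME table (the `wmv` entries in particular) is illustrative and should be checked against what the host's libmagic actually reports.

```php
<?php
// Added example (not the thread's code): hardened replacement for the
// "else" branch of the upload script posted above. Assumptions:
//   - the file input is still named "file" (as in the thread's form),
//   - uploads are stored in uploads/ next to this script (as in the thread),
//   - the ALLOWED table below is illustrative; verify the MIME strings on your host.
declare(strict_types=1);

const MAX_BYTES  = 500 * 1024 * 1024;        // 500 MB, matching the form text
const UPLOAD_DIR = __DIR__ . '/uploads';

// extension => MIME type(s) the file CONTENTS must have (as reported by finfo).
// Only the last extension counts, lower-cased, so "Shell.PHP.jpg" is treated as "jpg".
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'zip'  => ['application/zip'],
    'wmv'  => ['video/x-ms-wmv', 'video/x-ms-asf'],   // assumption: check on your host
];

/**
 * Validate one $_FILES entry and return the server-side name to store it under.
 * Throws RuntimeException with a message that is safe to show the user.
 */
function validate_upload(array $f): string
{
    if (!isset($f['error']) || $f['error'] !== UPLOAD_ERR_OK || !is_string($f['name'] ?? null)) {
        throw new RuntimeException('Upload failed.');
    }
    if (!is_uploaded_file($f['tmp_name'])) {   // refuse anything PHP did not receive via this POST
        throw new RuntimeException('Not an uploaded file.');
    }
    // Size as measured on disk by PHP, not the client-supplied $f['size'].
    $bytes = filesize($f['tmp_name']);
    if ($bytes === false || $bytes > MAX_BYTES) {
        throw new RuntimeException('File was larger than 500MB.');
    }

    // 1. Allow-list on the LAST extension only, lower-cased.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not allowed.');
    }

    // 2. Sniff the real content. $f['type'] is sent by the browser and proves nothing.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException('File contents do not match the extension.');
    }

    // 3. Never reuse the client's name: it may contain "../", a second extension, or
    //    control characters. A random name plus the vetted extension is all we keep.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

if (isset($_POST['upload'], $_FILES['file'])) {
    try {
        $stored = validate_upload($_FILES['file']);
        if (!move_uploaded_file($_FILES['file']['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
            throw new RuntimeException('Could not save file.');
        }
        // The name is ours, but escape anything echoed into HTML by habit.
        echo 'Success! uploads/' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Two caveats the script cannot cover by itself. The content check does not stop a polyglot: a perfectly valid JPEG can carry PHP tags inside a comment segment, which is the "your IP is..." trick compactwater describes, so the uploads directory must also be one the web server never runs PHP from (on Apache with mod_php, and assuming AllowOverride permits it, an `.htaccess` in `uploads/` containing `php_flag engine off`; on other setups ask the host how to disable script execution for that directory). And the reason only the last extension is trusted, and the client's name is discarded, is that Apache's classic `AddHandler ... .php` configuration will run a file called `shell.php.jpg` as PHP if that name is stored verbatim; with a random server-side name there is nothing for that rule to match.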
Eraser, Grandmaster Cheater (Reputation: 0, Joined: 23 Jul 2008, Posts: 504, Location: http://www.youtube.com/PCtrainers)
Posted: Fri Mar 20, 2009 12:40 pm
OK, I tried to put these at the beginning of the PHP file but it didn't work; I still could upload the PHP files. Probably I put your script in the wrong place -.-
Localhost, I post too much (Reputation: 0, Joined: 28 Apr 2007, Posts: 3402)
Posted: Fri Mar 20, 2009 12:54 pm
Sorry, I was the one who uploaded the backdoor script... Though better that I do something non-malicious than a hacker delete EVERYTHING.
 |
compactwater, I post too much (Reputation: 8, Joined: 02 Aug 2006, Posts: 3923)
Posted: Sat Mar 21, 2009 12:48 am
From what I understand, you do not know PHP well, or at all. Perhaps you should read the documentation before you upload something potentially dangerous to your server. You may also want to run a local server to test scripts.
http://php.net/tut.php
SXGuy, I post too much (Reputation: 0, Joined: 19 Sep 2006, Posts: 3551)
Posted: Sat Mar 21, 2009 5:53 am
Can I also make a suggestion: any variables you use, for example FTP login details, MySQL server details etc., should be placed OUTSIDE the main PHP page as a separate PHP script, which can be used by adding
include("Myvars.php");
The reason for this is that it removes the ability for anyone to directly access crucial information that you don't want to be showing on any public page.
I know PHP will hide everything inside its brackets, but the main rule of thumb is to remove ANYTHING critically dangerous to your site from public pages and store it somewhere only YOU have access to.
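A concrete way to apply SXGuy's suggestion, as an added example rather than anything posted in this thread: the secrets file lives outside the document root (so a server misconfiguration that serves `.php` files as text cannot expose it), it `return`s an array instead of defining globals, and the page refuses to run if someone later moves the file inside the web root. The paths and the `ftp_user`/`ftp_pass` keys are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   /home/site/config/secrets.php      outside the web root, readable only by the web server user
//   /home/site/public_html/upload.php  this file, inside the document root
// secrets.php contains only one statement:
//   <?php return ['ftp_user' => 'example', 'ftp_pass' => 'example'];
// Returning an array keeps the values out of global variables, so an
// unrelated bug in the page cannot leak them by dumping globals.

$configFile = dirname(__DIR__) . '/config/secrets.php';

// Refuse to run if the secrets file ended up under the document root, where a
// misconfigured server could hand it out as plain text.
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
$real    = realpath($configFile);
$prefix  = $docRoot === false ? '' : $docRoot . DIRECTORY_SEPARATOR;
if ($real === false || $prefix === '' || strncmp($real, $prefix, strlen($prefix)) === 0) {
    http_response_code(500);
    exit('Configuration file missing or located inside the web root.');
}

$config = require $real;                // nothing is echoed; require hands back the array
if (!is_array($config) || !isset($config['ftp_user'], $config['ftp_pass'])) {
    http_response_code(500);
    exit('Configuration file is incomplete.');
}

// Use $config['ftp_user'] and $config['ftp_pass'] from here on; never echo them.
```

The check is deliberately strict: if `DOCUMENT_ROOT` cannot be resolved the page stops rather than guessing, because the whole point of the layout is that the secrets are provably outside the served tree.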