| Author |
Message |
stevewalsh
New Member
Joined: May 06, 2004
Posts: 7
|
 Posted:
Wed May 12, 2004 12:55 am |
|
to trap this exploit after it had gotten through my hack alert script, i simply changed the code at the start of Mainfile.php from
Code:$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courte
// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
die();
|
to
Code:$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courte
// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20') or
strstr($checkurl,'eCcgVU5JT04gU0VMRUNUIDEvKjox')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
die();
|
Hope this helps others. |
Last edited by stevewalsh on Wed May 12, 2004 3:59 am; edited 1 time in total |
|
|
|
GanjaUK
Life Cycles Becoming CPU Cycles
Joined: Feb 14, 2004
Posts: 633
Location: England
|
| Posted:
Wed May 12, 2004 2:24 am |
|
You can change the: eCcgVU5JT04gU0VMRUNUIDEvKjox when exploiting?
(User-level authentication bypass exploit),
That pesky private message exploit and forum too was still getting in to my site and sending me private messages with MY account, and also the power to change my profile and make and or delete posts etc.
In modules.php
before:
Code:global $nukeuser, $db, $prefix;
|
Add:
Code: if (stristr($_SERVER["QUERY_STRING"],'&user=') AND $name==Private_Messages) header("Location: hackattempt.php");
|
Thanks to chatserv for that.
However with that addition to modules.php, they was blocked from exploiting it via private messages but they could still get in via forum module. So I changed to this:
Code:
if (stristr($_SERVER["QUERY_STRING"],'&user=') AND $name==Private_Messages) header("Location: hackattempt.php");
if (stristr($_SERVER["QUERY_STRING"],'&user=') AND $name==Forums) header("Location: hackattempt.php");
|
Now they can kiss the hack alert script instead. |
_________________
Only registered users can see links on this board! Get registered or login!
Last edited by GanjaUK on Wed May 12, 2004 2:41 am; edited 1 time in total |
|
|
|
stevewalsh
|
| Posted:
Wed May 12, 2004 2:34 am |
|
Ah, but the eCcgVU5JT04gU0VMRUNUIDEvKjox is the Base64 encoding of the Union statement, so if they change the value, it will no longer do what it's meant to. This is used as a way to get past checking just for the %20UNION%20.
So far, I'm fine on the Forums exploit, as I'm not using the forums module, but thanks for the private message, I'll drop that into my sites right now. |
| |
|
|
|
|
GanjaUK
|
| Posted:
Wed May 12, 2004 2:37 am |
|
| stevewalsh wrote: | | Ah, but the eCcgVU5JT04gU0VMRUNUIDEvKjox is the Base64 encoding of the Union statement, so if they change the value, it will no longer do what it's meant to. |
Ahh right, ok.  |
| |
|
|
|
|
stevewalsh
|
| Posted:
Sat May 15, 2004 8:57 am |
|
Yet another change
Code:$checkurl = preg_replace("#(/\*.*\*/)#", "", $_SERVER["QUERY_STRING"]); //Courtesy of http://www.esnider.net
// Raven http://ravenphpscripts.com
if (stristr($checkurl,'%20union%20') or
strstr($checkurl,'eCcgVU5JT04gU0VMRUNUIDEvKjox') or
strstr($checkurl,'/*')) {
$loc = $_SERVER['QUERY_STRING'];
header("Location: hackattempt.php?$loc");
die();
}
|
the extra line will pick up the MySQL break command (/* */).
HTH |
| |
|
|
|
|
sixonetonoffun
Spouse Contemplates Divorce
Joined: Jan 02, 2003
Posts: 2496
|
| Posted:
Sat May 15, 2004 9:36 am |
|
Nice I know Ravens been considering an expanded version. |
| |
|
|
|
|
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
|
| Posted:
Sat May 15, 2004 11:23 am |
|
My latest release traps the /*. I cannot and never have been able to get the base64 exploit to work on my site. So, just for clarification, the base64 exploit still get's past my latest release of hack alert? If so, please try it on my site. Be sure to tell me your IP elsewise you will be banned from the Land of Oz and I contact every ISP, regardless . PM me your IP if you try the exploit. Thanks. |
| |
|
|
|
|
newbie
Regular
Joined: May 03, 2004
Posts: 62
Location: USA
|
| Posted:
Sat May 15, 2004 12:40 pm |
|
| Raven wrote: | | My latest release traps the /*. I cannot and never have been able to get the base64 exploit to work on my site. So, just for clarification, the base64 exploit still get's past my latest release of hack alert? If so, please try it on my site. Be sure to tell me your IP elsewise you will be banned from the Land of Oz and I contact every ISP, regardless . PM me your IP if you try the exploit. Thanks. |
Raven,
If you want ... I get a variety of new attempts everyday .. I can post you the ones that the hackalert doesn't catch. Usually hackalert catches them before the Protector does ... but there's been a couple that weren't caught. I pm'd the most recent one to Six a little while ago. |
| |
|
 
  |
|
GanjaUK
|
| Posted:
Sat May 15, 2004 1:07 pm |
|
I can try the private message and forum exploit if you like raven. This exploit got through on my site multiple times, until I added the lines to modules.php I mentioned above. |
| |
|
|
|
|
Raven
|
| Posted:
Sat May 15, 2004 8:40 pm |
|
Just to be clear, the only hacks that my script is aimed at are the UNION types. I have posted another script for the admin.php hack. If you have a union attack that gets through, please PM me the exploit. Thanks! |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
