Ravens PHP Scripts: Forums
 

 

Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088

Posted: Tue May 04, 2004 1:37 pm

GanjaUK wrote:
I actually put them in another folder in admin, you said you could put them anywhere didn't you? I just had the contents of basicauthfile displayed in text above the header.
Yes you can put them anywhere as long as you adjust the path in the call.
 
GanjaUK
Life Cycles Becoming CPU Cycles



Joined: Feb 14, 2004
Posts: 633
Location: England

Posted: Tue May 04, 2004 1:40 pm

What I did was:
Code:


require_once('admin/xxxxx/myprivatefile.php');
require_once('admin/xxxxx/basicauthfile.php');


And put a htaccess deny from all and blank index in same folder.

Raven







Posted: Tue May 04, 2004 1:42 pm

Raven wrote:
The code was missing the <? and ?> tags - sorry! Add those and see if that fixes it.
Did you try this?
 
GanjaUK







Posted: Tue May 04, 2004 1:46 pm

Actually looking at it now, yeah I missed that, I just copied what you pasted to start with, didn't notice the lack of <? ?> in the code, it was silly o'clock when I tried it Laughing . I will try it again tonight, that should fix it.
 
Goldberg
New Member



Joined: Feb 09, 2004
Posts: 18

Posted: Tue May 04, 2004 1:47 pm

This is what I have above the require("auth.php") line
Code:
<?php

// Start NSN Secure Admin
require_once("mainfile.php");
$userinfo = getusrinfo($user);
$row = $db->sql_fetchrow( $db->sql_query("SELECT name FROM ".$prefix."_nsnsecureadmin"));
$namesec = $row['name'];
if ($userinfo[username] == $namesec)  {
// End NSN Secure Admin

if(stristr($_SERVER["QUERY_STRING"],'AddAuthor') || stristr($_SERVER["QUERY_STRING"],'UpdateAuthor')) {
die("Illegal Operation");
}
$checkurl = $_SERVER['REQUEST_URI'];

if ((preg_match("/\?admin/", "$checkurl")) || (preg_match("/\&admin/", "$checkurl"))) {
echo "die";
exit;
}
require_once("mainfile.php");
get_lang(admin);

function create_first($name, $url, $email, $pwd, $user_new) {
    global $prefix, $db, $user_prefix;
    $first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
    if ($first == 0) {
   $pwd = md5($pwd);
   $the_adm = "God";
   $db->sql_query("INSERT INTO ".$prefix."_authors VALUES ('$name', '$the_adm', '$url', '$email', '$pwd', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '0', '1', '')");
   if ($user_new == 1) {
       $user_regdate = date("M d, Y");
       $user_avatar = "gallery/blank.gif";
       $commentlimit = 4096;
       if ($url == "http://") { $url = ""; }
            $db->sql_query("INSERT INTO ".$user_prefix."_users (user_id, username, user_email, user_website, user_avatar, user_regdate, user_password, theme, commentmax, user_level, user_lang, user_dateformat) VALUES (NULL,'$name','$email','$url','$user_avatar','$user_regdate','$pwd','$Default_Theme','$commentlimit', '2', 'english','D M d, Y g:i a')");
   }
   login();
    }
}

$the_first = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors"));
if ($the_first == 0) {
    if (!$name) {
    include("header.php");
    title("$sitename: "._ADMINISTRATION."");
    OpenTable();
    echo "<center><b>"._NOADMINYET."</b></center><br><br>"
   ."<form action=\"admin.php\" method=\"post\">"
   ."<table border=\"0\">"
   ."<tr><td><b>"._NICKNAME.":</b></td><td><input type=\"text\" name=\"name\" size=\"30\" maxlength=\"25\"></td></tr>"
   ."<tr><td><b>"._HOMEPAGE.":</b></td><td><input type=\"text\" name=\"url\" size=\"30\" maxlength=\"255\" value=\"http://\"></td></tr>"
   ."<tr><td><b>"._EMAIL.":</b></td><td><input type=\"text\" name=\"email\" size=\"30\" maxlength=\"255\"></td></tr>"
   ."<tr><td><b>"._PASSWORD.":</b></td><td><input type=\"password\" name=\"pwd\" size=\"11\" maxlength=\"10\"></td></tr>"
   ."<tr><td colspan=\"2\">"._CREATEUSERDATA."  <input type=\"radio\" name=\"user_new\" value=\"1\" checked>"._YES."&nbsp;&nbsp;<input type=\"radio\" name=\"user_new\" value=\"0\">"._NO."</td></tr>"
   ."<tr><td><input type=\"hidden\" name=\"fop\" value=\"create_first\">"
   ."<input type=\"submit\" value=\""._SUBMIT."\">"
   ."</td></tr></table></form>";
    CloseTable();
    include("footer.php");
    }
    switch($fop) {
   case "create_first":
   create_first($name, $url, $email, $pwd, $user_new);
   break;
    }
    die();
}

Maybe NSN Admin secure is the problem, I'll look into that.

EDIT
NSN security is not the problem. When I disable that function I get the log in screen a couple of times and then I get the: "Get Out Of Here!" message


Last edited by Goldberg on Tue May 04, 2004 1:55 pm; edited 1 time in total 
Raven







Posted: Tue May 04, 2004 1:51 pm

Goldberg,

Add the PHP tags to the basicauthfile.php.
 
GanjaUK







Posted: Tue May 04, 2004 1:55 pm

Yeah it's working now. Get the IE pop up auth box then straight to admin.
 
Goldberg







Posted: Tue May 04, 2004 2:50 pm

Raven wrote:
Goldberg,

Add the PHP tags to the basicauthfile.php.

I did. I've installed more admin secure options but can't seem to find the problem.
The script from Telli works just fine for me. When I've got more time I'll see if I can get yours to work. Just keep up the good work Very Happy
 
Raven







Posted: Tue May 04, 2004 2:53 pm

Goldberg wrote:
EDIT
NSN security is not the problem. When I disable that function I get the log in screen a couple of times and then I get the: "Get Out Of Here!" message
That's because after 3 times of not matching the userid and password in your secret file HTTP Auth kicks you out.
 
darksied
Hangin' Around



Joined: Jan 27, 2004
Posts: 25
Location: New Jersey

Posted: Wed May 05, 2004 7:45 pm

OK, I tried the script and what I got was this at the top of the page:

Code:
Parse error: parse error in /home/shawn/public_html/alpha.php on line 2


Parse error: parse error in /home/shawn/public_html/omega.php on line 7


Any ideas? I am using php 7.1 with the latest patches.
I also have the protector, admin secure, and the hack alert installed.

Admin secure has a similar feature built in, but I thought I would try your solution first and see what it was like.
 
Raven







Posted: Wed May 05, 2004 7:54 pm

Please post the first 10 lines of each script. This is not a script error, per se, it is a syntax error in your files.
 
darksied







Posted: Wed May 05, 2004 9:31 pm

OK, the alpha.php is this

Code:
<?

 $ravenAdminID   = 'chaos';
 $ravenAdminPASS = '436137c504dad8e58f4cbf62868a0204';
 ?>


the omega.php is

Code:
<?

 // Grabs the $PHP_AUTH_USER variable whatever are the values of the
 // 'register_globals' and the 'variables_order' directives
 // loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
 if (empty($PHP_AUTH_USER)) {
    if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_USER'])) {
       $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
    }
    else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {
       $PHP_AUTH_USER = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
    }

As you can see, all I have done is added

Code:
require_once('myprivatefile.php');

require_once('basicauthfile.php')


but changed them to

Code:
require_once('alpha.php');

require_once('omega.php')


So basically I changed the login and password. I made a new md5 hash and inserted that as the new password. I then renamed the files as alpha.php and omega.php and changed the require_once calls to reflect that name change. I don't think I missed anything I can think of, but I am a novice in PHP.

Thanks for the help in advance
 
Raven







Posted: Wed May 05, 2004 9:59 pm

You are missing a ; after the require_once('omega.php')
 
darksied







Posted: Wed May 05, 2004 10:30 pm

Was missing; added that, but still the same error occurs

Code:
}

require_once('alpha.php');
require_once('omega.php');
require("auth.php");
require_once("includes/blocker.php");
if(!isset($op)) { $op = "adminMain"; }
$pagetitle = "- "._ADMINMENU."";
if ($admintest && ($op != "logout")) {
   asec_checkAdminAccess();
}
 
Raven







Posted: Wed May 05, 2004 10:38 pm

Which error is still occurring? Please post the line that is erring and a few lines above it.
 
dmolavi
New Member



Joined: Jan 24, 2004
Posts: 3

Posted: Thu May 06, 2004 8:38 am

AWESOME script...one problem though...
I have it modified to email me upon a failed login attempt, but if the user just keeps clicking "OK" without entering any text in the prompt, it will keep pumping out emails. How can I restrict this to just one (or two or three) logins, whether or not ANY text is in the boxes?

Raven







Posted: Thu May 06, 2004 8:48 am

I assume you put the mail() code in the HTTP Auth portion of the script. Unfortunately, that's part of the HTTP protocol code and I am not aware of any user accessible variables. So, it seems that you would have to use some sort of session variable or write the attempts to MySQL.
 
dmolavi







Posted: Thu May 06, 2004 8:53 am

Here is my auth code:
Code:


<?php
// Grabs the $PHP_AUTH_USER variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
// loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
if (empty($PHP_AUTH_USER)) {
   if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_USER'])) {
      $PHP_AUTH_USER = $_SERVER['PHP_AUTH_USER'];
   }
   else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_USER'])) {
      $PHP_AUTH_USER = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
   }
   else if (isset($REMOTE_USER)) {
      $PHP_AUTH_USER = $REMOTE_USER;
   }
   else if (!empty($_ENV) && isset($_ENV['REMOTE_USER'])) {
      $PHP_AUTH_USER = $_ENV['REMOTE_USER'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_USER'])) {
      $PHP_AUTH_USER = $HTTP_ENV_VARS['REMOTE_USER'];
   }
   else if (@getenv('REMOTE_USER')) {
      $PHP_AUTH_USER = getenv('REMOTE_USER');
   }
   // Fix from Matthias Fichtner for WebSite Professional - Part 1
   else if (isset($AUTH_USER)) {
      $PHP_AUTH_USER = $AUTH_USER;
   }
   else if (!empty($_ENV) && isset($_ENV['AUTH_USER'])) {
      $PHP_AUTH_USER = $_ENV['AUTH_USER'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['AUTH_USER'])) {
      $PHP_AUTH_USER = $HTTP_ENV_VARS['AUTH_USER'];
   }
   else if (@getenv('AUTH_USER')) {
      $PHP_AUTH_USER = getenv('AUTH_USER');
   }
}
// Grabs the $PHP_AUTH_PW variable whatever are the values of the
// 'register_globals' and the 'variables_order' directives
// loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+
if (empty($PHP_AUTH_PW)) {
   if (!empty($_SERVER) && isset($_SERVER['PHP_AUTH_PW'])) {
      $PHP_AUTH_PW = $_SERVER['PHP_AUTH_PW'];
   }
   else if (!empty($HTTP_SERVER_VARS) && isset($HTTP_SERVER_VARS['PHP_AUTH_PW'])) {
      $PHP_AUTH_PW = $HTTP_SERVER_VARS['PHP_AUTH_PW'];
   }
   else if (isset($REMOTE_PASSWORD)) {
      $PHP_AUTH_PW = $REMOTE_PASSWORD;
   }
   else if (!empty($_ENV) && isset($_ENV['REMOTE_PASSWORD'])) {
      $PHP_AUTH_PW = $_ENV['REMOTE_PASSWORD'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['REMOTE_PASSWORD'])) {
      $PHP_AUTH_PW = $HTTP_ENV_VARS['REMOTE_PASSWORD'];
   }
   else if (@getenv('REMOTE_PASSWORD')) {
      $PHP_AUTH_PW = getenv('REMOTE_PASSWORD');
   }
   // Fix from Matthias Fichtner for WebSite Professional - Part 2
   else if (isset($AUTH_PASSWORD)) {
      $PHP_AUTH_PW = $AUTH_PASSWORD;
   }
   else if (!empty($_ENV) && isset($_ENV['AUTH_PASSWORD'])) {
      $PHP_AUTH_PW = $_ENV['AUTH_PASSWORD'];
   }
   else if (!empty($HTTP_ENV_VARS) && isset($HTTP_ENV_VARS['AUTH_PASSWORD'])) {
      $PHP_AUTH_PW = $HTTP_ENV_VARS['AUTH_PASSWORD'];
   }
   else if (@getenv('AUTH_PASSWORD')) {
      $PHP_AUTH_PW = getenv('AUTH_PASSWORD');
   }
}
// Gets authenticated user settings with IIS
if (empty($PHP_AUTH_USER) && empty($PHP_AUTH_PW) && function_exists('base64_decode')) {
   if (!empty($HTTP_AUTHORIZATION)
      && ereg('^Basic ', $HTTP_AUTHORIZATION)) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($HTTP_AUTHORIZATION, 6)));
   }
   else if (!empty($_ENV)
       && isset($_ENV['HTTP_AUTHORIZATION'])
       && ereg('^Basic ', $_ENV['HTTP_AUTHORIZATION'])) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($_ENV['HTTP_AUTHORIZATION'], 6)));
   }
   else if (!empty($HTTP_ENV_VARS)
          && isset($HTTP_ENV_VARS['HTTP_AUTHORIZATION'])
          && ereg('^Basic ', $HTTP_ENV_VARS['HTTP_AUTHORIZATION'])) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr($HTTP_ENV_VARS['HTTP_AUTHORIZATION'], 6)));
   }
   else if (@getenv('HTTP_AUTHORIZATION')
          && ereg('^Basic ', getenv('HTTP_AUTHORIZATION'))) {
      list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(':', base64_decode(substr(getenv('HTTP_AUTHORIZATION'), 6)));
   }
} // end IIS

if (!($HTTP_SERVER_VARS['PHP_AUTH_USER']=="XXXX" && md5($HTTP_SERVER_VARS['PHP_AUTH_PW'])==trim("XXXX"))) {
   header("WWW-Authenticate: Basic realm=SecuredArea");
   header("HTTP/1.0 401 Unauthorized");
   echo "Sorry...three strikes and you're out.";

        $server=$_SERVER["SERVER_NAME"];
        $rawloc=$_SERVER["QUERY_STRING"];
        $loc=rawurldecode($_SERVER["QUERY_STRING"]);
        $addr=$_SERVER["REMOTE_ADDR"];
        $refer=$_SERVER["HTTP_REFERER"];
        $agents=$_SERVER["HTTP_USER_AGENT"];
        // Names must match $cookies[1] and $authors[0] used in $message below
        $cookies=explode(":", base64_decode($_COOKIE["user"]));
        $authors=explode(":", base64_decode($_COOKIE["admin"]));
        $rawuri=$_SERVER["REQUEST_URI"];
        $uri=rawurldecode($_SERVER["REQUEST_URI"]);
        $port=$_SERVER["REMOTE_PORT"];
        $host=$_SERVER["REMOTE_HOST"];

   $message = "Information:\r\n"
        ."Query: $loc\r\n"
        ."Raw Query: $rawloc\r\n"
        ."Method: $domain" . "$uri\r\n"
        ."Raw Method: $domain" . "$rawuri\r\n"
        ."Suspect Host: $host\r\n"
        ."Suspect IP: $addr\r\n"
        ."Remote Port: $port\r\n"
        ."Suspect Agents: $agents\r\n"
        ."User Cookie: $cookies[1]\r\n"
        ."Admin Cookie: $authors[0]\r\n"
        ."Referred: $refer\r\n";

        $headers = "From: Security\r\n"
        ."Priority: urgent\r\n"
        ."Importance: High\r\n"
        ."Precedence: special-delivery\r\n"
        ."Organization: $sitename\r\n"
        ."MIME-Version: 1.0\r\n"
        ."Content-Type: text/plain\r\n"
        ."Content-Transfer-Encoding: 8bit\r\n"
        ."X-Priority: 1\r\n"
        ."X-MSMail-Priority: High\r\n"
        ."X-Mailer: PHP/" . phpversion() ."\r\n";

   mail($to,"Unauthorized admin.php access",$message, $headers);
   echo "<br /><br />";
   die();
}
?>


So this chunk of code gets run after every login failure, not just after the third (which is usually the Apache default) failed login attempt...You don't know of any way of limiting this to just after the final failure?
 
Raven







Posted: Thu May 06, 2004 11:10 am

Dmolavi wrote:
So this chunk of code gets run after every login failure, not just after the third (which is usually the Apache default) failed login attempt...You don't know of any way of limiting this to just after the final failure?

Try this - not tested. Before this line
Code:
   header("WWW-Authenticate: Basic realm=SecuredArea");

add these lines
Code:
session_start(); 

header("Cache-control: private"); //IE 6 Fix
if($_SESSION['count']==2) {
   $_SESSION['count'] = FALSE;
} else {
    $_SESSION['count']++;
}

Then change this line
Code:
mail($to,"Unauthorized admin.php access",$message, $headers);
to
Code:
   if (!$_SESSION['count']) { 

      mail($to,"Unauthorized admin.php access",$message, $headers);
      session_destroy();
   }


Now this should only mail after 3 unsuccessful attempts.
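
The other option mentioned in this thread, keeping the attempt count on the server instead of in the session, as an added example that is not part of any post: a session counter only advances while the client returns the session cookie, whereas this one is keyed by remote address. `record_failure()`, the JSON state file, the threshold and the window are all assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example, not code from the thread. Call record_failure() from the
// 401 branch only when isset($_SERVER['PHP_AUTH_USER']), so the browser's
// first request (sent before any credentials exist) is not counted.

/**
 * Hypothetical helper: records one failed login for $ip and returns true
 * only on the attempt that reaches $threshold within $window seconds,
 * so the caller sends at most one alert mail per address per window.
 */
function record_failure(string $stateFile, string $ip, int $now,
                        int $threshold = 3, int $window = 900): bool
{
    $fh = fopen($stateFile, 'c+');       // create if missing, never truncate
    if ($fh === false) {
        return false;                    // state unavailable: send nothing
    }
    flock($fh, LOCK_EX);                 // serialise concurrent requests
    $state = json_decode(stream_get_contents($fh) ?: '{}', true) ?: [];

    // Forget addresses whose counting window has expired.
    foreach ($state as $addr => $entry) {
        if ($now - $entry['first'] > $window) {
            unset($state[$addr]);
        }
    }

    $entry = $state[$ip] ?? ['first' => $now, 'count' => 0];
    $entry['count']++;
    $state[$ip] = $entry;

    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($state));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);

    return $entry['count'] === $threshold;
}

if (PHP_SAPI === 'cli') {
    // Constructed run: five quick failures, then one after the window.
    $file  = tempnam(sys_get_temp_dir(), 'authfail');
    $start = 1083855600;                 // constructed timestamp
    foreach ([0, 5, 10, 15, 20, 2000] as $offset) {
        $alert = record_failure($file, '192.0.2.10', $start + $offset);
        echo "failure at +{$offset}s: ", $alert ? "send mail\n" : "no mail\n";
    }
    unlink($file);
}
```

Keep the state file outside the web root, the same way the private credentials file is kept out of reach.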
 
dmolavi







Posted: Thu May 06, 2004 11:11 am

As in the PM I sent to you, but so everyone else here can see it too...this works perfectly.
 
newbie
Regular



Joined: May 03, 2004
Posts: 62
Location: USA

Posted: Fri May 14, 2004 3:44 pm

Raven,

I'm missing something on this and I really want to make this work!

I am not sure how to manually encrypt a password for this to work? How would I set it up? I tried just putting a pw in the file but kept being redirected and finally got the "get out" message Smile

Thanks for helping the newbie Wink

_________________
Darla
newbie







Posted: Fri May 14, 2004 4:13 pm

Raven,

I got it!

And it's working great!

Thanks!
 
sixonetonoffun
Spouse Contemplates Divorce



Joined: Jan 02, 2003
Posts: 2496

Posted: Fri May 14, 2004 4:15 pm

Just put the password in a PHP file, upload it to your server
<?php
echo (md5('password'));
?>
Then view it in your browser
result for this is 5f4dcc3b5aa765d61d8327deb882cf99

Save the result, delete the file.
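
A hardened form of the credential check discussed in this thread, as an added example that is not part of any post or of Raven's script: the private file holds a salted `password_hash()` value instead of a bare MD5, and the comparison uses `password_verify()` and `hash_equals()`. It assumes PHP 7 or later; `basic_auth_ok()` and the sample passphrase are hypothetical, while `$ravenAdminID` and `$ravenAdminPASS` are the variable names from the private file shown earlier.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+.
// Generate the stored value once on the command line rather than through a
// web-reachable file:
//   php -r 'echo password_hash("your passphrase", PASSWORD_DEFAULT), PHP_EOL;'

// Stand-in for the private credentials file (constructed sample values).
$ravenAdminID   = 'chaos';
$ravenAdminPASS = password_hash('constructed-sample-passphrase', PASSWORD_DEFAULT);

/**
 * Hypothetical helper: true only if the Basic Auth credentials in $server
 * match the stored user name and password hash.
 */
function basic_auth_ok(string $wantUser, string $wantHash, array $server): bool
{
    $user = (string)($server['PHP_AUTH_USER'] ?? '');
    $pass = (string)($server['PHP_AUTH_PW'] ?? '');

    // hash_equals() is a constant-time, strict string comparison. Loose ==
    // on two hex digests compares them as numbers when both look like
    // "0e123...", so different strings can be treated as equal.
    $userOk = hash_equals($wantUser, $user);

    // password_verify() re-derives the salted hash (bcrypt by default),
    // which is far slower to guess offline than a single unsalted MD5.
    $passOk = password_verify($pass, $wantHash);

    return $userOk && $passOk;           // both checks always run
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: correct, wrong password, empty prompt, no header.
    $cases = [
        'correct'   => ['PHP_AUTH_USER' => 'chaos', 'PHP_AUTH_PW' => 'constructed-sample-passphrase'],
        'wrong pw'  => ['PHP_AUTH_USER' => 'chaos', 'PHP_AUTH_PW' => 'password'],
        'empty OK'  => ['PHP_AUTH_USER' => '', 'PHP_AUTH_PW' => ''],
        'no header' => [],
    ];
    foreach ($cases as $label => $server) {
        $ok = basic_auth_ok($ravenAdminID, $ravenAdminPASS, $server);
        printf("%-10s %s\n", $label, $ok ? 'allow' : '401');
    }
} elseif (!basic_auth_ok($ravenAdminID, $ravenAdminPASS, $_SERVER)) {
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Basic realm="SecuredArea"');
    exit('Authorization required.');
}
```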
 
Raven







Posted: Fri May 14, 2004 10:41 pm

newbie wrote:
Raven,

I got it!

And it's working great!

Thanks!
Glad you got it Smile. I'm on the road right now and am really behind on messages.
 
newbie







Posted: Sat May 15, 2004 7:55 am

sixonetonoffun wrote:
Just put the password in a PHP file, upload it to your server
<?php
echo (md5('password'));
?>
Then view it in your browser
result for this is 5f4dcc3b5aa765d61d8327deb882cf99

Save the result, delete the file.


LOL,

What I did was do a search on Google for "how to md5" ...... and got some phpBB hack script where you type in your desired password and it encrypts it for you.

Then I just put that in the "myprivatefile.php" part ... and it worked Wink

Thanks!
 
All times are GMT - 6 Hours