Thread Closed

#1
Let's say I am working with it in PHP.
I have this JSON:
{
    "A": {
        "setA": 15,
        "setB": 51
    },
    "B": {
        "setA": 14,
        "setB": 1
    },
    "C": {
        "setA": 5,
        "setB": 581
    }
}

How would I delete B? I know I can set B, destroying the content, but then I have this:
{
    "A": {
        "setA": 15,
        "setB": 51
    },
    "B":"",
    "C": {
        "setA": 5,
        "setB": 581
    }
}

but I would like to have this:
{
    "A": {
        "setA": 15,
        "setB": 51
    },
    "C": {
        "setA": 5,
        "setB": 581
    }
}
#2
A random idea would be to set it to null. But I have not often worked directly with JSON and never in PHP so I don't know. And on top of that my knowledge of PHP is fading, I have forgotten much of what I once knew.

Have I helped you? Do you like my add-ons?
Would you consider donating to show your appreciation for my efforts?

/images/paypal.png
#3
Guess it is true: you don't use it, you lose it.
I get null instead of empty quotes.
#4
Got it:
unset($json->{"B"});
#5
More forgetting all the functions and stuff. Always be able to read it because it is close enough to everything else I know. Mainly writing in JavaScript, Python and a little C/C++ at the moment.

#6
I am in a C++ class this semester.
I keep ending up pointing out flaws in the design of the example that would prevent it from practical use.
I frequently just google "JS function + PHP" and find functions like that.
I am converting a sh CGI page to PHP and I have very little understanding of sh, just trying to figure out what it does and make some PHP.
The original author had the HTML/CSS/JS skill I would expect from an IE6 coder.
When I get it done I can send it to you to patch the security holes as a refresher, and anything else you happen to see wrong.
#7
Ha ha, I remember the C++ class I did two years ago. I finished each assignment in a few hours then spent the next two weeks trying to unravel others' assignments. Could not fault the course staff that year, they were really good.

What kind of assignments are they that you have to do?

You should try some Python + Django some time. I am using it for the new version of my website I am trying to build and loving it. The new site is here and the code here.

#8
Just little things. The other day we were supposed to use an array.
We were supposed to read a file into an array and pass it to a few functions, processing it 3 times.
Bottom line: the most inefficient thing I ever saw.
Much better to read the file 1 time and get everything out of it right away, cutting out about 4 processes.

Anyway, care to search for and patch some security holes in some PHP? link I put about a week into that.
I am sure I missed something or used the wrong escape by mistake.

Edited by Michael on Jan. 7, 2015, 4:17 p.m.

#9
It does not look like you're going to run this on a production web server, but for the sake of the exercise let's say it is.

download.php

Why would you want to force them to download an error message?
	else{
		header("Content-type: text/plane");
		header("Content-Disposition: attachment; filename=\"Error.txt\"");
		echo "The file ".$_GET['file']." was not found in the scans folder.";
	}

I would remove the Content-Disposition header.

This is a shocker. Never ever do this again.
	if(file_exists("scans/".$_GET['file'])){
		header("Content-type: ".ext2mime(substr($_GET['file'],strrpos($_GET['file'],".")+1)));
		header("Content-Disposition: attachment; filename=\"".$_GET['file']."\"");
		echo file_get_contents("scans/".$_GET['file']);
	}

What happens if its value is "../../../../etc/passwd"? All a hacker has to do is attempt enough times to work out the right number of "../" to put and he can read any file off your server he wants to.

index.php

function Get_Values($name){
	if(isset($_POST[$name]))
		return $_POST[$name];
	else if(isset($_GET[$name]))
		return $_GET[$name];
	else
		return null;
}

Um, what happened to using $_REQUEST?

	if($DELETE=="Remove"){
		$FILE=Get_Values('file');
		if($FILE==null){
			shell_exec("rm scans/*");
		}
		else{
			$FILE2=addslashes(substr($FILE,0,strrpos($FILE,".")+1));
			shell_exec("rm scans/*$FILE2*");
			Print_Message("File Deleted","The file <code>".html($FILE)."</code> has been removed.");
		}
	}

Really nice!!! What if the value of $FILE is " && rm -rf /". Which makes the command "rm scans/* && rm -rf /*". Nice, but sorry not on my computer.

I will let you think about the above. You repeat the same problems over and over, so no point listing them all. If you fix them up I will have another look over the code. Next time don't make it so easy ;)

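As an added example (not code from the thread or its author), here is how the two handlers quoted above could be written without the traversal and shell-injection problems. It assumes a scans directory beside the script and a placeholder ext2mime() standing in for the original's; the delete handler removes one exact file rather than a glob.

```php
<?php
// Added example: hardened replacements for the download.php and delete
// handlers reviewed in the thread. SCANS_DIR and ext2mime() are assumptions.
declare(strict_types=1);

const SCANS_DIR = __DIR__ . '/scans';

// Placeholder for the thread's ext2mime(); unknown extensions get a safe default.
function ext2mime(string $ext): string {
    $map = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
    return $map[strtolower($ext)] ?? 'application/octet-stream';
}

// Resolve a user-supplied name to a real file inside SCANS_DIR, or null.
// basename() drops any directory part, realpath() collapses "." and "..",
// and the prefix check is what actually blocks "../../etc/passwd".
function safe_scan_path(string $name): ?string {
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..' || !preg_match('/^[\w.-]+$/', $base)) {
        return null;
    }
    $dir  = realpath(SCANS_DIR);
    $path = realpath(SCANS_DIR . '/' . $base);
    if ($dir === false || $path === false) {
        return null;
    }
    // Trailing separator so a sibling "scans_backup/x" cannot pass as a prefix match.
    return str_starts_with($path, $dir . DIRECTORY_SEPARATOR) && is_file($path) ? $path : null;
}

function send_scan(string $name): void {
    $path = safe_scan_path($name);
    if ($path === null) {
        http_response_code(404);
        header('Content-Type: text/plain');
        echo 'File not found in the scans folder.';   // never echo the raw input back
        return;
    }
    header('Content-Type: ' . ext2mime(pathinfo($path, PATHINFO_EXTENSION)));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    readfile($path);
}

// Deletion without a shell: unlink() takes a path, so there is no command
// string for " && rm -rf /" to break out of. Returns true on success.
function delete_scan(string $name): bool {
    $path = safe_scan_path($name);
    return $path !== null && unlink($path);
}

if (isset($_GET['file'])) {
    send_scan((string) $_GET['file']);
}
```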
#10
How about now?
Same location as before.
It only accepts whatever is after the last / for all requests; if there is not one it is the same as before.
I am sure the original CGI was worse as far as holes are concerned.
#11
OK, so my rm -rf attack now becomes:

" && `echo "cm0gLXJmIC8K" | base64 -d -` && "

Sorry just wiped your server again.

Using shell_exec with any user input is really dangerous. User input in general is just dangerous. You might have better luck using the PHP functions like these ones:
http://php.net/manual/en/function.opendir.php
http://php.net/manual/en/function.unlink.php
http://php.net/manual/en/function.rename.php
http://php.net/manual/en/book.imagick.php

But again, for your script it might not be worth it because you're not putting it on a public server. But again I think we are doing this for the pure sake of the exercise.

#12
There was one part where I used rename; it gave an operation not permitted message but it worked anyway.
Did not know I could use ImageMagick without shell_exec or system.
I do not think www-data has access to do that (rather not find out though).
#13
QUOTE:
there was one part where i used rename i gave a operation not permitted message but it worked anyway

That sounds like doing "rm * .o", which gives "rm: cannot remove `.o': No such file or directory"; all your .c files have been fried in the meantime.

QUOTE:
did not know I could use ImageMagick without shell_exec or system

There are bindings for it for most popular programming languages.

QUOTE:
I do not think www-data has access to do that (rather not find out though)

www-data will not, but it will still delete every file that it has permissions to delete. Which may not be comfortable. But that is not really the point. Bad security piles up. Let's assume you fixed nothing I pointed out, and you also have something else on your system with user regos. First I can get your mysql password using the security hole in download.php, I then use some command in place of the rm one above to dump the contents of your mysql database, I use the download.php attack to get the contents of the dump. Let's assume you have been reasonable and encoded your users' passwords with md5, but you did not use a salt, so I use rainbow tables to decode them all. I will use the rm -rf hack to clean up after myself (don't care what it does, just don't want you knowing what I did, and it will take out enough). I will then use the usernames/passwords collected to attack other sites your users might have registered to with the same credentials - hopefully that includes other more interesting sites than your own.

Been spending some time over the past months studying how to defend web applications from attack. Ever since my site got taken down really. I have started to become paranoid.

#14
The line rename($tmpFile,$file);
Before running it $tmpFile exists and $file does not exist.
After running it $file exists and $tmpFile does not exist.
Just what you would expect, except I generated an operation not permitted warning.
What if I do this:
function SecurityCheck($l){
        if(strpos($l,"&&")>-1){
                $l=substr($l,strrpos($l,"&&")+2);
        }
        if(strpos($l,"/")>-1){
                $l=substr($l,strrpos($l,"/")+1);
        }
        return $l;
}

Also, the only shell_exec usages left are the convert and the scanimage ones (that accept user input).
Edit: I am expecting something using a pipe.

Edited by az on Feb. 18, 2011, 9:07 a.m.

#15
It sounds strange that it would give an error even when it worked. You might have to just ignore it. If I remember right you can use @ to help with that in php.

If you do that for your SecurityCheck I would have to resort to using pipes, or's, subcommands, a command separator or some escape sequence. The only really secure thing might be to only allow stuff by regular expression "+" but that might prevent some valid file names too.
You could at least put quotes around all the values, it would at least stop spaces (which could be perfectly valid) from causing problems. I would then at least have to close the quote.

#16
I would guess this would be the easiest location to attempt an exploit:
shell_exec("scanimage --help -d \"".addslashes($ACTION)."\"");

I can't filter this with the SecurityCheck function and have it still work.
Example of actual data: "hpaio:/usb/psc_2400_series?serial=MY3ADG51Q56T"
Edit: released RC2.

Edited by az on Feb. 18, 2011, 8:12 p.m.

#17
If you change your SecurityCheck function to remove backticks (`) and use it in this case I will say that I can't think of a way right now to attack the program.

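As an added example (not code from the thread), here is the scanimage command from #16 built two ways: the original addslashes() quoting, and a version that checks the device name against an allowlist of the characters seen in real SANE device strings and then passes it through escapeshellarg(). The allowlist regex and the backtick test value are assumptions; the device name is the one quoted in the thread.

```php
<?php
// Added example: allowlist + escapeshellarg() for the scanimage -d argument.
// DEVICE_RE is an assumption based on the device string quoted in the thread.
declare(strict_types=1);

// Characters that appear in SANE device names: letters, digits, : / ? = _ . -
const DEVICE_RE = '/^[A-Za-z0-9:\/?=_.-]+$/';

// The thread's original construction, kept for comparison. addslashes() only
// escapes ' " \ and NUL, so backticks and $(...) survive inside the double
// quotes and the shell would still expand them.
function scanimage_cmd_original(string $device): string {
    return 'scanimage --help -d "' . addslashes($device) . '"';
}

// True when every character of the device name is in the allowlist.
function device_allowed(string $device): bool {
    return (bool) preg_match(DEVICE_RE, $device);
}

// Hardened construction: reject anything outside the allowlist up front, then
// single-quote the argument with escapeshellarg() so the shell treats every
// byte literally. Returns null when the device name is rejected.
function scanimage_cmd_safe(string $device): ?string {
    if (!device_allowed($device)) {
        return null;
    }
    return 'scanimage --help -d ' . escapeshellarg($device);
}

// Constructed inputs: the real device name quoted in the thread, and a
// harmless backtick value of the kind #17 says SecurityCheck should strip.
$real = 'hpaio:/usb/psc_2400_series?serial=MY3ADG51Q56T';
$bad  = 'psc`hostname`';

var_dump(device_allowed($real));           // bool(true): every character is allowed
var_dump(device_allowed($bad));            // bool(false): backtick is not in the allowlist
echo scanimage_cmd_original($bad), "\n";   // backticks pass through addslashes() untouched
var_dump(scanimage_cmd_safe($bad));        // NULL: rejected before any command is built
echo scanimage_cmd_safe($real), "\n";      // scanimage --help -d 'hpaio:/usb/psc_2400_series?serial=MY3ADG51Q56T'
```

Even with the allowlist, passing the argument through escapeshellarg() is what keeps a future loosening of the regex from reopening the hole.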