...

View Full Version : file_get_contents - Return PHP?



Troy297
11-01-2007, 02:05 AM
Hey All,

I'm currently developing a script and am trying to integrate a "license verification" and at current its going pretty well. I've worked out most of the kinks on both ends and I've got it to produce all the right errors and stuff when the license is wrong.... except I need to go a step further.

Basically what I want to do is be able to send back php from my "License/Update Server" to the users script installation and have it run. Like for example if this is the 20th time their has unsuccessfully had its licensed checked then I may want to send a kill process to the next panel that tried to authenticate with that license incase its a license thats been leaked somehow.

So... heres my code:

The Script:

<?php
if($content = @file_get_contents("http://members.mysite.com/")){
echo $content;
}else{
echo "<td><img src='images/update_error.gif' /></td><td>An Error Occured!</td>";
}
?>

My Update Server:

<?php
echo 'This is returned.';
?>

So basically 'This is returned.' is what the script prints out to the user. Now how might I do the same thing except have it so I can send back PHP code and have it run to the script?

Sorry if I'm unclear. Feel free to ask for clarification, and thanks!

firepages
11-01-2007, 07:18 AM
you could return plaintext PHP code and eval() it.

but ;)

eval() is mostly evil , though in your case you will have control over the contents of the eval()'d file ... but then imagine someone hacks the validation server and adds malicious code to the validation script ? also anyone can look at the contents of the validation code which may give them ideas of what to return and simply change the call from your server to theirs...

none of this is going to be easy/safe unless you use some form of encoder etc

Troy297
11-01-2007, 11:26 AM
Alright, thanks for the advice.... Now I've tried this out and can you just tell me how it looks or if you see any possible security flaws that would be exploitable?


<?php
if($content = @file_get_contents("http://members.mysite.com/")){
if(admin() == TRUE){
$parts = explode("~~~", $content);
echo $parts[1];
eval($parts[0]);
}
}
?>

And I plan on encrypting that entire bit of code and more so now one can mess around with it. Also once again the update server that it contacts to get the response returns a message in this format:


PHP Code To Execute ~~~ License Valid... etc.

Offtopic - When a url has "https://" in front rather than just "http://" what does it actually mean? And if it would be of any help in my case to attempt to stop any hacking attempts how do I implement it? I will Google later but just curious... Thanks :)

firepages
11-01-2007, 01:32 PM
In a worst case scenario where someone has control of your server (or can fool the client into thinking their server is yours (by messing with the clients/networks hosts file or DNS or proxy)) then any code in $parts[0] will be run on the clients machine.

Not sure how but perhaps you could first check $parts[0] for allowed functions and not allow any PHP functions but safe ones to be run.. e.g. cancel if the code to eval includes exec,unlink, backticks, rm ... etc etc, loads of possibles, too many.

IF, the code to be eval'd is always the same, then you could use MD5_string() or some other mechanism for checking the code to be run is that which was expected ? , would need to know more about the $parts[0] before I could comment more.

If you use https:// then anything sent between the server and client is encrypted , that way nobody will be able to sniff the contents of $parts[0]

aedrin
11-01-2007, 03:51 PM
If you use https:// then anything sent between the server and client is encrypted , that way nobody will be able to sniff the contents of $parts[0]

In other words, HTTP using SSL. (that's what the S indicates)


Now I've tried this out and can you just tell me how it looks or if you see any possible security flaws that would be exploitable

Your use of eval() is a possible security flaw. Even though you understand its dangers, you are still using it.

I have never found a need for eval(). The only reason I have seen it be used is as a shortcut to a real solution. This would be such a case.

No matter how much you encrypt your code, you can only eval() it decrypted. This means your PHP has the method of decrypting it. Meaning it's wasted effort.

I think you'll be better off spending your development time on improving your product, than trying to build a bullet proof authentication scheme.

firepages
11-02-2007, 12:27 AM
No matter how much you encrypt your code, you can only eval() it decrypted. This means your PHP has the method of decrypting it. Meaning it's wasted effort.

I think we already worked out the fact that eval was dangerous ?

I assumed that the client code will be byte-code and therefore not that easy to decompile.

This type of activation/licence/authentication is an interesting subject and bright idea's might be more useful than `eval is evil, give up`

aedrin
11-02-2007, 03:49 PM
I think we already worked out the fact that eval was dangerous ?

Since it was being considered still, not dangerous enough.


I assumed that the client code will be byte-code and therefore not that easy to decompile.

That's a bad assumption as I've seen no people use this technique. I'm sure there are some, but requiring your clients to install additional programs just to use your component isn't good for business.


This type of activation/licence/authentication is an interesting subject and bright idea's might be more useful than `eval is evil, give up`

Yes, that is a good point. But you don't think companies out there have tried to figure this out? I'd rather spend my time developing new components that are helpful and help save me time. Than develop something that will do nothing. If someone intends to pirate your component/technology, they will. If something prevents it, they will find an alternative. Either way you gain zero business.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum