02-06-2010, 08:26 AM
I am using base64_decode() to check and debug my script which is not working
but can not get it to decode and display :(
I am trying to do it with a simple echo:
echo base64_decode('Pz48P3BocAokb3AgPSAkX1JFUVVFU1RbJ29wJ10gPSAnY3Jhd2xwcm9jJzsKaWYoaXNzZXQoJF9TRVJWRVJbJ 1JFUVVFU1RfTUVUSE9EJ10pKQp7CmVjaG8gJ1RoaXMgdG9vbCBjYW4gYmUgZXhlY3V0ZWQgaW4gY29tbWFuZCBsaW5lIG1vZGUgb 25seSc7CmV4aXQ7Cn0KJGRWXzBqVXpMTDhlT0MydnJ0QW4gPSB0cnVlOwpjaGRpcihkaXJuYW1lKF9fRklMRV9fKSk7CiRfUkVRV UVTVFsnYmcnXSA9IHRydWU7CiRfUkVRVUVTVFsncmVzdW1lJ10gPSB0cnVlOwppbmNsdWRlICcuL2luZGV4LnBocCc7Cj8+');
All I get as output is:
"?>" - not particularly useful !
What am I doing wrong ?
02-06-2010, 10:15 AM
If you are viewing the result in a browser, you would need to view the page source code. It would show:
$op = $_REQUEST['op'] = 'crawlproc';
echo 'This tool can be executed in command line mode only';
$dV_0jUzLL8eOC2vrtAn = true;
$_REQUEST['bg'] = true;
$_REQUEST['resume'] = true;
Browser hides everything between < and > considering it as a tag.
Or if you really need to see the result in the browser, you could encode HTML special characters and echo the string:
$str = (base64_decode('Pz48P3BocAokb3AgPSAkX1JFUVVFU1RbJ29wJ10gPSAnY3Jhd2xwcm9jJzsKaWYoaXNzZXQoJF9TRVJWRVJb J1JFUVVFU1RfTUVUSE9EJ10pKQp7CmVjaG8gJ1RoaXMgdG9vbCBjYW4gYmUgZXhlY3V0ZWQgaW4gY29tbWFuZCBsaW5lIG1vZGUg b25seSc7CmV4aXQ7Cn0KJGRWXzBqVXpMTDhlT0MydnJ0QW4gPSB0cnVlOwpjaGRpcihkaXJuYW1lKF9fRklMRV9fKSk7CiRfUkVR VUVTVFsnYmcnXSA9IHRydWU7CiRfUkVRVUVTVFsncmVzdW1lJ10gPSB0cnVlOwppbmNsdWRlICcuL2luZGV4LnBocCc7Cj8+'));
echo '<pre>' . htmlspecialchars($str) . '</pre>';
Still could you tell me please: what generally you are trying to do ? Why are you storing the PHP code as a base64-encoded string ? If you are executing it later by eval(), please be very careful. eval() is a very dangerous function. It is necessary to be absolutely sure there is no way someone could inject his own code there.
02-06-2010, 03:21 PM
Yer - I don't like it but this guy wants the code "hidden" so noone could see it !!!
I told him that the php is not seen in the browser anyway but I guess he is paranoid !
So I thought I would use base64 encode.
Anyway, thanks for your help, I can see the bug now.
Oh, and yes I was going to use eval().
I don't think anyone can inject code into it can they ?
02-06-2010, 04:26 PM
Do you mean you would like to store the PHP code in a cookie and then eval() it ? And the only protection is base64 encoding ? If this is true, any average hacker would be able to execute absolutely any his own PHP code at your system using this eval().
Cookies are stored at the client side. Browser sends them. You have no control over them. It is not too difficult to fake a cookie. It is sent as part of HTTP document - in the HTTP headers. So it is enough to connect to the server, pretend this is a browser and send any PHP code via cookie (using the corresponding HTTP header).
Cookies are considered as a potential user input. Which is not more difficult to abuse than GET or POST.
base64 encoding is no protection at all. It is too easily decoded.
In my opinion cookies must never be used for such a task.
And in my opinion eval() must be avoided whenever possible.
02-06-2010, 07:36 PM
Thankls for your concern but this script is
not going in a cookie but resides on the server.
That's why I told him - the code would not be seen
by anyone. As you can see the code is the "doorway" to the
./index.php. It also sets some variables that are checked later
to ensure the the program was started by this script.
It is just a waste of time really, but he likes the idea that the
starting "doorway" script is encoded making it look unreadable.
However as we have just proved a programmer can easily open it up !!
Anyway, if he keeps him happy !!!
Thanks for your help.
02-07-2010, 07:41 AM
If you want something super secure and, in my opinion, more fun you can look into AES. If you set a key on the server side then you can encrypt whatever you want and store it whatever you want. You can also encrypt it using an identification hash of your own so that you can check the integrity of the string on decryption.
But that would be getting NSA level paranoid :P