HELP with include injection?



Remix919
11-22-2011, 03:31 AM
Ok, so for the past 2 weeks I kept having some idiot from Malaysia somehow posting a file into my website directory and sending mass spam using my server. This issue is isolated to just 1 account on the server, and each time I tracked the file down using the mail headers and deleted it, but he just kept doing it. Now I think I FINALLY figured out how he's doing it and would like some advice as to whether or not this is how he's doing it and, if so, how can I stop it?

So, that being said, I have a simple piece of PHP code that basically allows me to change the page that shows up in the main content area of the website. Well, I think this is also how he's been somehow injecting files into my website account, because I just realized that I can use ?view=http://domain.com/hack as the file included. Do you guys think this is how he's been getting in, and how can I stop this from happening?



<?php
// Whatever the client sends as ?view= (GET, POST or cookie) is used as-is
$view = $_REQUEST['view'];
if($view == "") {
$view = "main";
}
// The include path is built straight from user input
include "$view.php";
?>

myfayt
11-22-2011, 04:02 AM
Just to comment, it could be a bot putting the file and sending emails from your website. They act like humans and run 24/7.

Adee
11-22-2011, 04:03 AM
> <?
> $view = $_REQUEST['view'];
> if($view == "") {
> $view = "main";
> }
> include "$view.php";
> ?>

This is really insecure..

If you have to use this, do something like..



$view = $_REQUEST['view'];
if($view == "")
{
$view = "main";
}

// Every part of this pattern except the final "\." is optional, so it
// rejects any $view that contains a dot (http://..., www...., file.ext)
if(!preg_match('/(http)?\:?\/?\/?([w]+)?\./', $view))
{
include "$view.php";
}
else
{
echo "invalid.";
}


Basically that won't allow anything with http, www, or anything.whatever

Remix919
11-22-2011, 04:06 AM
> Just to comment, it could be a bot putting the file and sending emails from your website. They act like humans and run 24/7.

A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to login first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password because it's highly secure, randomly generated, and I changed it after each incident.

Remix919
11-22-2011, 04:07 AM
> <?
> $view = $_REQUEST['view'];
> if($view == "") {
> $view = "main";
> }
> include "$view.php";
> ?>
>
> this is really insecure..
>
> if you have to use this do something like..
>
> $view = $_REQUEST['view'];
> if($view == "")
> {
> $view = "main";
> }
>
> if(!preg_match('/(http)/', $view))
> {
> include "$view.php";
> }



Thanks Adee! Just what I was looking for :D

Adee
11-22-2011, 04:13 AM
> Thanks Adee! Just what I was looking for :D

I edited my post.. that won't stop someone from doing site.com/file.php lol

tangoforce
11-22-2011, 04:21 AM
Easier still, use the full server path to your files (screws up http requests and lowers the cpu load by avoiding regular expressions):


<?
$view = $_REQUEST['view'];
if($view == "") {
$view = "main";
}
include "path/to/yoursite.com/public_html/$view.php";
?>


Any more http://url.to/hacker.php will be screwed.

myfayt
11-22-2011, 04:41 AM
> A bot? what do you mean? at one point I did find a PHP shell script that when accessed via a web browser allowed them to view my FTP structure and upload files without having to login first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password because it's a highly secure randomly generated and I changed it after each incident.

A bot is a script or program that crawls the web and posts spam and things. Also called spiders, which research things.

http://en.wikipedia.org/wiki/Web_crawler

But also some are made strictly for spamming websites and mass emails.

Remix919
11-22-2011, 06:01 AM
Thanks for all the help guys! I updated to your most recent code, Adee. I appreciate your help too, tango, but I do include some files below the root, so I'm not sure if that code will work?

XterM
11-22-2011, 09:11 AM
Try to validate $view and that the file exists. I validate it in a few steps.

Define the valid pages in an array. With the valid pages defined, validation is easy.
Define a $default page too. The default page is used if $view is not valid. Don't forget to upload the default page.



$default = "main";
$valid = array("gallery","new");

// quote the key and fall back to the default when no view was requested
$view = isset($_GET['view']) ? $_GET['view'] : $default;

$view = (!in_array($view, $valid))?$default:$view; //simple validate



Don't finish here. Next step, check if the file exists. We don't want any error displayed, because hackers very much like looking for errors.




$view = (file_exists($view.".php"))?$view:$default; // balanced parentheses



Then include it:



include($view.".php");


No error will be displayed, even when you forgot to upload your "view" files.

I followed this tutorial:
http://explorecrew.org/portal.php?page=read&ID=196#[PHP] Pages Inclusion Hardening

In that tutorial, inclusion injection prevention is disclosed completely.

I am sorry, my English is very bad.

Hope it helps.
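The following is an added example, not code from the thread, that puts the allow-list and file_exists steps above together with tangoforce's fixed directory and a realpath() confinement check, so views in subdirectories (Remix919's files below the root) work without the client ever supplying a path. The views directory, the allow-list entries and PHP 7.1+ are assumptions.

```php
<?php
// Hardened page dispatcher (added example; VIEW_DIR and the allow-list are assumed)
declare(strict_types=1);

const VIEW_DIR = __DIR__ . '/views';   // hypothetical directory holding the view files
const DEFAULT_VIEW = 'main';

// Maps the ?view= parameter to a file relative to VIEW_DIR. The client chooses
// a key, never a path, so http://..., ../ and absolute paths cannot reach include.
const ALLOWED_VIEWS = [
    'main'    => 'main.php',
    'gallery' => 'gallery.php',
    'news'    => 'content/news.php',   // subdirectory is fine: the path is ours, not the client's
];

/**
 * Resolve a requested view to an absolute file path, or null if it is not
 * allow-listed, does not exist, or resolves outside VIEW_DIR.
 */
function resolveView(?string $requested): ?string
{
    $key = $requested ?? DEFAULT_VIEW;
    if (!isset(ALLOWED_VIEWS[$key])) {   // exact key lookup instead of a regex blacklist
        return null;
    }
    $path = realpath(VIEW_DIR . '/' . ALLOWED_VIEWS[$key]);  // false if the file is missing
    $base = realpath(VIEW_DIR);
    // Confinement check: the resolved file must sit under the view directory
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?view[]=x would arrive as an array; treat anything that is not a string as absent
$requested = $_GET['view'] ?? null;
$file = resolveView(is_string($requested) ? $requested : null)
     ?? resolveView(DEFAULT_VIEW);

if ($file === null) {
    http_response_code(404);   // even the default view is missing: fail closed, no PHP error
    exit;
}
include $file;                 // path is built entirely from server-side constants
```

Requests such as ?view=http://domain.com/hack or ?view=../../etc/passwd simply miss the allow-list and fall back to the default page, and a missing default produces a 404 rather than an include warning.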


