View Full Version : Help Required Immediately - URGENT

10-18-2012, 02:42 AM
I'm having problems with people upload shell hacking scripts on my replay uploader, they are hacking my website each and every time.

Here is my script

Or here's the code:



Last revision:

- Author: Seven

- Email: zabkar@gmail.com (Subject DotaParser)

- Date: 7.7.2009



<!DOCTYPE html>



<script type="text/javascript">

var _gaq = _gaq || [];

_gaq.push(['_setAccount', 'UA-31574622-1']);


(function() {

var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;

ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';

var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);



<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Ranked Gaming Parser</title>

<meta name='keywords' content="Defense of the Ancients, DotA, Replays, Parser, DotA Replays, DotA Parser, DotA Games, Icefrog, , Replay, Parse Dota, Top Dota Replays, DotA Replay Download, Dota Replay Upload, DotA replay uploads, DotA replay downloads, DotA replay parsing, DotA replay ranking" />

<meta name='description' content="'Ranked Gaming Parser' Is a DotA replay parsing service provided for Defense of the Ancients (DotA) players located throughout the world. Powered by rankedgaming.com; a DotA Ladder, Stat Tracking, and Gaming community." />

<center><img src="http://www.rankedgamingparser.com/RGP.png" alt="Logo"/>


<link href="style_x.css" rel="stylesheet" type="text/css" media="screen" />




<td style="height:40px">

<a class="menuButtons" href="index.php">Upload Replay</a>


<a class="menuButtons" href="replaydb.php">Replay Database</a>


<a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a>


<a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a>


<a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a>






<div id="fb-root"></div>

<script>(function(d, s, id) {

var js, fjs = d.getElementsByTagName(s)[0];

if (d.getElementById(id)) return;

js = d.createElement(s); js.id = id;

js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";

fjs.parentNode.insertBefore(js, fjs);

}(document, 'script', 'facebook-jssdk'));</script>

<div class="wrapper">

<div class="replay">

<h2> DotA Replay Parser - Upload Replay</h2>


$print_info = false;

define("MAX_UPLOAD_SIZE", 3000000);

// Upload a file

if(isset($_POST['uploadReplay'])) {

if(!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text'])) {

echo 'Error: Make sure you\'ve filled out all the fields.';


else {

$title = htmlspecialchars(trim($_POST['replay_title']));

$winner = htmlspecialchars(trim($_POST['replay_winner']));

$text = htmlspecialchars(trim($_POST['replay_text']));

// Check that we have a file

$replayUploaded = false;

$replayFile = "";

if(( !empty($title) && !empty($winner) &&

!empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0)) {

//Check if the file is JPEG image and it's size is less than 350Kb

$filename = basename($_FILES['replay_file']['name']);

$ext = substr($filename, strrpos($filename, '.') + 1);

$uniqueID = time();

if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) {

//Determine the path to which we want to save this file

$newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext;

//Check if the file with the same name is already exists on the server

if (!file_exists($newname)) {

//Attempt to move the uploaded file to it's new place

if ((move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname))) {

$replayFile = $uniqueID.'.'.$ext;

$replayUploaded = true;


else {

print_message("Error: A problem occurred during file upload!");



else {

print_message("Error: File ".$_FILES["replay_file"]["name"]." already exists");



else {

print_message("Error: Only .w3g replays under 3 MB are accepted for upload");



else {

print_message("Error: Make sure you've filled out all the fields");


// If the replay was uploadead successfully, process it

if( $replayUploaded ) {



$replay = new replay('replays/'.$replayFile);

$replay->extra['title'] = $title;

/* Determine the winner

* If the uploader chose "Automatic" then check if the parser was able to determine a winner,

* otherwise the winner is set to "Unknown"

* Alternatively the uploader can set the winner manually


if("Automatic" != $winner) {

$replay->extra['winner'] = ( $winner == "Sentinel" ? "Sentinel" : "Scourge" );


else if(isset($replay->extra['parsed_winner'])) {

$replay->extra['winner'] = $replay->extra['parsed_winner'];


else {

$replay->extra['winner'] = "Unknown";


$replay->extra['text'] = $text;

$replay->extra['original_filename'] = $filename;

$txt_file = fopen('replays/'.$replayFile.'.txt', 'a');

flock($txt_file, 2);

fputs($txt_file, serialize($replay));

flock($txt_file, 3);


if ( $replay->extra['parsed'] == false ) {

// Replay not parsed


else {

// Replay saved, display the link.

//Create replay saver object

$replaysaver=new replaysaver($title,$text,$replayFile);

//Call save methode


print_message('Replay uploaded successfully. <a href="view_replay.php?file='.$replayFile.'" alt="View replay" > View details </a>');

$print_info = true;





function print_message($msg) {

echo '<div style="padding-left: 10px; padding-bottom: 10px;" >';

echo $msg;

echo '</div>';



<div class="content" style="width: 99%;">

<form enctype="multipart/form-data" action="index.php" method="post">


<label for="replay_title" >Title*: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</label><input name="replay_title" id="replay_title" type="input" />

<br />

<label for="replay_winner" >Winner: &nbsp;&nbsp;&nbsp;&nbsp;</label>

<select name="replay_winner" id="replay_winner" />

<option value="Automatic">Automatic </option>

<option value="Sentinel">Sentinel </option>

<option value="Scourge">Scourge </option>


<br />

<label for="replay_text" style="vertical-align: top;" >Description: </label>

<textarea name="replay_text" id="replay_text" cols="65"></textarea>

<br />

<input type="hidden" name="MAX_FILE_SIZE" id="'.MAX_UPLOAD_SIZE.'" value="3000000" />

<label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />

<input type="submit" value="Upload" name="uploadReplay" />






<font size="3" color="red">DotA 6.75 is now fully supported !</font>


<font size="3">

There are currently

<font color="#E34000">


$directory = "/home/rgc123/public_html/replays/";

if (glob($directory . "*.w3g") != false)


$filecount = count(glob($directory . "*.w3g"));

echo $filecount;




echo 0;




DotA replays in our database and counting!



<div class="fb-like" data-href="http://www.facebook.com/ExtremelyAwesomeLeague" data-send="false" data-width="450" data-show-faces="true" data-font="verdana"></div>







<div class="wrapper"><div class="replay"><h2>

<center>&copy; 2012 Made by <a href="">*****GotRaped</h2></div></div>

<br />




Currently my website is down until I resolve this issue.

My webhost said : "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g. "

I don't know how, please fix my script only to allow the upload of ".w3g" with no way for someone to bypassing it.

Thank you alot !

10-18-2012, 02:52 AM
You need to use an application which can read the actual file header while it's still a tmp_name file and only allow ones with the proper header to be
moved. You can also check the extension as well.