...

View Full Version : Help Required Immediately - URGENT



SamiMukahhal
10-18-2012, 02:42 AM
I'm having problems with people upload shell hacking scripts on my replay uploader, they are hacking my website each and every time.

Here is my script
http://pastebin.com/JfhBFugN

Or here's the code:

<?php

/******************************************************************************

Last revision:

- Author: Seven

- Email: zabkar@gmail.com (Subject DotaParser)

- Date: 7.7.2009

******************************************************************************/

?>

<!DOCTYPE html>

<html>

<head>

<script type="text/javascript">



var _gaq = _gaq || [];

_gaq.push(['_setAccount', 'UA-31574622-1']);

_gaq.push(['_trackPageview']);



(function() {

var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;

ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';

var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);

})();



</script>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Ranked Gaming Parser</title>

<meta name='keywords' content="Defense of the Ancients, DotA, Replays, Parser, DotA Replays, DotA Parser, DotA Games, Icefrog, , Replay, Parse Dota, Top Dota Replays, DotA Replay Download, Dota Replay Upload, DotA replay uploads, DotA replay downloads, DotA replay parsing, DotA replay ranking" />

<meta name='description' content="'Ranked Gaming Parser' Is a DotA replay parsing service provided for Defense of the Ancients (DotA) players located throughout the world. Powered by rankedgaming.com; a DotA Ladder, Stat Tracking, and Gaming community." />

<center><img src="http://www.rankedgamingparser.com/RGP.png" alt="Logo"/>

</center>

<link href="style_x.css" rel="stylesheet" type="text/css" media="screen" />



</head>


<center>

<tr>

<td style="height:40px">

<a class="menuButtons" href="index.php">Upload Replay</a>

&nbsp;

<a class="menuButtons" href="replaydb.php">Replay Database</a>

&nbsp;

<a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a>

&nbsp;

<a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a>

&nbsp;

<a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a>

</td>

</tr>

</table></center>

<br>

<body>

<div id="fb-root"></div>

<script>(function(d, s, id) {

var js, fjs = d.getElementsByTagName(s)[0];

if (d.getElementById(id)) return;

js = d.createElement(s); js.id = id;

js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";

fjs.parentNode.insertBefore(js, fjs);

}(document, 'script', 'facebook-jssdk'));</script>





<div class="wrapper">

<div class="replay">

<h2> DotA Replay Parser - Upload Replay</h2>

<?php

$print_info = false;

define("MAX_UPLOAD_SIZE", 3000000);



// Upload a file

if(isset($_POST['uploadReplay'])) {

if(!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text'])) {

echo 'Error: Make sure you\'ve filled out all the fields.';

}

else {

$title = htmlspecialchars(trim($_POST['replay_title']));

$winner = htmlspecialchars(trim($_POST['replay_winner']));

$text = htmlspecialchars(trim($_POST['replay_text']));



// Check that we have a file

$replayUploaded = false;

$replayFile = "";



if(( !empty($title) && !empty($winner) &&

!empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0)) {

//Check if the file is JPEG image and it's size is less than 350Kb

$filename = basename($_FILES['replay_file']['name']);

$ext = substr($filename, strrpos($filename, '.') + 1);

$uniqueID = time();





if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) {

//Determine the path to which we want to save this file

$newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext;

//Check if the file with the same name is already exists on the server

if (!file_exists($newname)) {

//Attempt to move the uploaded file to it's new place

if ((move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname))) {

$replayFile = $uniqueID.'.'.$ext;

$replayUploaded = true;

}

else {

print_message("Error: A problem occurred during file upload!");

}

}

else {

print_message("Error: File ".$_FILES["replay_file"]["name"]." already exists");

}

}

else {

print_message("Error: Only .w3g replays under 3 MB are accepted for upload");

}

}

else {

print_message("Error: Make sure you've filled out all the fields");

}



// If the replay was uploadead successfully, process it

if( $replayUploaded ) {

@require("reshine.php");

require('replay_saver.php');



$replay = new replay('replays/'.$replayFile);



$replay->extra['title'] = $title;



/* Determine the winner

* If the uploader chose "Automatic" then check if the parser was able to determine a winner,

* otherwise the winner is set to "Unknown"

* Alternatively the uploader can set the winner manually

*/

if("Automatic" != $winner) {

$replay->extra['winner'] = ( $winner == "Sentinel" ? "Sentinel" : "Scourge" );

}

else if(isset($replay->extra['parsed_winner'])) {

$replay->extra['winner'] = $replay->extra['parsed_winner'];

}

else {

$replay->extra['winner'] = "Unknown";

}



$replay->extra['text'] = $text;

$replay->extra['original_filename'] = $filename;





$txt_file = fopen('replays/'.$replayFile.'.txt', 'a');



flock($txt_file, 2);

fputs($txt_file, serialize($replay));

flock($txt_file, 3);

fclose($txt_file);



if ( $replay->extra['parsed'] == false ) {

// Replay not parsed

}

else {

// Replay saved, display the link.

//Create replay saver object

$replaysaver=new replaysaver($title,$text,$replayFile);

//Call save methode

$replaysaver->saveData();

print_message('Replay uploaded successfully. <a href="view_replay.php?file='.$replayFile.'" alt="View replay" > View details </a>');

$print_info = true;

}





}





}

}



function print_message($msg) {

echo '<div style="padding-left: 10px; padding-bottom: 10px;" >';

echo $msg;

echo '</div>';

}

?>



<div class="content" style="width: 99%;">



<form enctype="multipart/form-data" action="index.php" method="post">

<fieldset>

<label for="replay_title" >Title*: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</label><input name="replay_title" id="replay_title" type="input" />

<br />

<label for="replay_winner" >Winner: &nbsp;&nbsp;&nbsp;&nbsp;</label>

<select name="replay_winner" id="replay_winner" />

<option value="Automatic">Automatic </option>

<option value="Sentinel">Sentinel </option>

<option value="Scourge">Scourge </option>

</select>

<br />

<label for="replay_text" style="vertical-align: top;" >Description: </label>

<textarea name="replay_text" id="replay_text" cols="65"></textarea>

<br />

<input type="hidden" name="MAX_FILE_SIZE" id="'.MAX_UPLOAD_SIZE.'" value="3000000" />

<label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />

<input type="submit" value="Upload" name="uploadReplay" />

</fieldset>

</form>



<br>

<br>

<center>

<font size="3" color="red">DotA 6.75 is now fully supported !</font>

<br><br>

<font size="3">

There are currently

<font color="#E34000">

<?

$directory = "/home/rgc123/public_html/replays/";

if (glob($directory . "*.w3g") != false)

{

$filecount = count(glob($directory . "*.w3g"));

echo $filecount;

}

else

{

echo 0;

}

?>

</font>

DotA replays in our database and counting!

<br>

<br>

<div class="fb-like" data-href="http://www.facebook.com/ExtremelyAwesomeLeague" data-send="false" data-width="450" data-show-faces="true" data-font="verdana"></div>

<br>

<br>





</center>







</div>



</div>



</div>





<div class="wrapper"><div class="replay"><h2>

<center>&copy; 2012 Made by <a href="">*****GotRaped</h2></div></div>

<br />

</html>



</body>

</html>



Currently my website is down until I resolve this issue.

My webhost said : "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g. "

I don't know how, please fix my script only to allow the upload of ".w3g" with no way for someone to bypassing it.

Thank you alot !

DrDOS
10-18-2012, 02:52 AM
You need to use an application which can read the actual file header while it's still a tmp_name file and only allow ones with the proper header to be
moved. You can also check the extension as well.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum