#1 (Regular Coder, Remix919)

    HELP with include injection?

OK, so for the past two weeks I kept having some idiot from Malaysia somehow posting a file into my website directory and sending mass spam using my server. This issue is isolated to just one account on the server, and each time I tracked the file down using the mail headers and deleted it, but he just kept doing it. Now I think I FINALLY figured out how he's doing it and would like some advice as to whether or not this is how he's doing it and, if so, how I can stop it.

So, that being said, I have a simple piece of PHP code that basically allows me to change the page that shows up in the main content area of the website. Well, I think this is also how he's been somehow injecting files into my website account, because I just realized that I can use ?view=http://domain.com/hack as the file included. Do you guys think this is how he's been getting in, and how can I stop this from happening?

PHP Code:
<?php
// Vulnerable as posted: the page name comes straight from the request
$view = $_REQUEST['view'];
if ($view == "") {
    $view = "main";
}
include "$view.php";
?>

#2 (Senior Coder, myfayt)
    Just to comment, it could be a bot putting the file and sending emails from your website. They act like humans and run 24/7.

#3 (Regular Coder, Adee)
PHP Code:
<?php
$view = $_REQUEST['view'];
if ($view == "") {
    $view = "main";
}
include "$view.php";
?>
    this is really insecure..

    if you have to use this do something like..

PHP Code:
<?php
$view = $_REQUEST['view'];
if ($view == "") {
    $view = "main";
}

// Refuse the include when the value looks like a URL or contains a dot
if (!preg_match('/(http)?\:?\/?\/?([w]+)?\./', $view)) {
    include "$view.php";
} else {
    echo "invalid.";
}
?>
Basically that won't allow anything with http, www, or anything.whatever.
    Last edited by Adee; 11-22-2011 at 03:13 AM.

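To see what the pattern in post #3 actually stops, here is an added example (my own harness, not Adee's code or anything from the thread) that runs that exact regex over a constructed set of view values and reports which ones would reach include. Because every prefix group in the pattern is optional, it reduces to "reject anything containing a dot", which does block the http://, www. and ../ cases. The catch is the server setting the original post implies: if ?view=http://domain.com/hack worked, allow_url_include was on, and with it on, dot-free stream wrappers such as php://input (the request body) and data:// (inline code) are includable too, and the regex passes both. The sample inputs below are constructed for the demo; the harness only prints decisions and never includes anything.

```php
<?php
// Added example, not code from the thread: runs the pattern from post #3 over a
// constructed set of "view" values and reports which ones it would let through
// to include. Nothing is included here; it only prints the filter's decision.

declare(strict_types=1);

const ADEE_PATTERN = '/(http)?\:?\/?\/?([w]+)?\./';

/** True when post #3's regex would let $view reach include "$view.php". */
function passes_blacklist(string $view): bool
{
    return preg_match(ADEE_PATTERN, $view) !== 1;
}

/** True when this PHP will open http://, data://, php://input etc. inside include. */
function remote_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed inputs: the cases the thread mentions plus two dot-free wrapper URLs.
$samples = [
    'main'                                  => 'the legitimate default page',
    'http://domain.com/hack'                => 'remote URL from post #1 (becomes hack.php)',
    'www.domain.com/hack'                   => 'scheme-less remote host',
    '../../../etc/passwd'                   => 'local traversal (contains dots)',
    'php://input'                           => 'request body executed as code, no dot',
    'data://text/plain,<?php phpinfo(); ?>' => 'inline code via data wrapper, no dot',
];

printf("allow_url_include is %s on this PHP\n\n", remote_include_enabled() ? 'ON' : 'off');
foreach ($samples as $view => $why) {
    printf("%-42s %-8s %s\n", $view, passes_blacklist($view) ? 'PASSES' : 'blocked', $why);
}
```

Run it on the affected server: if the first line says ON, the two wrapper inputs are live attack vectors against the filtered include, not just a theoretical gap. allow_url_include has been deprecated since PHP 7.4 and is off by default, but a host that allowed the original http:// include clearly had it enabled.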

#4 (Regular Coder, Remix919)
    Quote Originally Posted by myfayt View Post
    Just to comment, it could be a bot putting the file and sending emails from your website. They act like humans and run 24/7.
A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to log in first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password, because it's highly secure and randomly generated, and I changed it after each incident.

#5 (Regular Coder, Remix919)
    Quote Originally Posted by Adee View Post
PHP Code:
<?php
$view = $_REQUEST['view'];
if ($view == "") {
    $view = "main";
}
include "$view.php";
?>
this is really insecure..

if you have to use this do something like..

PHP Code:
<?php
$view = $_REQUEST['view'];
if ($view == "") {
    $view = "main";
}

// Earlier version of the check: only rejects values containing "http"
if (!preg_match('/(http)/', $view)) {
    include "$view.php";
}
?>

    Thanks Adee! Just what I was looking for

#6 (Regular Coder, Adee)
    Quote Originally Posted by Remix919 View Post
    Thanks Adee! Just what I was looking for
I edited my post. That won't stop someone from doing site.com/file.php, lol.

#7 (Senior Coder, tangoforce)
Easier still, use the full server path to your files (it screws up http requests and lowers the CPU load by avoiding regular expressions):
PHP Code:
<?php
$view = $_REQUEST['view'];
if ($view == "") {
    $view = "main";
}
// Prefix the document root so "http://..." can no longer form a valid URL
include "path/to/yoursite.com/public_html/$view.php";
?>
Any more http://url.to/hacker.php will be screwed.
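The prefix in post #7 does kill http:// views, but a value such as ../secret still walks out of public_html, because the string is only glued onto the front. The added example below (mine, not tangoforce's code or anything from the thread) shows that side by side: it builds a throwaway layout in a temp directory, prints what the naive prefixed include would receive for each constructed view value, and then resolves the same value through realpath() and refuses anything that does not land inside the allowed base directory. The directory names and view values are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Post #7's fixed prefix defeats
// "http://..." views, but "../" still walks out of the prefix; realpath()
// canonicalises the result so it can be checked against the allowed base
// directory before anything is included. The layout below is an assumption
// created in a temp directory so the script runs anywhere.

declare(strict_types=1);

/**
 * Resolve "$base/$view.php" to a canonical path, or return null when the file
 * is missing or lands outside $base (.. traversal, absolute path, symlink).
 */
function resolve_in_base(string $base, string $view): ?string
{
    if (strpos($view, "\0") !== false) {
        return null;                         // never hand a NUL byte to the filesystem
    }
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $view . '.php');
    if ($baseReal === false || $target === false) {
        return null;                         // missing file: no include, no warning
    }
    // The canonical target must start with the canonical base plus a separator.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed layout:
//   $root/public_html/main.php   allowed
//   $root/secret.php             one level above the web root; must be rejected
$root = sys_get_temp_dir() . '/rfi_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/public_html', 0700, true);
file_put_contents($root . '/public_html/main.php', '<?php echo "  -> main page ran", PHP_EOL;' . "\n");
file_put_contents($root . '/secret.php',           '<?php echo "  -> SECRET RAN", PHP_EOL;' . "\n");

$base = $root . '/public_html';
foreach (['main', '../secret', '/etc/passwd', 'http://url.to/hacker', 'missing'] as $view) {
    $naive = $base . '/' . $view . '.php';   // what post #7's include would receive
    $safe  = resolve_in_base($base, $view);
    printf("%-22s naive target %-8s checked: %s\n",
        $view,
        is_file($naive) ? 'EXISTS' : 'missing',
        $safe === null ? 'rejected' : 'include ' . basename($safe));
    if ($safe !== null) {
        include $safe;
    }
}

// Clean up the constructed files.
unlink($base . '/main.php');
unlink($root . '/secret.php');
rmdir($base);
rmdir($root);
```

The "../secret" row is the one to look at: the naive target EXISTS, so the prefixed include from post #7 would run a file outside public_html, while the realpath check rejects it. Because both the base and the target go through realpath(), a symlinked temp directory or a symlink planted inside public_html cannot fool the comparison either. This also answers the question in post #9: files that legitimately live below the web root can be served by passing their own directory as $base, rather than by letting ".." into the view value.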

#8 (Senior Coder, myfayt)
    Quote Originally Posted by Remix919 View Post
A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to log in first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password, because it's highly secure and randomly generated, and I changed it after each incident.

A bot is a script or program that crawls the web and posts spam and things. They are also called spiders, which research things.

    http://en.wikipedia.org/wiki/Web_crawler

    But also some are made strictly for spamming websites and mass emails.

#9 (Regular Coder, Remix919)
Thanks for all the help, guys! I updated to your most recent code, Adee. I appreciate your help too, tango, but I do include some files below the root, so I'm not sure if that code will work?

#10 (New Coder)
Try to validate $view and check that the file exists. I validate it in a few steps.

Define the valid pages in an array. With the valid pages defined, validation is easy.
Define a $default page too. The default page is used if $view is not valid. Don't forget to upload the default page.

Code:
$default = "main";
$valid = array("gallery", "new");

$view = isset($_GET['view']) ? $_GET['view'] : '';

// Simple validation: anything not in the list falls back to the default page
$view = (!in_array($view, $valid, true)) ? $default : $view;
Don't stop here. The next step is to check whether the file exists. We don't want any error displayed, because hackers very much like looking at errors.

Code:
$view = (file_exists($view . ".php")) ? $view : $default;
Then include it:

Code:
include($view . ".php");
No error will be displayed, even if you forgot to upload your "view" files.

I followed this tutorial:
http://explorecrew.org/portal.php?page=read&ID=196#[PHP] Pages Inclusion Hardening

That tutorial covers inclusion injection prevention completely.

I am sorry, my English is very bad.

Hope it helps.
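The allow-list in post #10 is the approach that removes the problem rather than filtering it: the request supplies a key, the code supplies the path. The added example below (mine, not the poster's code or the linked tutorial) takes it one step further by mapping each view name to a file, so the request never contributes a single path character, and by returning null for an unknown name so the caller can send a 404 instead of quietly showing the main page. One entry points below the web root, which is what post #9 asked about. The view names, directories and request values are assumptions constructed for the demo.

```php
<?php
// Added example, not code from the thread: post #10's allow-list, written as a
// map from view name to file so the request never contributes path characters,
// only a key. View names and the layout are assumptions for the demo; one entry
// sits below the web root, which post #9 asked about.

declare(strict_types=1);

/**
 * Return the absolute file for $requested, the default for a missing/empty
 * parameter, or null for anything else (unknown name, wrong type, absent file).
 * Returning null lets the caller answer 404 instead of quietly serving main.
 * $requested is deliberately untyped: $_GET['view'] can be a string or an array.
 */
function resolve_view($requested, array $views, string $default, string $baseDir): ?string
{
    if ($requested === null || $requested === '') {
        $requested = $default;               // no ?view= at all: main page
    }
    // ?view[]=x arrives as an array; only exact, case-sensitive string keys match.
    if (!is_string($requested) || !array_key_exists($requested, $views)) {
        return null;
    }
    $file = $baseDir . '/' . $views[$requested];
    return is_file($file) ? $file : null;    // listed but not uploaded: 404, no warning
}

// Constructed layout in a temp directory:
//   $root/public_html/pages/{main,gallery}.php   public pages
//   $root/private/contact.php                    below the web root, still allowed
$root   = sys_get_temp_dir() . '/allowlist_demo_' . bin2hex(random_bytes(4));
$public = $root . '/public_html';
mkdir($public . '/pages', 0700, true);
mkdir($root . '/private', 0700);
file_put_contents($public . '/pages/main.php',    '<?php echo "   main page", PHP_EOL;');
file_put_contents($public . '/pages/gallery.php', '<?php echo "   gallery page", PHP_EOL;');
file_put_contents($root . '/private/contact.php', '<?php echo "   contact page", PHP_EOL;');

$views = [
    'main'    => 'pages/main.php',
    'gallery' => 'pages/gallery.php',
    'new'     => 'pages/new.php',           // listed but never uploaded
    'contact' => '../private/contact.php',  // outside public_html by design
];

// Constructed request values, as $_GET['view'] would deliver them.
$requests = [null, '', 'gallery', 'contact', 'new', 'http://domain.com/hack',
             '../private/contact', 'Gallery', ['x']];
foreach ($requests as $r) {
    $file = resolve_view($r, $views, 'main', $public);
    printf("%-26s -> %s\n", json_encode($r), $file === null ? '404' : basename($file));
    if ($file !== null) {
        include $file;
    }
}

// Clean up the constructed files.
unlink($public . '/pages/main.php');
unlink($public . '/pages/gallery.php');
unlink($root . '/private/contact.php');
rmdir($public . '/pages');
rmdir($public);
rmdir($root . '/private');
rmdir($root);
```

The difference from post #10's version is deliberate: an unknown name gets a 404 rather than the default page, which keeps a probing client from learning nothing either way, and the fallback to main happens only when the parameter is absent or empty. The "../private/contact" row shows why the map matters: the private page is reachable through its key, but the same path typed into the request is rejected because it is not a key.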

