10-18-2012, 01:42 AM   #1
SamiMukahhal
Help Required Immediately - URGENT

I'm having problems with people uploading shell hacking scripts through my replay uploader; they are hacking my website each and every time.

Here is my script
http://pastebin.com/JfhBFugN

Or here's the code:
Code:
<?php
/******************************************************************************
Last revision:
- Author: Seven
- Email: zabkar@gmail.com  (Subject DotaParser)
- Date: 7.7.2009
******************************************************************************/
?>
<!DOCTYPE html>
<html>
<head>
<script type="text/javascript">
  var _gaq = _gaq || [];
  _gaq.push(['_setAccount', 'UA-31574622-1']);
  _gaq.push(['_trackPageview']);
  (function() {
    var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
    ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
    var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
  })();
</script>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Ranked Gaming Parser</title>
<meta name='keywords' content="Defense of the Ancients, DotA, Replays, Parser, DotA Replays, DotA Parser, DotA Games, Icefrog, Replay, Parse Dota, Top Dota Replays, DotA Replay Download, Dota Replay Upload, DotA replay uploads, DotA replay downloads, DotA replay parsing, DotA replay ranking" />
<meta name='description' content="'Ranked Gaming Parser' Is a DotA replay parsing service provided for Defense of the Ancients (DotA) players located throughout the world. Powered by rankedgaming.com; a DotA Ladder, Stat Tracking, and Gaming community." />
<link href="style_x.css" rel="stylesheet" type="text/css" media="screen" />
</head>
<body>
<center><img src="http://www.rankedgamingparser.com/RGP.png" alt="Logo"/></center>
<center>
  <table>
    <tr>
      <td style="height:40px">
        <a class="menuButtons" href="index.php">Upload Replay</a>
        &nbsp;
        <a class="menuButtons" href="replaydb.php">Replay Database</a>
        &nbsp;
        <a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a>
        &nbsp;
        <a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a>
        &nbsp;
        <a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a>
      </td>
    </tr>
  </table>
</center>
<br>
<div id="fb-root"></div>
<script>(function(d, s, id) {
  var js, fjs = d.getElementsByTagName(s)[0];
  if (d.getElementById(id)) return;
  js = d.createElement(s); js.id = id;
  js.src = "//connect.facebook.net/en_US/all.js#xfbml=1";
  fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>

<div class="wrapper">
<div class="replay">
<h2> DotA Replay Parser - Upload Replay</h2>
<?php
$print_info = false;
define("MAX_UPLOAD_SIZE", 3000000);

// Upload a file
if (isset($_POST['uploadReplay'])) {
    if (!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text'])) {
        echo 'Error: Make sure you\'ve filled out all the fields.';
    }
    else {
        $title  = htmlspecialchars(trim($_POST['replay_title']));
        $winner = htmlspecialchars(trim($_POST['replay_winner']));
        $text   = htmlspecialchars(trim($_POST['replay_text']));

        // Check that we have a file
        $replayUploaded = false;
        $replayFile = "";

        if ((!empty($title) && !empty($winner) && !empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0)) {
            // Check that the file has a .w3g extension and is smaller than MAX_UPLOAD_SIZE bytes
            // (only the text after the last dot of the client-supplied name is examined)
            $filename = basename($_FILES['replay_file']['name']);
            $ext = substr($filename, strrpos($filename, '.') + 1);
            $uniqueID = time();

            if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) {
                // Determine the path to which we want to save this file
                $newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext;
                // Check if a file with the same name already exists on the server
                if (!file_exists($newname)) {
                    // Attempt to move the uploaded file to its new place
                    if (move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname)) {
                        $replayFile = $uniqueID.'.'.$ext;
                        $replayUploaded = true;
                    }
                    else {
                        print_message("Error: A problem occurred during file upload!");
                    }
                }
                else {
                    print_message("Error: File ".htmlspecialchars($_FILES["replay_file"]["name"])." already exists");
                }
            }
            else {
                print_message("Error: Only .w3g replays under 3 MB are accepted for upload");
            }
        }
        else {
            print_message("Error: Make sure you've filled out all the fields");
        }

        // If the replay was uploaded successfully, process it
        if ($replayUploaded) {
            @require("reshine.php");
            require('replay_saver.php');

            $replay = new replay('replays/'.$replayFile);
            $replay->extra['title'] = $title;

            /* Determine the winner
             * If the uploader chose "Automatic" then check if the parser was able to determine a winner,
             * otherwise the winner is set to "Unknown"
             * Alternatively the uploader can set the winner manually
             */
            if ("Automatic" != $winner) {
                $replay->extra['winner'] = ($winner == "Sentinel" ? "Sentinel" : "Scourge");
            }
            else if (isset($replay->extra['parsed_winner'])) {
                $replay->extra['winner'] = $replay->extra['parsed_winner'];
            }
            else {
                $replay->extra['winner'] = "Unknown";
            }

            $replay->extra['text'] = $text;
            $replay->extra['original_filename'] = $filename;

            // Store the serialized replay object next to the replay file
            $txt_file = fopen('replays/'.$replayFile.'.txt', 'a');
            flock($txt_file, LOCK_EX);
            fputs($txt_file, serialize($replay));
            flock($txt_file, LOCK_UN);
            fclose($txt_file);

            if ($replay->extra['parsed'] == false) {
                // Replay not parsed
            }
            else {
                // Replay saved, display the link.
                // Create replay saver object
                $replaysaver = new replaysaver($title, $text, $replayFile);
                // Call save method
                $replaysaver->saveData();
                print_message('Replay uploaded successfully. <a href="view_replay.php?file='.$replayFile.'" alt="View replay" > View details </a>');
                $print_info = true;
            }
        }
    }
}

function print_message($msg) {
    echo '<div style="padding-left: 10px; padding-bottom: 10px;" >';
    echo $msg;
    echo '</div>';
}
?>

    <div class="content" style="width: 99%;">

        <form enctype="multipart/form-data" action="index.php" method="post">
        <fieldset>
          <label for="replay_title" >Title*: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</label><input name="replay_title" id="replay_title" type="text" />
          <br />
          <label for="replay_winner" >Winner: &nbsp;&nbsp;&nbsp;&nbsp;</label>
            <select name="replay_winner" id="replay_winner">
                <option value="Automatic">Automatic </option>
                <option value="Sentinel">Sentinel </option>
                <option value="Scourge">Scourge </option>
            </select>
          <br />
          <label for="replay_text" style="vertical-align: top;" >Description: </label>
          <textarea name="replay_text" id="replay_text" cols="65"></textarea>
          <br />
          <input type="hidden" name="MAX_FILE_SIZE" id="MAX_FILE_SIZE" value="3000000" />
          <label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />
          <input type="submit" value="Upload" name="uploadReplay" />
        </fieldset>
      </form>

<br>
<br>
<center>
<font size="3" color="red">DotA 6.75 is now fully supported !</font>
<br><br>
<font size="3">
There are currently
<font color="#E34000">
<?php
// Count the .w3g files currently stored in the replay directory
$directory = "/home/rgc123/public_html/replays/";
$replays = glob($directory . "*.w3g");
echo $replays ? count($replays) : 0;
?>
</font>
 DotA replays in our database and counting!
<br>
<br>
<div class="fb-like" data-href="http://www.facebook.com/ExtremelyAwesomeLeague" data-send="false" data-width="450" data-show-faces="true" data-font="verdana"></div>
<br>
<br>
</center>
</font>

    </div>

</div>

</div>

<div class="wrapper"><div class="replay"><h2>
<center>&copy; 2012 Made by <a href="">*****GotRaped</a></center></h2></div></div>
<br />
</body>
</html>
Currently my website is down until I resolve this issue.

My webhost said: "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g."

I don't know how; please fix my script to only allow the upload of ".w3g" files, with no way for someone to bypass it.

Thank you a lot!
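A whitelist-based replacement for the upload check, added here as an example; it is not code from the original post or from the Ranked Gaming Parser project. It keeps the posted field name ('replay_file'), the 3 MB limit and the replays/ directory, assumes PHP 7 or later (for random_bytes()), and does three things the posted script does not: the whole client-supplied name must match a whitelist pattern, so "shell.php.w3g", the double extension the webhost mentions, is rejected on the name rather than on the text after the last dot; the first bytes of the file must be the 28-byte header every Warcraft III replay file starts with, so the content is checked independently of the name; and the stored name is chosen by the server from random bytes instead of time(). The stored-name check is also what view_replay.php?file= should apply before touching the filesystem, since the posted success link passes that name. The other scripts the page requires (reshine.php, replay_saver.php, view_replay.php) are not on the page, so nothing here covers what they accept.

```php
<?php
// Added example, not the poster's script: whitelist-based acceptance of a .w3g
// upload. Keeps the posted field name ('replay_file'), size limit and replays/
// directory; PHP >= 7 is assumed for random_bytes(). W3G_MAGIC is the header
// every Warcraft III replay file starts with.
declare(strict_types=1);

const W3G_MAGIC       = "Warcraft III recorded game\x1A\x00";
const MAX_UPLOAD_SIZE = 3000000;

/** The whole client name must be <safe chars>.w3g: "shell.php.w3g" and "a.W3G" fail. */
function replay_client_name_ok(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\.w3g\z/', basename($name)) === 1;
}

/** Content check independent of the name: the first bytes must be the W3G header. */
function looks_like_w3g(string $path): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, strlen(W3G_MAGIC));
    fclose($fh);
    return is_string($head) && $head === W3G_MAGIC;
}

/** Names this script produces: 32 hex digits + .w3g. Apply to view_replay.php?file= too. */
function replay_stored_name_ok(string $name): bool
{
    return preg_match('/\A[0-9a-f]{32}\.w3g\z/', $name) === 1;
}

/**
 * $file is one entry of $_FILES. Returns the server-chosen file name on
 * success and throws on any rejection; nothing from the client name is reused.
 */
function accept_replay_upload(array $file, string $replayDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Error: A problem occurred during file upload!');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Error: Not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_SIZE) {
        throw new RuntimeException('Error: Only .w3g replays under 3 MB are accepted for upload');
    }
    if (!replay_client_name_ok((string) $file['name']) || !looks_like_w3g($file['tmp_name'])) {
        throw new RuntimeException('Error: Only .w3g replays under 3 MB are accepted for upload');
    }
    $newName = bin2hex(random_bytes(16)) . '.w3g';   // server-chosen, unguessable
    $dest    = rtrim($replayDir, '/') . '/' . $newName;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Error: A problem occurred during file upload!');
    }
    chmod($dest, 0644);   // data only, never executable
    return $newName;
}

// Offline demonstration with constructed inputs (no web server or real upload needed).
if (PHP_SAPI === 'cli') {
    $good = tempnam(sys_get_temp_dir(), 'w3g');
    file_put_contents($good, W3G_MAGIC . str_repeat("\x00", 40));   // constructed replay header
    $evil = tempnam(sys_get_temp_dir(), 'w3g');
    file_put_contents($evil, "<?php system(\$_GET['c']); ?>");       // constructed web shell body

    $checks = [
        replay_client_name_ok('game.w3g')             === true,
        replay_client_name_ok('shell.php.w3g')        === false,
        replay_client_name_ok("shell.php\x00.w3g")    === false,
        replay_client_name_ok('../../index.php')      === false,
        looks_like_w3g($good)                         === true,
        looks_like_w3g($evil)                         === false,
        replay_stored_name_ok(str_repeat('a', 32) . '.w3g') === true,
        replay_stored_name_ok('../index.php')         === false,
    ];
    unlink($good);
    unlink($evil);
    echo in_array(false, $checks, true) ? "a check FAILED\n" : "all checks passed\n";
}
```

Two things sit outside the script itself. First, the replays/ directory should never execute anything no matter how a file got there: on Apache with mod_php a .htaccess in replays/ containing "php_flag engine off" (or "RemoveHandler .php .phtml") does that if the host allows overrides, and moving the directory out of public_html and serving files through a download script is the stronger option. Second, files already sitting in replays/ from before the fix should be run through the header test above, because a check on new uploads does nothing about what is already on disk.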