  1. #1
    Regular Coder
    Join Date
    Jan 2006
    Posts
    199
    Thanks
    30
    Thanked 0 Times in 0 Posts

    HELP with include injection?

    Ok, so for the past 2 weeks I kept having some idiot from Malaysia somehow posting a file into my website directory and sending mass spam using my server. This issue is isolated to just 1 account on the server, and each time I tracked the file down using the mail headers and deleted the file, but he just kept doing it. Now I think I FINALLY figured out how he's doing it and would like some advice as to whether or not this is how he's doing it and, if so, how can I stop it?

    So, that being said, I have a simple piece of PHP code that basically allows me to change the page that shows up in the main content area of the website. Well, I think this is also how he's been somehow injecting files into my website account, because I just realized that I can use ?view=http://domain.com/hack as the file included. Do you guys think this is how he's been getting in, and how can I stop this from happening?

    PHP Code:
    <?
    // $view comes straight from the request and is used as the include path
    $view = $_REQUEST['view'];
    if($view == "") {
        $view = "main";
    }
    include "$view.php";
    ?>

  • #2
    Senior Coder
    Join Date
    Apr 2010
    Posts
    1,470
    Thanks
    71
    Thanked 104 Times in 103 Posts
    Just to comment, it could be a bot putting the file and sending emails from your website. They act like humans and run 24/7.
    Been a sign maker for 7 years. My business:
    American Made Signs

  • #3
    Regular Coder
    Join Date
    Jul 2010
    Location
    Oregon City
    Posts
    280
    Thanks
    5
    Thanked 50 Times in 49 Posts
    PHP Code:
    <?
    $view = $_REQUEST['view'];
    if($view == "") {
        $view = "main";
    }
    include "$view.php";
    ?>
    this is really insecure..

    if you have to use this do something like..

    PHP Code:
    $view = $_REQUEST['view'];
    if($view == "")
    {
        $view = "main";
    }

    // every part before the dot is optional, so this rejects any value containing a "."
    if(!preg_match('/(http)?\:?\/?\/?([w]+)?\./', $view))
    {
        include "$view.php";
    }
    else
    {
        echo "invalid.";
    }

    basically that won't allow anything with http, www, or anything.whatever
    Last edited by Adee; 11-22-2011 at 03:13 AM.

  • #4
    Regular Coder
    Join Date
    Jan 2006
    Posts
    199
    Thanks
    30
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by myfayt View Post
    Just to comment, it could be a bot putting the file and sending emails from your website. They act like humans and run 24/7.
    A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to log in first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password because it's highly secure, randomly generated, and I changed it after each incident.

  • #5
    Regular Coder
    Join Date
    Jan 2006
    Posts
    199
    Thanks
    30
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Adee View Post
    PHP Code:
    <?
    $view = $_REQUEST['view'];
    if($view == "") {
        $view = "main";
    }
    include "$view.php";
    ?>
    this is really insecure..

    if you have to use this do something like..

    PHP Code:
    $view = $_REQUEST['view'];
    if($view == "")
    {
        $view = "main";
    }

    if(!preg_match('/(http)/', $view))
    {
        include "$view.php";
    }

    Thanks Adee! Just what I was looking for

  • #6
    Regular Coder
    Join Date
    Jul 2010
    Location
    Oregon City
    Posts
    280
    Thanks
    5
    Thanked 50 Times in 49 Posts
    Quote Originally Posted by Remix919 View Post
    Thanks Adee! Just what I was looking for
    I edited my post.. that won't stop someone from doing site.com/file.php lol

  • #7
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,364
    Thanks
    61
    Thanked 530 Times in 517 Posts
    Easier still, use the full server path to your files (screws up HTTP requests and lowers the CPU load by avoiding regular expressions):
    PHP Code:
    <?
    $view = $_REQUEST['view'];
    if($view == "") {
        $view = "main";
    }
    // the request value is appended to a fixed local directory
    include "path/to/yoursite.com/public_html/$view.php";
    ?>
    Any more http://url.to/hacker.php will be screwed.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

  • #8
    Senior Coder
    Join Date
    Apr 2010
    Posts
    1,470
    Thanks
    71
    Thanked 104 Times in 103 Posts
    Quote Originally Posted by Remix919 View Post
    A bot? What do you mean? At one point I did find a PHP shell script that, when accessed via a web browser, allowed them to view my FTP structure and upload files without having to log in first, but I figured they used the injection to get that file in there in the first place. I highly doubt they have my password because it's highly secure, randomly generated, and I changed it after each incident.

    A bot is a script or program that crawls the web and posts spam and things. Also called Spiders which research things.

    http://en.wikipedia.org/wiki/Web_crawler

    But also some are made strictly for spamming websites and mass emails.

  • #9
    Regular Coder
    Join Date
    Jan 2006
    Posts
    199
    Thanks
    30
    Thanked 0 Times in 0 Posts
    Thanks for all the help, guys! And I updated to your most recent code, Adee. I appreciate your help too, tango, but I do include some files below the root, so I'm not sure if that code will work?

  • #10
    New Coder
    Join Date
    Jul 2011
    Location
    Kediri - Indonesia
    Posts
    61
    Thanks
    2
    Thanked 19 Times in 19 Posts
    Try to validate $view and check that the file exists. I validate it in a few steps.

    Define the valid pages in an array. With the valid pages defined, validation is easy.
    Define a $default page too. The default page is used if $view is not valid. Don't forget to upload the default page.

    Code:
    $default = "main";
    $valid = array("gallery","new");

    $view = isset($_GET['view']) ? $_GET['view'] : $default; // quote the key; no notice when the parameter is absent

    $view = (!in_array($view, $valid)) ? $default : $view; //simple validate
    Don't finish here. The next step is to check whether the file exists. We don't want any error displayed, because hackers very much like looking for errors.

    Code:
    $view = (file_exists($view.".php")) ? $view : $default;
    Then include it:

    Code:
    include($view.".php");
    No error will be displayed, even when you forgot to upload your "view" files.

    I followed this tutorial:
    http://explorecrew.org/portal.php?page=read&ID=196#[PHP] Pages Inclusion Hardening

    In that tutorial, inclusion injection prevention is disclosed completely.

    I am sorry, my English is very bad.

    Hope it helps.
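    The steps of this post put together (allow-list, default fallback, existence check, then include) as one page handler. This is an added example, not code from the thread or the linked tutorial; the views directory, the page names in the allow-list and the sample request values are assumed.

```php
<?php
// Added example (not from the thread or the linked tutorial): allow-list page
// inclusion where the raw request value never reaches include().
// Assumptions: page files live in VIEW_DIR and VALID_VIEWS lists every page.

const VIEW_DIR = __DIR__ . '/views';              // assumed directory of page files
const DEFAULT_VIEW = 'main';
const VALID_VIEWS = ['main', 'gallery', 'new'];   // assumed page names

// Steps 1 and 2 from the post: map the request to an allow-listed name or the
// default. Strict in_array() so only an exact string match is accepted, and
// non-string input (e.g. ?view[]=x) is treated like a missing parameter.
function resolveView($requested): string
{
    if (!is_string($requested) || !in_array($requested, VALID_VIEWS, true)) {
        return DEFAULT_VIEW;
    }
    // Step 3: the file must exist, otherwise fall back silently instead of
    // letting include() emit a warning that reveals server paths.
    if (!is_file(VIEW_DIR . '/' . $requested . '.php')) {
        return DEFAULT_VIEW;
    }
    return $requested;
}

// Step 4: the path is built from constants plus the resolved name only.
function includeView($requested): void
{
    include VIEW_DIR . '/' . resolveView($requested) . '.php';
}

// Constructed sample request values and what each one resolves to.
$samples = [
    'gallery',                 // listed: gallery if views/gallery.php exists, else main
    '',                        // empty: main
    'http://domain.com/hack',  // the value from the first post: main
    'file',                    // not listed: main
    'Gallery',                 // case differs from the list: main
];
foreach ($samples as $s) {
    echo str_pad(var_export($s, true), 26), ' => ', resolveView($s), PHP_EOL;
}

// Real use in a page handler; skipped when the script is run from the command line.
if (PHP_SAPI !== 'cli') {
    includeView($_GET['view'] ?? null);
}
```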
