Can Someone Help With PHP Being Exploited?

PHP
1

So… I have gotten notice from my host that malicious files have been being uploaded to my site. When I asked how, they said that they were being uploaded through this PHP code. Could someone explain to me how and if it’s possible to stop the exploit? For the time being, I have just removed the PHP and I am using standard HTML.

Since I cannot upload files as a new user, I hope you don’t mind my posting it here::

<?php
/*
Name:	Prev-Next Page script
Author:	Derek Tombrello
Email:	example@example.com
Purpose:	adds links for the previous and next pages from a list of links
*/

	$pagefiles = array(
		// "list of all pages accessable through prev-next loop",
		"dogcom.htm",
		"isobot.htm",
		"omnibot.htm",
		"omnibot2k.htm",
		"spacebuddy.htm",
		"robiejr.htm",
		"verbot.htm",
		"kasey.htm",
		"readwithpooh.htm",
		"powermax.htm",
		"rockem.htm",
		"sbd3000.htm",
		"toby.htm",
		"2xl_t.htm",
		"alphie.htm",
		"alphie2.htm",
		"alphie2010",
		"bigtrak.htm",
		"botster.htm",
		"dino-chi.htm",
		"furbyb.htm",
		"furby.htm",
		"furby59294.htm",
		"ewok.htm",
		"icybie.htm",
		"idog.htm",
		"meowchi.htm",
		"miopup.htm",
		"poochi.htm",
		"r2cassette.htm",
		"r2d2ia.htm",
		"r2d2mini.htm",
		"robobaby.htm",
		"ta_alphie.htm",
		"talkingalphie.htm",
		"tjbearytales.htm",
		"chatterbot.htm",
		"cyber_spider.htm",
		"femisapien.htm",
		"flytech.htm",
		"robopet.htm",
		"roboquad.htm",
		"roboraptor.htm",
		"roboremote.htm",
		"robosapien.htm",
		"rsv2.htm",
		"sapienjr.htm",
		"rovio.htm",
		"tribot.htm",
		"wowwee_minis.htm",
		"mcds_wowwee.htm",
		"dinkie.htm",
		"kittyt.htm",
		"newborn.htm",
		"polly.htm",
		"puppyt.htm",
		"steg.htm",
		"julie.htm",		
		"mothergoose.htm",
		"ruxpin.htm",
		"2xl_m.htm",
		"allysen.htm",
		"b9.htm",
		"bart.htm",
		"bigbird.htm",
		"bionicbug.htm",
		"brianthebrain.htm",
		"blobot.htm",
		"brianthebrain.htm",
		"capselamx.htm",
		"climbatron.htm",
		"coinstruction.htm",
		"commandobot.htm",
		"commandobot4.htm",
		"compurobot.htm",
		"mouse.htm",
		"emiglio.htm",
		"hexbug.htm",
		"hubot.htm",
		"ique.htm",
		"laserbot.htm",
		"ssmarty.htm",
		"mars.htm",
		"microchip.htm",
		"perigee.htm",
		"mindstorms20.htm",
		"mcradio.htm",
		"dinosaur.htm",
		"mypal2k.htm",
		"nrob.htm",
		"odyssey.htm",
		"ozzi.htm",
		"pinkdino.htm",
		"popitojr.htm",
		"preschool.htm",
		"pumpkinhead.htm",
		"rad20.htm",
		"ramon.htm",
		"robie_bank.htm",
		"robocharger.htm",
		"robotclock.htm",
		"robobank.htm",
		"rworkshop.htm",
		"roomba.htm",
		"rumble.htm",
		"saturn.htm",
		"robug.htm",
		"soundtrack.htm",
		"spacerobot.htm",
		"spider.htm",
		"spykee.htm",
		"steve.htm",
		"s_armatron.htm",
		"smarty.htm",
		"tommy.htm",
		"turbo.htm",
		"weebot.htm",
		"wooden.htm",
		"related.htm",
	);
	$numberofpages = count($pagefiles)-1;
	
/*	$currentpage = $HTTP_GET_VARS['filename']; */
  $currentpage = $_GET['filename'];
	$previous = $numberofpages;
	$next = 0;
	$counter = 0;

	while ($counter <= $numberofpages){
		if ($currentpage == $pagefiles[$counter]){
			if ($counter > 0){
				$previous = $counter-1;
			}
			if ($counter < $numberofpages){
				$next = $counter+1;
			}
			break;
		}
	$counter++;
	}
	
	include $currentpage;
	
	echo "<center><font size=5>";

/*
		echo "<a href=\"{$_SERVER['PHP_SELF']}?filename=$pagefiles[$previous]\">&lt;&lt; prev</a> ";
		echo "&nbsp;";
		
		echo "| <a href=\"http://www.RobotsAndComputers.com/robots/personal.htm\">
		      Back to Collection</a> |";
	
		echo "&nbsp;";
		echo "<a href=\"{$_SERVER['PHP_SELF']}?filename=$pagefiles[$next]\">next &gt;&gt; </a>";
*/

		echo "<a href=\"{$_SERVER['PHP_SELF']}?filename=$pagefiles[$previous]\">
		      <img src=\"images/previous.png\"></a> ";
		
		echo "<a href=\"http://www.RobotsAndComputers.com/robots/personal.htm\">
		      <img src=\"images/back.png\"></a> ";
	
		echo "<a href=\"{$_SERVER['PHP_SELF']}?filename=$pagefiles[$next]\">
		      <img src=\"images/next.png\"></a>";

	echo "</font></center>";

?>
2

Well for one, make sure you check the get filename against your pagefiles array to make sure what is passed at least has a valid name otherwise define currentpage as a valid default file.

$currentpage = (isset($_GET['filename']) && in_array($_GET['filename'],$pagefiles) ? $_GET['filename'] : "dogcom.htm");

A better way would be to pass the pagefiles array KEY of the page as the get filename value and so if this array_key_exisits you include the array value (file) for that KEY instead of ANYTHING that was passed with GET.
You would simply be passing KEYs which you can check against your array.


?filename=0
?filename=1
?filename=2
1 Like
3

Is it possible to replace $_GET with $_POST?

Check out the differences by searching for $_GET vs $_POST

Also have a hidden input text box which could only be populated by robots that populate all fields.

4

Have you looked at the PHP documentation page for include?

http://php.net/manual/en/function.include.php

Warning
Security warning

Remote file may be processed at the remote server (depending on the file extension and the fact if the remote server runs PHP or not) but it still has to produce a valid PHP script because it will be processed at the local server. If the file from the remote server should be processed there and outputted only, readfile() is much better function to use. Otherwise, special care should be taken to secure the remote script to produce a valid and desired code.

NOTE, just because a file ends with the .htm extension does not mean that the file returned isn’t a PHP file.

1 Like
5

I appreciate all of the replies. I am by no means a PHP programmer. I learned this just long enough to write this code a few years ago and I have forgotten everything I knew about it. I am going to have to read and re-read the responses to see if I can understand them. Thanks, guys…

2 Likes
6

In case you are not clear about the answers, these are the two lines that I see a potential for exploit:-

$currentpage = $_GET['filename'];

A user can type absolutely anything they like into a URL variable.
Then:-

include $currentpage;

You include whatever it was that they put into the URL.
So a hacker could put in a URL to their own malicious code, which you then include in your script. :grimacing:

So because the content of $_GET['filename'] is expected to match an entry in your array, do as they say and use the entry from the array (something you wrote yourself, not what a user wrote) that matches $_GET['filename'].
And if $_GET['filename'] does not match anything in the array (it was tampered with by a user) then do something else, like set a default page or a 404 or whatever you think appropriate.

7

Thank you. That does help a lot!

8

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.