Forcing Code To Work !

26 comments, last by tanzanite7 10 years, 3 months ago

aah my head hurts :(


This code is awesome, it allows me to overwrite all files on your server that the php process has rights on.

Jan F. Scheurer - CEO @ Xe-Development

Sign Up for Xe-Engine™Beta

This code is awesome, it allows me to overwrite all files on your server that the php process has rights on.

If you can do that in 12 characters, I would like to see it.


<form action="' . $_SERVER['PHP_SELF'] . '" method="POST">
    Game Name: <input type="text" name="gn" maxlength="12"><br>
    User Name: <input type="text" name="un" maxlength="12"><br>
    Password : <input type="text" name="pw" maxlength="12"><br>
    <button type="submit">Submit !</button><br>
</form>

I cannot remember the books I've read any more than the meals I have eaten; even so, they have made me.

~ Ralph Waldo Emerson

This code is awesome, it allows me to overwrite all files on your server that the php process has rights on.

If you can do that in 12 characters, I would like to see it.

Err... you are aware that this is just a hint to the browser, right? Nothing prevents one from posting 200 characters when you make an input field 12 characters. Neither Apache nor PHP cares either, as long as you don't exceed the maximum post size, which is something around 4 kilobytes by default (or maybe more in the meantime; it used to be 4 KB in the 1990s, probably something like 256 KB nowadays).

I did not realize that ... The size limit for PHP $_POST is 8 MB by default (which is handy for loading maps into JavaScript).

I cannot remember the books I've read any more than the meals I have eaten; even so, they have made me.

~ Ralph Waldo Emerson

The browser doesn't let you type those extra characters, but you can either post from a separate file/page or use JavaScript to alter the form settings.

I did not realize that ... The size limit for PHP $_POST is 8 MB by default (which is handy for loading maps into JavaScript).

That's why I called opening and writing to a file with a user-supplied, non-validated name "courageous" earlier. An attacker who knows that your script works that way can write a simple socket program (or just use telnet!) to send you a string that is much longer than your anticipated 12 characters. Or even if they don't know, they might just try to see what happens.

Besides, even short strings can be dangerous if unvalidated: /etc/passwd is 11 characters long. *cough* Hopefully, the web server doesn't run as root.

You should always, no exceptions, assume that anything that comes from the user is malicious, and never, no exceptions, use any user input without validating it and making sure that there is no way, even theoretically, that it could be abused, and you should never, no exceptions, let the user choose such a thing as a filename, a script name, a command to execute, or a table name or a SQL command. Even if validated, this is still a possible danger since you might forget one special case.

There is no such thing as harmless user input.


You should always, no exceptions, assume that anything that comes from the user is malicious, and never, no exceptions, use any user input without validating it and making sure that there is no way, even theoretically, that it could be abused, and you should never, no exceptions, let the user choose such a thing as a filename, a script name, a command to execute, or a table name or a SQL command. Even if validated, this is still a possible danger since you might forget one special case.

There is no such thing as harmless user input.

This.

Just wanted to add, in case that is also not clear: cookie data is also not safe, it's easy to modify, so I could very easily go into the following code branch and let your server give me any file the PHP process has access to.


if (file_exists("u/".$_COOKIE["a"])) {
    $co = file_get_contents("u/".$_COOKIE["a"]);
    $co2 = explode("|", $co);
    echo "Hello: " . $co2[0] . "<br>";
}
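An added example (not from the thread) that puts together the advice of the two posts above: the field length is enforced on the server, not by `maxlength`, and neither a POST field nor a cookie value is allowed to pick a file on its own. The `u/` directory and the `|`-delimited profile format come from the quoted snippet; the function names and the profile location beside the script are assumptions.

```php
<?php
// Added example (not from the thread): the "u/<cookie>" lookup from the post
// above, rewritten so the cookie value can only select a file inside u/.
// Assumes profile files live in a directory "u/" beside this script and hold
// "GameName|..." as in the original snippet.
const PROFILE_DIR = __DIR__ . '/u';

// maxlength="12" in the form is only a browser hint; the same bound (and a
// charset allowlist) is enforced here, on the server, for every token.
function validToken(string $v): bool
{
    return preg_match('/\A[A-Za-z0-9_]{5,12}\z/', $v) === 1;
}

// Resolve the token to a file, then prove the resolved path is still inside
// PROFILE_DIR. realpath() collapses "../" and symlinks, so even a token that
// somehow passed the allowlist cannot reach /etc/passwd.
function profilePath(string $token): ?string
{
    if (!validToken($token)) {
        return null;
    }
    $base = realpath(PROFILE_DIR);
    $path = realpath(PROFILE_DIR . '/' . $token);
    if ($base === false || $path === false) {
        return null;                       // directory or file missing
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // resolved outside u/, refuse
    }
    return $path;
}

// Cookies arrive as strings or arrays (a[]=x), so check the type before use
// and never echo a rejected value back into the page.
function greetingFromCookie(array $cookie): string
{
    $raw  = $cookie['a'] ?? null;
    $path = is_string($raw) ? profilePath($raw) : null;
    if ($path === null || ($data = file_get_contents($path)) === false) {
        return 'Hello, guest';
    }
    $fields = explode('|', $data);
    return 'Hello: ' . htmlspecialchars($fields[0], ENT_QUOTES, 'UTF-8');
}

echo greetingFromCookie($_COOKIE), "<br>\n";
```

With the allowlist in place the `realpath()` containment check is redundant, which is the point: a second, independent check catches the special case the first one forgot.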

Jan F. Scheurer - CEO @ Xe-Development


I have been working on the code, and here is the second generation.

After I tweak this, it will get turned into an actual login page !


<html>
<head><title>Landing Page</title></head>
<?php
include "sql.php";
$me =  $_SERVER['PHP_SELF'];
function check($v){
return isset($_POST[$v]);
}
function test($col,$val){
global $sql, $table; 
$tst = mysqli_query($sql,"SELECT ".$col." FROM ".$table." WHERE ".$col."='".$val."'");
if (mysqli_fetch_array($tst) ){
 return true;
}
else{
return false;
}
}
 function verify ($imp){
	 $imp1 = preg_replace('/[^A-Za-z0-9_]/', " ", trim($imp) );
	 if ($imp == $imp1){
	 return true;
	 }
	 else{
	 return false;
	 }
	}
function button ($txt,$set){
global $me;
 echo '<form action="' . $me . '" method="POST">
  <input type="submit" name="'.$txt.'" value="'.$set.'">
  </form>';
}
	
	if (isset($_COOKIE["ID"])){
	$result = mysqli_query($sql,"SELECT ID FROM ".$table." WHERE ID='".$_COOKIE["ID"]."'");
	if (mysqli_fetch_array($result)){
		$temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT Game_Name FROM ".$table." WHERE ID='".$_COOKIE["ID"]."'") );
		echo "Welcome " . $temp["Game_Name"] . " !<br>";
	}
	else{
	setcookie("ID", "", time() - 3600); // expire the stale cookie in the browser too
	unset($_COOKIE["ID"]);
	}}
	
	if (!check("Sign_Up")  and !check("Sign_In") and !check("Su_User_Name") and !check("Si_User_Name")){
	echo "<center><b>Welcome! Please sign in or sign up !<br></b></center>";
	button("Sign_In","Sign In");
	button("Sign_Up","Sign Up");
	}
	
	if (check("Sign_In") ) {
echo '<center><b>Please sign in here.</b></center><br><form action="' . $me . '" method="POST">
<br>User Name: <input type="text" name="Si_User_Name">&nbsp;
  Password: <input type="text" name="Si_Password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
	}
	
	if (check("Sign_Up") ) {
	echo '<center><b>Please do not use special characters.<br>Letters, numbers and _ allowed.<br>Length must be longer than 4 characters.<br></b></center><form action="' . $me . '" method="POST">
<br>User Name: <input type="text" name="Su_User_Name">&nbsp;
  Game Name: <input type="text" name="Su_Game_Name"> &nbsp;
  Password: <input type="text" name="Su_Password">&nbsp;
  <button type="submit">Submit !</button>
  </form><br>';
	}
	
	if (check("Su_User_Name") and check("Su_Game_Name") and check("Su_Password") ){
     if (!verify($_POST["Su_User_Name"]) or !verify($_POST["Su_Game_Name"]) or !verify($_POST["Su_Password"]) or strlen($_POST["Su_User_Name"]) < 5 or strlen($_POST["Su_Game_Name"]) < 5 or strlen($_POST["Su_Password"]) < 5 ) {
	  echo "<center><h3><b>Letters, numbers and _ only. Length must be greater than 4 characters.</b></h3></center><br>";
	  button("x","<-- Back");
	 }
	 else{
      if (test("Login_Name",$_POST["Su_User_Name"]) ){
	  echo "<center><b>User name taken.<br></b></center>";
	  button("x","<-- Back");
	  }
	  elseif(test("Game_Name",$_POST["Su_Game_Name"]) ){
	   echo "<center><b>Game name taken.<br></b></center>";
	   button("x","<-- Back");
	  }
	  else{
	  $x = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"; // lowercase z was missing
      $x2 = '';
		for ($i = 0; $i < 21; $i++) {
			$x2 .= $x[rand(0, strlen($x) - 1)];
	  }
	  mysqli_query($sql,"INSERT INTO ".$table." (Game_Name,Login_Name,Blarg,ID)VALUES('".$_POST["Su_Game_Name"]."','".$_POST["Su_User_Name"]."','" .$_POST["Su_Password"]."','".$x2."')");
	  echo "<center><b>Account created !<br></b></center>";
	  $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT * FROM ".$table." WHERE ID='".$x2."'") );
      setcookie("ID",$temp["ID"], time()+3600);
	  button("x","<-- Back");
	  
	  }
	 }
	}
	
	if (check("Si_User_Name") and check("Si_Password") ) {
	$tmp1 = preg_replace('/[^A-Za-z0-9_]/', " ", trim($_POST["Si_User_Name"] ) );
	$tmp2 = preg_replace('/[^A-Za-z0-9_]/', " ", trim($_POST["Si_Password"] ) );
	  if (test("Login_Name",$tmp1) and test("Blarg",$tmp2) ){
	  echo "<center><b>Logged in !<br></b></center>";
	  $temp = mysqli_fetch_assoc(mysqli_query($sql,"SELECT * FROM ".$table." WHERE Login_Name='".$tmp1."'") );
      setcookie("ID",$temp["ID"], time()+3600);
	  button("x","<-- Back");
	  }
	  else{
	   echo "<center><b>Bad name or password. Please try again.<br></b></center>";
	   button("x","<-- Back");
	  }
	}

 ?>
</html>
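Added example, not the thread author's code: the `test()`, sign-up and sign-in paths of the page above rewritten with mysqli prepared statements and `password_hash()`, so that neither the cookie, the user name nor the password ever becomes part of a query string. It assumes the table is named `users` and has a `Pass_Hash` column in place of `Blarg`; the `$sql` connection and the other column names are the page's.

```php
<?php
// Added example (not the thread author's code): test(), sign-up and sign-in from
// the page above, rewritten so user input is never spliced into SQL text.
// Assumes a mysqli connection $sql and a table "users" with the columns
// Game_Name, Login_Name, Pass_Hash and ID (Pass_Hash replaces "Blarg").
// Column names cannot be bound as parameters, so test($col,$val) keeps its
// shape but only accepts an allowlist of columns; the value goes via bind_param.
function rowExists(mysqli $sql, string $col, string $val): bool
{
    if (!in_array($col, ['Login_Name', 'Game_Name', 'ID'], true)) {
        throw new InvalidArgumentException("column not allowed: $col");
    }
    $stmt = $sql->prepare("SELECT 1 FROM users WHERE `$col` = ? LIMIT 1");
    $stmt->bind_param('s', $val);
    $stmt->execute();
    $found = $stmt->get_result()->fetch_row() !== null;
    $stmt->close();
    return $found;
}
// The original's rule, enforced server-side: letters, digits, _, 5 to 12 chars.
function validField(string $v): bool
{
    return preg_match('/\A[A-Za-z0-9_]{5,12}\z/', $v) === 1;
}
// Sign-up: store a hash, not the password; session ID from a CSPRNG, not rand().
function signUp(mysqli $sql, string $game, string $login, string $pw): ?string
{
    if (!validField($game) || !validField($login) || strlen($pw) < 5
        || rowExists($sql, 'Login_Name', $login) || rowExists($sql, 'Game_Name', $game)) {
        return null;
    }
    $id   = bin2hex(random_bytes(16));
    $hash = password_hash($pw, PASSWORD_DEFAULT);
    $stmt = $sql->prepare('INSERT INTO users (Game_Name, Login_Name, Pass_Hash, ID) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $game, $login, $hash, $id);
    $stmt->execute();
    $stmt->close();
    return $id; // caller: setcookie('ID', $id, time() + 3600, '/', '', true, true)
}
// Sign-in: fetch the hash by login name and verify; the password never reaches
// a query, so it needs no character stripping.
function signIn(mysqli $sql, string $login, string $pw): ?string
{
    $stmt = $sql->prepare('SELECT ID, Pass_Hash FROM users WHERE Login_Name = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return ($row !== null && password_verify($pw, $row['Pass_Hash'])) ? $row['ID'] : null;
}
```

The cookie check at the top of the original page would use `rowExists($sql, 'ID', $_COOKIE['ID'])` in the same way, so a forged cookie can only ever match or not match a row.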


This topic is closed to new replies.
