For free time that I don’t have

explode() and preg_replace() functions are recommended

Sc0rpion — Thu, 02 Sep 2010 15:40:07 +0000

Hi , I wanna indicate to two small and petty serious notes I reached and experiences gotten in php programming , however each programmer has his manner but it’s necessary to read php changelogs .

1 . split() or explode()

I start within split() and explode() functions , my blog followers are agreed to my sentence that I’ve either briefly or fully explained these functions by source example before , so I add addition notes today .
If you’ll be in selection between functions mentioned , which one do you prefer ?
My recommendation is avoiding to use split() ,
As php.net say , split() function has been deprecated as of PHP 5.3.0 , and I liked it since split() is sensitive to regular expression which I’m not really comfortable with !
another reason to have the explode() is that you encounter a problem with the split() when splitting the large string .
for instance to better concept of large word :


$var = "One. Two.";
echo '' , var_dump( split (".", $var) );
echo '
' , var_dump( explode (".", $var) );
?>

I refer to see this link or this link for extra details .

2 . preg_replace() or ereg_replace()

The ereg_replace() has also been deprecated as of PHP 5.3.0 .
It has been a long since I started php programming , I’ve often preg_replace() function which is kind of PCRE functions .
ereg_replace() is not compatible with latest versions of php , change your way to preg_replace() instead of it .
a simple code example I’ve taken from google :


  function sanitize_string($string) {
        $string = ereg_replace(' +', ' ', trim($string));
 
        return preg_replace("/[<>]/", '_', $string);
  }
?>


  function sanitize_string($string) {
        $string = preg_replace('{ +}', ' ', trim($string));
 
        return preg_replace("/[<>]/", '_', $string);
  }
?>

In next update I’ll write about bot-net php system I’ve written few months ago , I hope find it useful :]

Up again !

Sc0rpion — Mon, 30 Aug 2010 18:21:01 +0000

Hi , I’ve been thinking around ten minutes and I couldn’t fine any appropriate title , it doesn’t matter since I want to say my words :]

It’s long time my blog hasn’t been updated so I’ve fairly expected decreasing my blog views , such a dead place , but still I have my visitors and their comments which I never imagined .

Because of few server problems , I changed my server yesterday and during this movement the site had been down , I feel to tell the reason of this unavailability . I restored the buck ups , but it comes natural if some links are inaccessible and I’m gonna fix them all in coming three days .

I leaned valuable techniques in web designing and and accepted two projects … also I designed my own personal website which is visible within link below :

http://y-shahinzadeh.ir

Here I would appreciate Mohsen for his fantasy photography which shines there , about designing , it took a day to be completely made . about my status , I’d been out of internet access in six months ago while now I’m trying to establish it in my home , and it helps me update here faster as I can

Lifeway

Sc0rpion — Sat, 17 Apr 2010 12:33:11 +0000

Hi everybody , I’m ashamed to admit that the phrase just came across my lips … I know it’s long time that my blog hasn’t been updated , three months I think , because of career and student life that I would be out of free time which I indicated in my blog title . I’ve recently ( around two months ) been joined up into Sharif university of technology CERT team . This occupation would be nice for this phase of my life , I have to say thanks for the warm reception to my work . I never imagined it would come out this interesting and it’s going fine , my new mail address is ,

shahinzadeh [at] cert.sharif.edu

And I’ll have my own visit card as soon as possible .
It was for my status , and what’s new ? I’ve newly reached the important notes in php , as you know in a simple sentence , php doesn’t support multithreading however it can be just simulated within complicated ways and sort of codes . since the I’ve confidentiality signed the non-disclosure agreement paper , I can’t say the reason made me fall into this research ( it has definitely been linked to my job ) but like always the most useful function helped me , curl() .
I’m not sure but maybe I put few part of my results here . I’m keep trying to update here faster , till summer that I’ve a lot of free time !

Magic of programing

Sc0rpion — Sun, 31 Jan 2010 21:01:23 +0000

Today I’ve been accidentally paying attention to a php code that reminds me a issue that it ain’t totally important how long has somebody been in programing world , just his ability to reduction and maintenance !
As indicated in my old publishing to seclude the usernames from passwd file , you would see the code I’ve inaccurately been satisfied with , so why and what’s the point ?
See this piece of php code :


$fp = fopen('passwd.txt','r');
$fr = fread( $fp , filesize( 'passwd.txt' ) );
preg_match_all('/(.+?):x:(.+?)/',$fr,$explode);
print_r($explode);
$fp2 = fopen('data.txt','w+');
$fw2 = fwrite($fp2,$content);
fclose($fp);
fclose($fp2);
?>

Which is exactly doing all what my damn 53 lined php code does by neither more extensively nor less so !
That time I didn’t identify preg_match_all() function as well as I do now , however it doesn’t matter at all !
If you had a new idea leave comment and if not … be safe !

Cpanel Bypass Safe mode [ extract tar.gz by Cpanel ]

Sc0rpion — Sat, 30 Jan 2010 21:05:34 +0000

Hello everybody , after a insufferable weak that I complain with , I’m here to post up the blog , I’ve recently been occupied by penetration test on some web applications , while these days I’ve frequently seen several bypasses for php and I just wondered , the vulnerabilities are advancing coming out faster than I thought they would , see the change log of php 5.2.12 :

# Fixed a safe_mode bypass in tempnam()
# Fixed a open_basedir bypass in posix_mkfifo()

By the way the php’s quote ,

All users of PHP 5.2 are encouraged to upgrade to this release

However the story didn’t end here , we would see a new bypass in latest version , PHP 5.2.12/5.3.1 symlink() open_basedir bypass !
Meanwhile , two days ago , new bug has been found in cPanel which allows somebody to bypass the safe mode or any impermissible file .
Allocated link due this security hole :

http://securityreason.com/exploitalert/7740

If you take a look , you realize that it’s such a cryptic text ( because of his bad English and explanation ( his speech ain’t specifically clear ) .
Considering to the article at securityreason.com at beginning these two commands have to be executed :

ln -s /etc/passwd t.xt
tar -zcf red.tar.gz t.txt

Note that it doesn’t make any difference that where has the command been executed , we need to that gz file containing the t.txt which linked to the file we aimed to read , at this case passwd file .
During this article the passwd file is supposed to be an inaccessible by any owner in shell script , so after creating the file mentioned above , we have to gain the cPanel password of the any user located on the server . I ain’t gonna throw this subject and assume that the access is granted !
All have to be done is just logging into cPanel by the valid credential you’ve gotten , uploading the red.tar.gz and extracting it by cPanel , when you open the t.txt you will see the passwd file loaded there !
I recorded tutorial clip for the better concept , loading here , I hope you find it useful , be safe !

Sc0rpion.ir hacked

Sc0rpion — Wed, 27 Jan 2010 16:39:18 +0000

You may be announced of my web site hacked few days ago , it was around five O’clock , I was received an instant message of defacement of the sc0rpion.ir , I knew that it’s not an imbalance , each site has approximately been hacked one time till today .
I was curious of the procedure of the attacking since I had word press and my own portal installed in my host , so I suspected of any probable vulnerability in them , after a while I confidently reached the point that it couldn’t be right !
I asked Mehrdad ( server administrator ) to give me the logs , after reading the logs , I found the hole , the hacker had gotten the web shell from a site located in server and read the passwd file because it was permissible inaccurately . hacker had connected to database and changed my Email address then he used the forgot pass trick !
And it went till defacement , it’s not clear to my yet since I had charily fixed the permissions of directories and files !
This was the story of my site hacked , I hope I don’t see another page in future , Yashar .

Bypassing the mysql_real_escape_string()

Sc0rpion — Fri, 22 Jan 2010 16:32:04 +0000

This publishing is around bonus stuff which I’ve considered ,MySQL injection , I had written a query :

/page.php?id=-1 union select table_name,2 from from information_schema.tables
where TABLE_SCHEMA='Sc0rpion'

As you see we used a single quote in query , in some cases , when either the magic_quote is on , or the programmer has secured the dynamic query by mysql_real_escape_string() function , you will see the prevention of executing your injection query .
I will preface two techniques that could be used in various queries of injection , they can’t be named security holes , just obfuscation ! ( for instance remember how the mod_security module is bypassed by variant tricks ) .

1 . ASCII equivalent to bypass

I accidentally faced a similar situation last night and it was main reason made me post up here , all has to be done is substituting the string by equivalent decimal ASCII value , for example in link above , the ‘Sc0rpion’ should exactly be converted , my online string converter :

http://sc0rpion.ir/converter.php

The hex values must be understood in an URL yielded , our new query would be like example below and there won’t any resistance from neither mysql_real_escape_string() function nor magic_quote ,

/page.php?id=-1 union select table_name,2 from from information_schema.tables
where TABLE_SCHEMA=char(83,99,48,114,112,105,111,110)

Query is executed without any disturbance , the tables lists will be appeared in front of your face . ( by using group_concat() function )

1 . HEX equivalent to bypass

There is another bypass method to load any file by load_file() function , if the magic_quote supposed to be enabled you will see the following query returns the fail of injection :

/page.php?id=-1 union select 1,load_file('etc/passwd')--

Since we used single quote , for conducting this attack to the success , the file which has specifically been chosen to be loaded , must be converted into hex format :

load_file(0xHEX);

As you see the is instruction which has to be observed ( 0x prefix before the hex code ) . for converting the string you can do it by script I accented already , http://sc0rpion.ir/converter.php , or easily by MySQL command line :

SELECT CONCAT(HEX('c:\\boot.ini'));

Our manufactured hex code is ready :

'etc/passwd' = 0x6574632f706173737764

So , we would change our query :

/page.php?id=-1 union select 1,load_file(0x6574632f706173737764)--

And the file will be loaded . I hope you enjoy this article , Yashar .

Current status

Sc0rpion — Tue, 22 Dec 2009 10:31:17 +0000

Finally after a couple of unfortunate events that led me to be away from virtual world , I’m here with a tolerable home and internet connection , I’ve fixed up my most of my problems such as changing server and .. I think I can continue just like before .
I’m student now and have a nice time here , by the way we started new project ( ISCN team ) … and I’m gonna write a rest of my new portal . I’m trying to join up into Sharif university of technology to make up money ( with mort ) .
This publishing is just such an announcement of my status , always be safe , Yashar .

6th International ISC Conference on Information Security and Cryptology

Sc0rpion — Mon, 12 Oct 2009 17:06:13 +0000

6th International ISC Conference on Information Security and Cryptology was successfully held in Isfahan . I went because of invitation I’d received from Ali Abbasi ( black_ice ) . there wasn’t only me but also we were a team formed from four people and we appeared as ” vulnerability analysis & penetration testing group - computer security incident response team - Sharif university of technology ” .
I was absorbed when I heard of hacking competition ( war game ) covered and organized by Isfahan university . we divided to two team . the war game for my team had been consisted from three phrases . at beginning we should have crack the WEP ( 128 bit ) and hack into the system . in the second part we faced a vulnerable PHP application which had directory traveling and LFI bug . we succeed to access to the proxy server passwords by this hole and we read configuration file , then we connected to last target by proxy server ( it was impossible to do it without proxy server ) .
As I said we passed two stages in 23 minutes . the second team did it in 293 minutes ! it became more interesting when nobody could pass the 3th stage . there was a damn blind SQL injection , in SQL server . the time ends for all 13 teams and since we done the stages in minimum possible time , we won rarely .
some pictures : ( I’ll update it when I got all pictures ) :

http://sc0rpion.ir/images/sh/1.jpg
http://sc0rpion.ir/images/sh/2.jpg
http://sc0rpion.ir/images/sh/3.jpg
http://sc0rpion.ir/images/sh/4.jpg

And few lines about myself , my life divided into two parts , internet life and studying life , I have access to the internet by me own computer nearly 2 days in week , although it is not gonna be continue in future I think I’ve to endure this situation around three months or lesser . the comfortability of my internet connection isn’t like before in another word I should pay a lot of money for a little online working in places such as coffee net and I wish if all things end here . this is another problem in my life and you will face of my miss activity in this blog , however , I’ll spend my time as well as I can , Yashar .

Ward class

Sc0rpion — Tue, 29 Sep 2009 11:28:43 +0000

In the present paper there will be a speech about one of safety ways of the programming language PHP . in each web application you surely must care about any processing data obtained from the user and operating for their storage the database MySQL .
today I wanna introduce a useful class currently used in my new CMS which I’m working on . one way or another , you always have to try to make secure your portal or any small script or etc . the following code defines a class named ward that consists of an four associative functions to validate the incoming strings and remove unacceptable characters from them .

/*
| -------------------------------------------------------------------
| Ward Class , Consists Of Four Functions
| Coded by Sc0rpion <> http://www.sc0rpion.ir
| |
| |
| + -> filtering() 
| + -> valid_str()
| + -> clear_str()
| + -> scape()
| -------------------------------------------------------------------
*/
 
class ward
{
        var $input;
        function filtering ( $str )
        {
        $this -> input = $str;
        if (
        strstr ( strtolower ( $this -> input ) , ';' ) != ''
        or strstr ( strtolower ( $this -> input ) , "'" ) != ''
        or strstr ( strtolower ($this -> input ) , "*" ) != ''
        or strstr ( strtolower ( $this -> input ) , "/" ) != ''
        or strstr ( strtolower ( $this -> input ) , "*" ) != ''
        or strstr ( strtolower ( $this -> input ) , "union" ) != ''
        or strstr ( strtolower ( $this -> input ) , "order" ) != ''
        or strstr ( strtolower ( $this -> input ) , "+" ) != ''
        or strstr ( strtolower ( $this -> input ) , "http" ) != ''
        or strstr ( strtolower ( $this -> input ) , "ftp" ) != ''
        or strstr ( strtolower ( $this -> input ) , "`" ) != ''
        or strstr ( strtolower ( $this -> input ) , "-" ) != ''
        or strstr ( strtolower ( $this -> input ) , ")" ) != ''
        or strstr ( strtolower ( $this -> input ) , "(" ) != ''
        or strstr ( strtolower ( $this -> input ) , ".." ) != ''
        or strstr ( strtolower ( $this -> input ) , "concat" ) != ''
        )
                {
                        return TRUE;
                }
        }
 
/*
| -------------------------------------------------------------------
| Checking The Validation Of String ( URL )
| -------------------------------------------------------------------
*/
 
        function valid_str ( $this -> input )
        {
        $this -> input = $str;
        if ( eregi ( "^[0-9a-zA-Z_-]*$" , $this -> input ) ) return TRUE; else return FALSE;
        }
/*
| -------------------------------------------------------------------
| Clean Special Chars And Code Tags From The String
| -------------------------------------------------------------------
*/
 
        function clear_str ( $str )
        {
        $this -> input = $str;
        $str = strip_tags( $this -> input ); // Cleaning HTML
        $str = eregi_replace( "[<>/\?&`~@#\$%\^*;']" , "" , $this -> input ); // Cleaning
        if( !get_magic_quotes_gpc() ) $str = mysql_real_escape_string( $this -> input );
        return $str;
        }
 
/*
| -------------------------------------------------------------------
| Scaping Special Characters
| -------------------------------------------------------------------
*/
 
        function scape( $str )
        {
        $this -> input = $str;
        if( !get_magic_quotes_gpc() ) $this -> input = mysql_real_escape_string( $this -> input );
        return $this -> input;
        }
 
}
 
/*
| -------------------------------------------------------------------
| End Of Ward Class
| -------------------------------------------------------------------
*/

I point out to each function quickly and brief explanation to each of them .
filtering() function : eliminates the sensitive expressions that I defined , they can simply be added , deleted or modified and the structure is very simple :

1	or strstr ( strtolower ( $this -> input ) , " your char " ) != ''

As determining the specific character defined in function it returns true . simple example of usage :

1 2	$ward = new ward(); if ( $ward -> filtering( $input ) ) die(' you are a good hacker ');

valid_str() function : it checks whether if the input string has an unnecessary characters or not , returns true as if it is :

$ward = new ward();
if ( $ward -> valid_str( $input ) ) {
die(' your username must only be chosen between letters or numbers ');
}

clear_str() function : this function has a little difference from two previous functions , and it belongs to amount returning from this function . it returns the input string but not completely just washes all the dangerous characters such as HTML tags , some defined keywords and special characters in a string for use in a SQL statement , in the simple word it mostly provide the safe string and it can be trusted . just try it to get better concept of that :

1
2
3

$ward = new ward();
$input = "
 hu I'm a string ' ' ' link";
echo $ward -> clear_str( $input );

scape() function : I think I can leave it without any extra comment .

Here was my ward class which I wrote before , you can edit and use it on your road . another future of using this class is saving your maintainability and little performance but a major safety . I hope find it useful , Yashar .