Saying of the day

October 22nd, 2006 by admin

REMEMBER: TRANCE or DiE… that’s all !

Posted in fun | No Comments »

eval gzinflate base64_decode str_rot13 part 2

October 19th, 2006 by admin

On all my servers the PHP configuration value short_open_tag is disabled. That means I must write <?php and cannot use the short <? to open a PHP block. Another fact (quote from php.net/eval):

eval() is used to protect (read: hide) source code. A well known way to encrypt some php code is security through obscurity. Someone used eval(base64_encode(".....")); - which basically had 10-16 nested calls to eval(base64_encode()) inside the data.

Most of these protected scripts use the short tag to open PHP, so I cannot execute them. Therefore I coded a little function that deals with the problem. But the old function only decrypts "gzinflate(str_rot13(base64_decode(.....)))" and "gzinflate(base64_decode(...))"; that is crap and does not work on most scripts (see comments). Now I have coded a whole class that deals with this problem. The class can recursively "decrypt" these scripts and lets you download the original source code. I tested the class with scripts that are protected with the following functions (of course recursively).

Note: the class is really easy to use. Look at the source and you will know how.

Note 2: please do not edit the class and ask for help if you get any error (see comments).

Note 3: THIS IS IMPORTANT -> do NOT use the class to break any license, law or copyright.

The last note: check the decrypted source code and you will see 2 little errors. Correct them and you are done.

PHP:
  <?php
  // unwraps eval(gzinflate(base64_decode('...'))) style wrappers layer by layer
  // and sends the innermost source back as a download
  class decode
  {
      public $org_data;
      public $result;
      public $done;
      public $file;
      public $execute = array();

      function __construct($file)
      {
          $this->org_data = file_get_contents($file);
          $this->result = $this->org_data;
          $this->done = false;
          $this->file = $file;
      }

      function strip_php_tags($str)
      {
          // assumed tag list: the original listing only shows Array('') here
          $str_del = array('<?php', '<?', '?>');
          return str_replace($str_del, '', $str);
      }

      // the call chain is everything before the first quote, e.g. eval(gzinflate(base64_decode(
      // the payload is everything between the first and the last quote
      function strip_what_to_execute()
      {
          $possible_code = substr($this->result, 0, strpos($this->result, "'"));
          $possible_code_end = strrpos($this->result, "'");
          if ($this->test_possible_code($possible_code) && count($this->execute) > 0) {
              $possible_code_start = strlen($possible_code) + 1;
              $this->result = substr($this->result, $possible_code_start, $possible_code_end - $possible_code_start);
          }
      }

      // drop control bytes, high bytes and whitespace around the call chain
      function clean_string($str)
      {
          $str = trim($str, "\x00..\x1f");
          $str = trim($str, "\x7f..\xff");
          return trim($str);
      }

      // split the call chain into function names; stop when there is no eval() left
      function test_possible_code($str)
      {
          $str = $this->clean_string($this->strip_php_tags($str));
          $functions = explode('(', $str);
          $this->execute = array();
          if (!in_array('eval', $functions)) {
              $this->done = true;
              return false;
          }
          foreach ($functions as $function) {
              if ($function != '' && $function != 'eval') {
                  // the names come from the untrusted file and only function_exists() is
                  // checked, so any callable named there will run in execute(); restrict
                  // this to the decoders you expect (gzinflate, base64_decode, ...)
                  if (!function_exists($function)) {
                      $this->error('sorry but i can not access the function:"' . $function . '"');
                  } else {
                      $this->execute[] = $function;
                  }
              }
          }
          return true;
      }

      // rebuild the decoder chain around the payload and evaluate it, e.g.
      // $this->result = gzinflate(base64_decode('...'));
      function execute()
      {
          $cmd_str = '';
          $cmd_end = '';
          foreach ($this->execute as $cmd) {
              $cmd_str .= $cmd . '(';
              $cmd_end .= ')';
          }
          // the payload is wrapped in single quotes, so a quote or backslash inside it breaks the eval
          $eval = $cmd_str . "'" . $this->result . "'" . $cmd_end;
          eval("\$this->result = " . $eval . ";");
      }

      function error($msg)
      {
          die($msg);
      }

      // peel one layer per call until no eval() wrapper is left, then download
      function decode()
      {
          $this->strip_what_to_execute();
          if ($this->done == false && count($this->execute) > 0) {
              $this->execute();
              $this->decode();
          } else {
              // i think this is the "decrypted" source
              $this->download();
          }
      }

      function download()
      {
          header('Content-Disposition: attachment; filename="decrypted_' . basename($this->file) . '"');
          header('Content-Type: application/php');
          header('Content-Length: ' . strlen($this->result));
          die($this->result);
      }
  }

  $decode = new decode('test.php');
  $decode->decode();
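The same unwrapping can be done without ever handing the file to eval(). The following Python script is an added example, not the class from this post: it parses each eval(...) wrapper with a regular expression, looks the named decoders up in a fixed allowlist (base64_decode, str_rot13, gzinflate, gzuncompress, strrev are assumed here, since the post does not list the functions it was tested with) and refuses anything else, so an unknown function name in the wrapper is an error rather than a call. The sample input is constructed inside the script by packing a small source file twice, the way such wrappers are built.

```python
import base64
import re
import zlib

# Recognises one wrapper layer such as
#   <? eval(gzinflate(str_rot13(base64_decode('...'))));?>
# group 1: the chain of decoder calls, group 3: the quoted payload
LAYER_RE = re.compile(
    rb"""^\s*(?:<\?php|<\?)?\s*eval\s*\(\s*
         ((?:[A-Za-z0-9_]+\s*\(\s*)+)     # gzinflate( str_rot13( base64_decode(
         (['"])(.*?)\2                    # quoted payload (base64 text, no quotes inside)
         \s*\)+\s*;?\s*(?:\?>)?\s*$""",
    re.S | re.X,
)


def _rot13(data: bytes) -> bytes:
    """PHP str_rot13 on raw bytes: only ASCII letters are rotated, everything else is kept."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def _deflate(data: bytes) -> bytes:
    """PHP gzdeflate: a raw DEFLATE stream without the zlib header."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Allowlist of decoders keyed by PHP function name (assumed set). Any other
# function named in a wrapper is refused instead of being executed.
DECODERS = {
    b"base64_decode": lambda d: base64.b64decode(d),
    b"str_rot13": _rot13,
    b"gzinflate": lambda d: zlib.decompress(d, -15),   # raw DEFLATE
    b"gzuncompress": lambda d: zlib.decompress(d),     # zlib-wrapped
    b"strrev": lambda d: d[::-1],
}

# Inverse operations, used only to construct the sample input below.
ENCODERS = {
    b"base64_decode": lambda d: base64.b64encode(d),
    b"str_rot13": _rot13,
    b"gzinflate": _deflate,
    b"gzuncompress": lambda d: zlib.compress(d),
    b"strrev": lambda d: d[::-1],
}


def unpack(src: bytes, max_layers: int = 64):
    """Strip eval() wrappers until plain source remains. Returns (source, layers)."""
    layers = []
    for _ in range(max_layers):
        m = LAYER_RE.match(src)
        if m is None:
            return src, layers
        names = re.findall(rb"[A-Za-z0-9_]+", m.group(1))
        payload = m.group(3)
        for name in reversed(names):            # the innermost call runs first
            if name not in DECODERS:
                raise ValueError("refusing unknown decoder: %s" % name.decode())
            payload = DECODERS[name](payload)
        layers.append([n.decode() for n in names])
        src = payload
    raise ValueError("too many nested layers")


def pack(src: bytes, names):
    """Build one wrapper layer (names in PHP call order, e.g. gzinflate, base64_decode)."""
    payload = src
    for n in names:                             # encode in the reverse order of decoding
        payload = ENCODERS[n](payload)
    chain = b"(".join(names)
    return b"<? eval(" + chain + b"('" + payload + b"')" + b")" * len(names) + b";?>"


# constructed sample: a tiny script wrapped twice
ORIGINAL = b'<?php\necho "hello world";\n?>\n'
SAMPLE = pack(pack(ORIGINAL, [b"gzinflate", b"str_rot13", b"base64_decode"]),
              [b"gzinflate", b"base64_decode"])

if __name__ == "__main__":
    source, layers = unpack(SAMPLE)
    for depth, chain in enumerate(layers, 1):
        print("layer %d: %s" % (depth, "(".join(chain) + "(" * 0))
    print(source.decode())
```

Because the wrapper is parsed rather than evaluated, a file that names something other than a decoder (for example a file whose first call is strtoupper) stops the run with an error, which is the check the PHP class above leaves to function_exists().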

Posted in coding, php | 43 Comments »

osCommerce multiple Scripts ‘page’ param XSS -> FIX

October 18th, 2006 by admin

Lostmon reported some XSS (Cross Site Scripting) in the admin.

Also the latest version "osCommerce 2.2 Milestone 2 Update 060817" is VULNERABLE.

Here is my fix for the "tep_href_link" function, which is located in "osc-dir/admin/includes/functions/html_output.php". Just add after this code:

PHP:
  function tep_href_link($page = '', $parameters = '', $connection = 'NONSSL') {

add:

PHP:
  $parameters = tep_output_string($parameters);

and the XSS is gone.
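What the one-line fix changes, shown as an added Python example rather than the osCommerce code: the same link builder before and after the encoding step, rendered into an href attribute, plus a small check for whether a quote in the parameters closed that attribute early. HTTP_SERVER and DIR_WS_ADMIN are constructed stand-ins for the osCommerce constants, and html.escape stands in for tep_output_string (an assumption; it also encodes &, < and >, which is valid inside an attribute).

```python
import html

# constructed stand-ins for the osCommerce constants HTTP_SERVER and DIR_WS_ADMIN
HTTP_SERVER = "https://shop.example"
DIR_WS_ADMIN = "/admin/"


def tep_href_link_vulnerable(page, parameters=""):
    """Before the fix: the query string is pasted into the link untouched."""
    link = HTTP_SERVER + DIR_WS_ADMIN + page
    if parameters != "":
        link += "?" + parameters
    return link


def tep_href_link_fixed(page, parameters=""):
    """After the fix: parameters are encoded for an HTML attribute before the link is built.
    html.escape stands in for tep_output_string here (assumption)."""
    parameters = html.escape(parameters, quote=True)
    link = HTTP_SERVER + DIR_WS_ADMIN + page
    if parameters != "":
        link += "?" + parameters
    return link


def render_anchor(href, text):
    """How the admin templates embed the link: inside a double-quoted href attribute."""
    return '<a href="' + href + '">' + text + '</a>'


def attribute_breakout(anchor):
    """True when a raw quote inside the href closed the attribute early."""
    return anchor.count('"') > 2


if __name__ == "__main__":
    tainted = 'page=1"><b>injected</b>'     # constructed input with an attribute-closing quote
    for fn in (tep_href_link_vulnerable, tep_href_link_fixed):
        a = render_anchor(fn("categories.php", tainted), "categories")
        print(fn.__name__, "->", a, "| breakout:", attribute_breakout(a))
```

The encoded link still works as a URL (browsers decode &amp; in attributes), while the quote can no longer terminate the attribute; that is the whole effect of adding tep_output_string to the parameters.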

Posted in coding, php | 1 Comment »

php website benchmark script

October 15th, 2006 by admin

Anyone who optimises their website (shop, forum, homepage, CMS, blog...) knows the problem.

Is one function faster than the other (for vs. foreach)? Should I rather run more SQL queries, or one big one instead? Questions upon questions. To test all this and get average values, I have a benchmark script here.

Via parameters in the script you enter the URL of the page, set the request parameters and additionally configure how often the page should be loaded. As a result you get:

- the average page size and the elapsed latency since the HTTP request
- the total time needed
- the maximum and minimum time for a page load

And at the end the last message from the web server is shown. All this should shed light on which function is faster and which one you had better delete.
Parameters in the script:

$host = 'host.de';
$url = '/osc-22/index.php';
$data = 'products_id=7&test=2636';
$rand = 30;
PS: please do not misuse the script and bombard other people's servers with requests. It is ONLY for optimising your own website.

PHP:
  <?php
  // minimal raw HTTP client used by the benchmark (the listing is cut off in the original post)
  class http_request
  {
      var $data = Array();        // request parameters (query string or body)
      var $header = Array();      // request headers, filled by add_header()
      var $files = 0;             // attached files; > 0 switches to multipart/form-data
      var $proxy_con = false;
      var $get_str = '';
      var $boundary = '';
      var $send_data = '';
      var $send_header = '';
      var $packet = '';
      var $response = '';
      var $host, $port, $type, $file, $http_v, $con;

      function __construct($type, $host, $file, $port = 80, $http_v = 'HTTP/1.1')
      {
          $this->host = $host;
          $this->port = $port;
          if (!$this->set_type($type))
              die('sorry: please set a request type');
          $this->file = $file;
          $this->http_v = $http_v;
          $this->add_header('Host', $host);
          $this->add_header('Connection', 'Close');
      }

      function proxy($host, $port)
      {
          $this->con = @$this->connect($host, $port);
          if (!$this->con)
              die('sorry: the proxy on host "' . $host . '" did not respond on port ' . $port);
          $this->proxy_con = true;
      }

      function connect($host, $port)
      {
          if (!is_numeric($port))
              die('sorry: but this is not a port');
          // dotted-quad IPv4 address: connect directly, otherwise resolve the host name first
          if (preg_match('@^(?:(?:25[0-5]|2[0-4]\d|[01]\d\d|\d?\d)(?(?=\.?\d)\.)){4}$@i', $host))
              return fsockopen($host, $port);
          else
              return fsockopen(gethostbyname($host), $port);
      }

      function get_ascii_file_content($file)
      {
          $content = @file_get_contents($file);
          if ($content == '')
              die('sorry: can not access file or file is empty');
          return $content;
      }

      function get_bin_file_content($file)
      {
          $handle = @fopen($file, "rb");
          if (!$handle)
              die('sorry: can not access file');
          $content = fread($handle, filesize($file));
          fclose($handle);
          return $content;
      }

      function send($set_ct = true)
      {
          if ($set_ct == true)
              $this->set_content_type();
          if ($this->proxy_con != true) {
              $this->con = @$this->connect($this->host, $this->port);
              if (!$this->con)
                  die('sorry: "' . $this->host . '" did not respond on port ' . $this->port);
          }
          $this->send_data = '';
          $contentlength = 0;
          if ($this->type == 'GET') {
              // parameters go into the query string
              $get_str = '';
              foreach ($this->data as $name => $value) {
                  $get_str .= $name . '=' . $value . '&';
              }
              if ($get_str != '')
                  $this->get_str = '?' . substr($get_str, 0, -1);
          } else { // all other request types (POST, CONNECT ...)
              $this->send_data = '';
              if ($this->boundary) {
                  // multipart/form-data body
                  foreach ($this->data as $name => $value) {
                      $part = "--" . $this->boundary . "\nContent-Disposition: form-data; name=\"" . $name . "\"\n\n" . $value . "\n";
                      $contentlength += strlen($part);
                      $this->send_data .= $part;
                  }
                  // the closing delimiter counts at its full length (--boundary--\n)
                  $closing = "--" . $this->boundary . "--\n";
                  $contentlength += strlen($closing);
                  $this->add_header('Content-length', $contentlength);
                  $this->send_data .= $closing;
              } else {
                  // application/x-www-form-urlencoded body
                  foreach ($this->data as $name => $value) {
                      $this->send_data .= $name . '=' . $value . '&';
                  }
                  $this->send_data = substr($this->send_data, 0, -1);
                  $contentlength = strlen($this->send_data);
                  $this->add_header('Content-length', $contentlength);
              }
          }
          // request line: absolute URL when going through a proxy
          if ($this->proxy_con == true)
              $this->send_header = $this->type . ' ' . 'http://' . $this->host . $this->file . $this->get_str . ' ' . $this->http_v . "\r\n";
          else
              $this->send_header = $this->type . ' ' . $this->file . $this->get_str . ' ' . $this->http_v . "\r\n";
          foreach ($this->header as $head_name => $head_value)
              $this->send_header .= $head_name . ': ' . $head_value . "\r\n";
          $this->send_header .= "\r\n";   // the header block ends with an empty CRLF line
          $this->packet = $this->send_header . $this->send_data;
          $this->send_to_host($this->packet);
      }

      function send_to_host($packet)
      {
          if (get_resource_type($this->con) != 'stream')
              die('sorry: no connection');
          fputs($this->con, $packet);
          // read until the server closes the connection (we send Connection: Close);
          // eregi() no longer exists since PHP 7, and looping until "end of headers
          // or eof" with 1-byte reads never terminated when the server hung up early
          $this->response = '';
          while (!feof($this->con)) {
              $this->response .= fread($this->con, 8192);
          }
          fclose($this->con);
      }

      function set_content_type()
      {
          if ($this->files > 0) {
              $this->boundary = '---------------------------' . mt_rand();
              $this->add_header('Content-Type', 'multipart/form-data; boundary=' . $this->boundary);
          } elseif ($this->type != 'GET') {
              $this->add_header('Content-Type', 'application/x-www-form-urlencoded');
          }
      }

      // set_type(), add_header() and the benchmark loop follow in the original post but are cut off here
  }
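The measurement part of the benchmark (average page size, latency to the first header byte, total/min/max time and the server's last reply) is not in the listing above, so here is an added Python example of it, not the post's script. It keeps the post's parameter names (host, url, data, number of runs) but, so that it runs offline, points them at a constructed sample server on localhost that it starts itself; for real use you would replace that with your own site's host and port.

```python
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode


def benchmark(host, url, params=None, runs=30, port=80, timeout=10):
    """GET host:port/url?params `runs` times and collect the numbers the post lists."""
    if runs < 1:
        raise ValueError("runs must be at least 1")
    query = "?" + urlencode(params) if params else ""
    sizes, latencies, totals = [], [], []
    status = reason = None
    for _ in range(runs):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        t0 = time.perf_counter()
        conn.request("GET", url + query, headers={"Connection": "close"})
        resp = conn.getresponse()          # returns once status line and headers have arrived
        latencies.append(time.perf_counter() - t0)
        body = resp.read()                 # the page body itself
        totals.append(time.perf_counter() - t0)
        sizes.append(len(body))
        status, reason = resp.status, resp.reason   # last message from the web server
        conn.close()
    return {
        "runs": runs,
        "avg_size": sum(sizes) / runs,          # average page size in bytes
        "avg_latency": sum(latencies) / runs,   # time from request to first header byte
        "total_time": sum(totals),
        "min_time": min(totals),
        "max_time": max(totals),
        "status": status,
        "reason": reason,
    }


# --- constructed local target so the script runs offline ---------------------
SAMPLE_BODY = b"<html><body>constructed sample page</body></html>"


class _SampleHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(SAMPLE_BODY)))
        self.end_headers()
        self.wfile.write(SAMPLE_BODY)

    def log_message(self, *args):   # keep the console quiet
        pass


def start_sample_server():
    """Start the sample server on a free localhost port; returns the server object."""
    srv = HTTPServer(("127.0.0.1", 0), _SampleHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_sample_server()
    # the post's parameters, pointed at the local sample server instead of host.de
    result = benchmark("127.0.0.1", "/osc-22/index.php",
                       {"products_id": "7", "test": "2636"},
                       runs=30, port=srv.server_address[1])
    srv.shutdown()
    print("average page size : %.0f bytes" % result["avg_size"])
    print("average latency   : %.4f s" % result["avg_latency"])
    print("total time        : %.4f s" % result["total_time"])
    print("min / max         : %.4f s / %.4f s" % (result["min_time"], result["max_time"]))
    print("last server reply : %s %s" % (result["status"], result["reason"]))
```

Each run opens a fresh connection with Connection: close, like the PHP class does, so the numbers include connection setup; that is the right thing to measure when comparing two versions of the same page, but not if you only want to compare PHP function speed in isolation.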