PHP SAFE UPLOAD: New anti-shell idea (maybe)


    I had an idea to secure the upload via PHP code. Can you try to break my test site (no htaccess protection): Upload Here Shells:>, to let me know if this protection actually works.


    Protection Class Source Code:

    PHP Code:
    <?php

    //@package Simple safe-upload
    //@author: Ionutxp
    //@email: ionut_gerrard@yahoo.com

    class SafeUpload
    {
       // Directory (relative to this script) where uploads are copied
       const upload_to = 'safe';

       // Strings searched for in the HTTP response of the uploaded file
       private $disalowed_tags = array('<html>', '<head>', 'href', '<td>', '<table>',
          '<div', '<b>', 'function');
       public $curent_location = null;

       public function __construct($location)
       {
          $this->curent_location = $location;
          if (count($_FILES) > 0)
          {
             foreach ($_FILES as & $file)
             {
                // Every upload is copied to safe/<random number>.php
                $goto = self::upload_to . '/' . mt_rand(1000000, 9999999) . '.php';
                if (copy($file['tmp_name'], $goto))
                {
                   self::check_file($goto);
                }
             }
             return;
          }
       }
       // Request the given URL and return the response body
       private function call_curl($goto)
       {
          $curl = curl_init();
          curl_setopt($curl, CURLOPT_URL, $goto);
          curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
          $webrep = curl_exec($curl);
          curl_close($curl);
          return $webrep;
       }
       // Fetch the copied file over HTTP, scan the response, then delete the copy
       private function check_file($url)
       {
          $content = $this->call_curl($this->curent_location . '/' . $url);
          foreach ($this->disalowed_tags as $val)
          {
             if (substr_count($content, $val) > 0 && substr_count($content, 'syntax error') == 0)
             {
                echo 'This site is protected.';
                unset($_FILES);
                break;
             }
          }
          unlink($url);
       }
    }

    $safe = new SafeUpload('http://mytester.host.org/'); // path to your uploader
    ?>
    And a demo in attachment.
    <?php unlink('World/Europe/Romania.country'); ?>

    #2
    Originally posted by i0nutzxp
    I had an idea to secure the upload via PHP code. Can you try to break my test site (no htaccess protection): Upload Here Shells:>, to let me know if this protection actually works.
    This is secured against uploading shells, etc...
    How about against execution?
    It's better to keep your mouth shut and give the impression that you're stupid, than to open it and remove all doubt.
    ⓣⓗⓔ ⓠⓤⓘⓔⓣⓔⓡ ⓨⓞⓤ ⓑⓔ©ⓞⓜⓔ, ⓣⓗⓔ ⓜⓞⓡⓔ ⓨⓞⓤ ⓐⓡⓔ ⓐⓑⓛⓔ ⓣⓞ ⓗⓔⓐⓡ !
    ιη тнєσяу, тнє ρяα¢тι¢є ιѕ α яєѕυℓт σƒ тнє тнєσяу, вυт ιη ρяα¢тι¢є ιѕ тнє σρρσѕιтє.
    キノgんイノ刀g 4 ア乇ムc乇 ノ丂 レノズ乇 キucズノ刀g 4 √ノ尺gノ刀ノイリ!



      #3
      I found some holes... tomorrow I'll post an updated version :D (and if you can stop uploading a virused file, you won't need to disallow executing those files..)
      <?php unlink('World/Europe/Romania.country'); ?>



        #4
        It's not safe for shell... maybe try to recode that uploader

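For the "recode that uploader" suggestion and the execution question raised in the replies: the class in the first post copies each upload to a `.php` file and requests it over HTTP, so the upload runs on the server before it is checked. The following is an added example (not code from any poster in this thread) that never stores or requests an upload as PHP; the storage path, size limit and allowed types are assumptions.

```php
<?php
// Added example, not code from this thread. UPLOAD_DIR, MAX_BYTES and the
// ALLOWED list are assumptions chosen for illustration.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/uploads';     // assumed path outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;    // assumed size limit (2 MiB)
const ALLOWED    = [                   // detected MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // Multi-file inputs (name="f[]") make 'error' an array and are rejected here.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Accept only files PHP itself received in this POST request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Type comes from the file contents; the client-supplied name and
    // $file['type'] are never used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-chosen random name with a fixed, non-script extension, stored
    // outside the document root, so the file is never requested as PHP.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0640);
    return $name;
}

foreach ($_FILES as $file) {
    try {
        echo 'Stored as ', store_upload($file), "\n";
    } catch (RuntimeException $e) {
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```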


          #5
          I had made an anti-hack uploader