Protection

    Here are some ways to protect yourself against hackers using shells, and some different methods.
    PHP Code:
    ///////////////////// Anti SQL injection through the Browser
    // Note: the mysql_* extension used here was removed in PHP 7; on current PHP use mysqli or PDO.
    function connectdb()
    {
        global $dbname, $dbuser, $dbhost, $dbpass;

        $conms = @mysql_connect($dbhost, $dbuser, $dbpass); // connect to MySQL
        if (!$conms) return false;

        $condb = @mysql_select_db($dbname);
        if (!$condb) return false;

        // Escape the browser headers before they are used in any query.
        // $HTTP_USER_AGENT / $HTTP_X_DEVICE_USER_AGENT are the register_globals copies of the
        // $_SERVER entries (undefined when register_globals is off); $_SERVER itself is a
        // superglobal and needs no "global" declaration.
        global $HTTP_USER_AGENT, $HTTP_X_DEVICE_USER_AGENT;

        $HTTP_USER_AGENT = mysql_real_escape_string($HTTP_USER_AGENT);
        $HTTP_X_DEVICE_USER_AGENT = mysql_real_escape_string($HTTP_X_DEVICE_USER_AGENT);
        $_SERVER["HTTP_USER_AGENT"] = mysql_real_escape_string($_SERVER["HTTP_USER_AGENT"]);
        $_SERVER["HTTP_X_DEVICE_USER_AGENT"] = mysql_real_escape_string($_SERVER["HTTP_X_DEVICE_USER_AGENT"]);

        return true;
    }


    PHP Code:
    ///////////////////// Anti-Shell
    class secure
    {
        // array_walk callback: rewrites $_GET[$key] in place
        function secureSuperGlobalGET(&$value, $key)
        {
            $_GET[$key] = htmlspecialchars(stripslashes($_GET[$key]));
            $_GET[$key] = str_ireplace("shell", "blocked", $_GET[$key]);
            $_GET[$key] = mysql_real_escape_string($_GET[$key]); // needs an open mysql_* connection
            return $_GET[$key];
        }

        // array_walk callback: rewrites $_POST[$key] in place
        function secureSuperGlobalPOST(&$value, $key)
        {
            $_POST[$key] = htmlspecialchars(stripslashes($_POST[$key]));
            $_POST[$key] = str_ireplace("shell", "blocked", $_POST[$key]);
            $_POST[$key] = mysql_real_escape_string($_POST[$key]);
            return $_POST[$key];
        }

        // Apply the two callbacks to every GET and POST parameter
        function secureGlobals()
        {
            array_walk($_GET, array($this, "secureSuperGlobalGET"));
            array_walk($_POST, array($this, "secureSuperGlobalPOST"));
        }
    }

    PHP Code:
    ///////////////////////// Browser & IP Injection
    // getip() is assumed to be defined elsewhere in the application (it is not shown in this post).
    $brws = explode(" / ", $HTTP_USER_AGENT);
    $cerere_server = $_SERVER["REQUEST_URI"];
    if (ciuflea_injection_2($brws[0]) || ciuflea_injection_2($cerere_server) || ciuflea_injection_2(getip())) {
        require("detectare_injectii_sql.html");
        exit();
    }

    // Returns true when the request contains one of the blacklisted fragments
    function ciuflea_injection_2($cerere)
    {
        $text = "$cerere";
        $sfil[0] = "drop";
        $sfil[1] = "perm";
        $sfil[2] = "'";
        $sfil[3] = "validated";
        $sfil[4] = "update";
        $sfil[5] = "drop";
        $sfil[6] = "empty";
        $sfil[7] = "union";
        $sfil[8] = "md665";
        $sfil[9] = "plusses";
        $sfil[10] = "_users";
        $sfil[11] = "ciufleachat_";
        $text = str_replace(" ", "", $text); // remove spaces before matching
        $text = strtolower($text);
        for ($i = 0; $i < count($sfil); $i++) {
            $nosf = substr_count($text, $sfil[$i]);
            if ($nosf > 0) {
                return true;
            }
        }
        return false;
    }

    I hope these little protections are useful.
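
As an added example (not code from this thread), here is the same "log the browser" job that connectdb() and the User-Agent escaping above do, but with PDO prepared statements, which keep the header data separate from the SQL instead of relying on mysql_real_escape_string() and a keyword blacklist like ciuflea_injection_2() (which also blocks legitimate input containing "update" or "drop"). The visits table, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the thread: the "log the browser" case of connectdb()
// above, with PDO prepared statements instead of mysql_real_escape_string().
// Assumes a table visits(user_agent, request_uri, ip, seen_at); the DSN and
// credentials are placeholders.
declare(strict_types=1);

function connectdb(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASS_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: data never becomes SQL
        ]
    );
}

// Stores the headers exactly as received. Because the values travel as bound
// parameters, a User-Agent containing a quote or "UNION SELECT" is only text.
function logVisit(PDO $pdo, array $server): int
{
    $ua  = mb_strcut((string)($server['HTTP_USER_AGENT'] ?? ''), 0, 512, 'UTF-8');
    $uri = mb_strcut((string)($server['REQUEST_URI'] ?? ''), 0, 2048, 'UTF-8');
    $ip  = (string)($server['REMOTE_ADDR'] ?? '');
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = '0.0.0.0'; // validate what has a fixed format instead of escaping it
    }
    $stmt = $pdo->prepare(
        'INSERT INTO visits (user_agent, request_uri, ip, seen_at) VALUES (:ua, :uri, :ip, NOW())'
    );
    $stmt->execute([':ua' => $ua, ':uri' => $uri, ':ip' => $ip]);
    return (int) $pdo->lastInsertId();
}

// Encoding belongs at output time, per context; here for an HTML page.
function showUserAgent(string $ua): string
{
    return htmlspecialchars($ua, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$pdo = connectdb();
logVisit($pdo, $_SERVER);
echo 'Your browser: ' . showUserAgent((string)($_SERVER['HTTP_USER_AGENT'] ?? ''));
```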

    #2
    Nice share.

    This is my share.

    PHP Code:
    // Run clean() over every value in the request superglobals ($_SESSION needs session_start() first)
    $GET_KEY = array_keys($_GET);
    $POST_KEY = array_keys($_POST);
    $COOKIE_KEY = array_keys($_COOKIE);
    $SERVER_KEY = array_keys($_SERVER);
    $SESSION_KEY = array_keys($_SESSION);
    for ($i = 0; $i < count($GET_KEY); $i++) {
        $_GET[$GET_KEY[$i]] = clean($_GET[$GET_KEY[$i]]);
    }
    for ($i = 0; $i < count($POST_KEY); $i++) {
        $_POST[$POST_KEY[$i]] = clean($_POST[$POST_KEY[$i]]);
    }
    for ($i = 0; $i < count($COOKIE_KEY); $i++) {
        $_COOKIE[$COOKIE_KEY[$i]] = clean($_COOKIE[$COOKIE_KEY[$i]]);
    }
    for ($i = 0; $i < count($SERVER_KEY); $i++) {
        $_SERVER[$SERVER_KEY[$i]] = clean($_SERVER[$SERVER_KEY[$i]]);
    }
    for ($i = 0; $i < count($SESSION_KEY); $i++) {
        $_SESSION[$SESSION_KEY[$i]] = clean($_SESSION[$SESSION_KEY[$i]]);
    }

    // Trims, undoes magic quotes and escapes for MySQL; needs an open mysql_* connection
    function clean($str) {
        $str = @trim($str);
        if (get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

    // ereg_replace was removed in PHP 7; preg_replace('/[^0-9]/', '', ...) is the equivalent
    $get = ereg_replace("[^0-9]", "", $_GET["get"]);    // to get numbers only
    $get = ereg_replace("[^a-zA-Z]", "", $_GET["get"]); // to get letters only
    .htaccess

    PHP Code:
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>

    #REWRITE MOD
    Options +FollowSymlinks
    RewriteEngine on

    # Rule #3a - Redirect to www
    RewriteCond %{HTTP_HOST} ^aspirewap.net [NC]
    RewriteRule ^(.*)$ http://www.aspirewap.net/$1 [R=301,L]

    # Rule #4a - Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

    # Rule #4b - Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

    # Rule #4c - Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]

    # Rule #4d - Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})

    # Rule #4e - Send all blocked requests to homepage with 403 Forbidden error!
    RewriteRule ^(.*)$ index.php [F,L]

    #
    # Prevent XSS attacks
    #

    RewriteCond %{QUERY_STRING} http://([a-zA-Z0-9_\-]*) [NC,OR]
    RewriteCond %{QUERY_STRING} http:/([a-zA-Z0-9_\-]*) [NC,OR]
    RewriteCond %{QUERY_STRING} cmd= [NC,OR]
    RewriteCond %{QUERY_STRING} &cmd [NC,OR]
    RewriteCond %{QUERY_STRING} exec [NC,OR]
    RewriteCond %{QUERY_STRING} execu [NC,OR]
    RewriteCond %{QUERY_STRING} concat [NC]
    RewriteRule ^.* - [F]

    #
    # Prevent SQL injections
    #

    RewriteCond %{QUERY_STRING} UNION([%20\ /\*+]*)ALL([%20\ /\*+]*)SELECT [NC,OR]
    RewriteCond %{QUERY_STRING} UNION([%20\ /\*+]*)SELECT [NC,OR]
    RewriteCond %{QUERY_STRING} /\* [NC,OR]
    RewriteCond %{QUERY_STRING} \*/ [NC]
    RewriteRule ^.* - [F]
    I'm still a newbie. Hope this code can be used.
    Visit my WEBSITE Project: http://www.aspirewap.net



      #3
      Good code. But do you have a .htaccess anti-upload-shell code that works without a control panel? I have tried many codes but none were good.
      If you have any code, please post it here.

      Added after 11 minutes:

      Thanks, the code to be put in .htaccess is quite useful.
      Last edited by ionutz; 16.02.12, 08:39.



        #4
        Originally posted by ionutz
        Good code. But do you have a .htaccess anti-upload-shell code that works without a control panel? I have tried many codes but none were good.
        If you have any code, please post it here.

        Added after 11 minutes:

        Thanks, the code to be put in .htaccess is quite useful.
        Shell? Just save uploaded files outside the root. A shell can't be executed there.
        Visit my WEBSITE Project: http://www.aspirewap.net



          #5
          Thanks, but I put the code you posted in the .htaccess file ;)



            #6
            Originally posted by ionutz
            Thanks, but I put the code you posted in the .htaccess file ;)
            But a shell executes outside of your code :D

            For uploaded files, try renaming them and downloading them through a PHP file.

            PHP Code:
            // $ext, $name and $file[source] are set earlier by the application (not shown in the post)
            header("Pragma: public"); // required
            header("Expires: 0");
            header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
            header("Cache-Control: private", false); // required for certain browsers
            header("Content-Type: $ext");
            header("Content-Disposition: attachment; filename=" . basename($name) . ";");
            header("Content-Transfer-Encoding: binary");
            header("Content-Length: " . @filesize("download/$file[source]"));
            @readfile("download/$file[source]") or die("file not found.");
            die();
            Keep your download folder and filename unknown.
            Last edited by m4ster_v4; 16.02.12, 11:38.
            Visit my WEBSITE Project: http://www.aspirewap.net
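
An added example (not m4ster_v4's code) of the approach in this reply: uploads saved under a random name outside the document root and served by an opaque id through a PHP endpoint, with a realpath check that the resolved file stays inside the upload directory. The id-to-file lookup, the /var/app/uploads path and the sample record are assumptions.

```php
<?php
// Added example, not m4ster_v4's code: serves uploads that were stored under a
// random name outside the document root, looked up by an opaque id. The
// UPLOAD_DIR path and the id -> file record below are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads'; // outside DocumentRoot, so the web server never executes a file in it

// Constructed sample record; a real application loads it from its database.
function lookupFile(string $id): ?array
{
    $records = [
        'f7c3e2a1' => ['stored' => 'f7c3e2a1.bin', 'name' => 'report.pdf', 'mime' => 'application/pdf'],
    ];
    return $records[$id] ?? null;
}

// Resolves the stored name and confirms the result is still inside UPLOAD_DIR.
function resolveUpload(string $stored): ?string
{
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $stored);
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // a record pointing outside the directory is treated as missing
    }
    return is_file($path) ? $path : null;
}

function sendDownload(string $id): void
{
    $meta = preg_match('/^[a-f0-9]{8}$/', $id) === 1 ? lookupFile($id) : null;
    $path = $meta !== null ? resolveUpload($meta['stored']) : null;
    if ($meta === null || $path === null) {
        http_response_code(404);
        exit('file not found.');
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $meta['name']);
    header('Content-Type: ' . $meta['mime']);            // from the stored record, not the request
    header('X-Content-Type-Options: nosniff');            // stop browsers from guessing a script type
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

sendDownload((string)($_GET['id'] ?? ''));
```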



              #7
              So you need to put the PHP code you posted in the .htaccess file?
