mobilezonez uploader issue fixed



    OK, I've remade the uploader script for the mobile zonez community script.
    This new version will stop any attempts to upload PHP files; more file types can be added.
    A PHP upload attempt is blocked and reported to the mod CP.
    All staff are sent an inbox from ID 1 in the users database warning them to deal with it.
    The PHP file extension is also renamed as it is uploaded, to be hidden from the hacker if the file succeeds
    (WHICH IT WON'T).
    -------------------------------------
    If you like my work please say thanks and I might provide more updates soon.

    Don't Ask Me Dumb Questions. Or you'll get a Dumb Answer..
    Want A Professional Logo or Theme For Your wap site? PM Me. If I Have The Time I'll Make It For Free


    #2
    Originally posted by ozziemale31
    http://magikfonez.com/uploader.rar
    OK, I've remade the uploader script for the mobile zonez community script.
    This new version will stop any attempts to upload PHP files; more file types can be added.
    A PHP upload attempt is blocked and reported to the mod CP.
    All staff are sent an inbox from ID 1 in the users database warning them to deal with it.
    The PHP file extension is also renamed as it is uploaded, to be hidden from the hacker if the file succeeds
    (WHICH IT WON'T).
    -------------------------------------
    If you like my work please say thanks and I might provide more updates soon.

    If you give it in .zip I am very happy.


      #3
      Inbox me your email ID and I'll zip it for you to your email.


        #4
        Originally posted by ozziemale31
        http://magikfonez.com/uploader.rar

        OK, I've remade the uploader script for the mobile zonez community script.
        This new version will stop any attempts to upload PHP files; more file types can be added.
        A PHP upload attempt is blocked and reported to the mod CP.
        All staff are sent an inbox from ID 1 in the users database warning them to deal with it.
        The PHP file extension is also renamed as it is uploaded, to be hidden from the hacker if the file succeeds
        (WHICH IT WON'T).
        -------------------------------------
        If you like my work please say thanks and I might provide more updates soon.

        Thanks m8.. but who would want to upload PHP directly with the php extension or another executable ext? Noob hacker.. :D
        Sure they will upload it with a different name. Try to hide your file location. Rename the file using a random name and change the header file with another name.
        Make sure they don't know where the file is and what its name is.

        Good Luck.
        Visit my WEBSITE Project: http://www.aspirewap.net


          #5
          I downloaded it. Is it 3kb only?


            #6
            Originally posted by Pavan
            I downloaded it. Is it 3kb only?

            Yeah, it's just the /share folder, upload.php & php.ini file.


              #7
              Like I said, it can be modded to hide other file types.
              PHP Code:
              // example: line 98, modify it here
              // fragment: each line continues the call already open on line 98, one variant per file type
              ,'',str_replace(array(' ','%20',"'","php"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
              ,'',str_replace(array(' ','%20',"'","xhtml"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
              ,'',str_replace(array(' ','%20',"'","wml"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
              ,'',str_replace(array(' ','%20',"'","asp"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
              ,'',str_replace(array(' ','%20',"'","jar.php"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
              As you can see, you can mod it to stop any of those file types being executed.
              Last edited by ozziemale31; 01.06.11, 13:05.


                #8
                Originally posted by ozziemale31
                Like I said, it can be modded to hide other file types.
                PHP Code:
                // example: line 98, modify it here
                // fragment: each line continues the call already open on line 98, one variant per file type
                ,'',str_replace(array(' ','%20',"'","php"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
                ,'',str_replace(array(' ','%20',"'","xhtml"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
                ,'',str_replace(array(' ','%20',"'","wml"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
                ,'',str_replace(array(' ','%20',"'","asp"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
                ,'',str_replace(array(' ','%20',"'","jar.php"),array('_','_',"","imahackeridiotwhotriedtouploadaphpfile"),$superdat_name));
                As you can see, you can mod it to stop any of those file types being executed.

                That's not what I mean actually... the point is about the filename.. not the extension...

                But it's okay if you did it like that.. nice work m8..

                Thanks for the idea..


                  #9
                  riders

                  The reason for that: if you find a file with the extension changed, you know it is a shell script that got through but was not executed, which you can reuse to attack back lol. So unknowingly the hacker or noob hacker who uses a shell is giving you the tools to take revenge back on their site.

                  Added after 5 minutes:

                  Here you go riders, the orig zonez script from the last remake, includes SQL.
                  Last edited by ozziemale31; 02.06.11, 01:07.


                    #10
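                    Agree with masterv4, there's many other ways to upload a shell..
                    Try this

                    // getext() is not a PHP built-in; assumed to be the script's own helper
                    // that returns the extension without the leading dot
                    $ext = getext($file_name);
                    $md5 = md5($file_name);
                    $new_file_name = $md5 . "." . $ext;


                    Uploaded image will be something like ---> 1d4b49eb8c15955d6fd83d8d137a9f68.jpg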

                    Comment
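
The replies above argue that filtering substrings out of the file name is not enough and that stored files should get names the uploader cannot guess. As an added example (not part of this thread or of the uploader.rar script), one defensive way to handle an upload in PHP 7.1+: allowlist the extension, check the detected content type, and store under a random name. `store_upload()`, `ALLOWED_TYPES` and the `/var/uploads` path are hypothetical names chosen for illustration.

```php
<?php
// Added example; store_upload(), ALLOWED_TYPES and /var/uploads are assumptions.

const ALLOWED_TYPES = [      // extension => MIME type the content must match
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

/**
 * Validate one entry of $_FILES and store it under a random name.
 * Returns the stored file name, or null when the upload is rejected.
 */
function store_upload(array $file, string $storeDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // Allowlist on the final extension: "x.jar.php" yields "php" and is refused,
    // as is every type not listed, without naming each bad type in a blocklist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }

    // Detect the type from the bytes, not from the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;
    }

    // Random name: a hash of the submitted name can be recomputed by the uploader.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;

    // A valid image can still carry embedded code, so the content check is not
    // the only control: the stored name always ends in an allowlisted extension
    // and $storeDir must be outside the web root or have script execution disabled.
    if (!move_uploaded_file($file['tmp_name'], $storeDir . '/' . $name)) {
        return null;
    }
    return $name;
}

$stored = isset($_FILES['file']) ? store_upload($_FILES['file'], '/var/uploads') : null;
```

Files stored this way are best served back through a script that sets the `Content-Type` from the allowlist, so the random name never maps to a directly requestable URL.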


                      #11
                      I've merged a shell into an actual jpg file; all the people see is the image but not what the shell is doing. So there is a loophole in any script to grab a session ID.
                      There's ways of doing it using Linux.


                        #12
                        It is not 100% secure dear, you can use a random string and add the function unlink to all else upload.


                          #13
                          I've yet to see it be hacked. It's secure against the noobs who use a shell; it's mostly noobs who do it anyway. A few of you are just making assumptions your theory will work. Put it into practice, then come back and post the results. If you think you can use the random string, try it and see how far you get on the script before making such comments on people's work. Simply, if you don't like it don't use it. And if you say you can hack it, post the proof before making your comments. Until such proof isn't provided, your words are just theories.
                          Last edited by ozziemale31; 03.06.11, 23:05.


                            #14
                            I need a zip uploader too, thanks.