Iframe Injection


    Iframe Injection

    hello.. my site just got an iframe injection... who knows how to prevent it from happening by a hacker?
    our life is simple words....
    http://mygenkz.net
    ewanz06@yahoo.com
    PHP Code:
    $output = "i am NOoob....";
    $newfile = "ewanz.txt";
    $file = fopen($newfile, "w");   // open (or create) the file for writing
    fwrite($file, $output);
    fclose($file);

    #2
    Code:
    // blacklist check: rejects the message if any listed tag fragment (or any bare < or >) appears
    if(preg_match("(<script|<about|<applet|<iframe|<activex|<chrome|<object|>|<|<a|<img|/>|;|')", $message)) {
        $message = 'Contains illegal tags.';
    }
    Visit: Chat4u.mobi - The New Lay Of being a site of your dreams!
    Visit: WapMasterz Coming Back Soon!
    _______
    SCRIPTS FOR SALE BY SUBZERO
    Chat4u Script : coding-talk.com/f28/chat4u-mobi-script-only-150-a-17677/ - > Best Script for your site no other can be hacked by sql or uploaders.
    FileShare Script : coding-talk.com/f28/file-wap-share-6596/ -> Uploader you will never regret buying yeah it mite be old now but it still seems to own others...
    _______
    Info & Tips
    php.net
    w3schools.com



      #3
      How to use this code, SubZero (may I call you UnderZero :p)?
      mysterio.al - programming is a functional art



        #4
        Change $message to your text or main script.


          #5
          Good stuff, Sub, but in reality those regular expressions can be bypassed easily with a little sense. Just use htmlentities or htmlspecialchars, or to be completely sure strip_tags. If you must use regex or something like that, specify a whitelist, NEVER a blacklist.

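Added example, not code from any poster in this thread: the blacklist check from post #2 beside the output-encoding and whitelist approaches recommended in post #5, run over two constructed shouts. The iframe URL and the allowed-tag list are assumptions.

```php
<?php
// Added example (not from the thread): blacklist check vs. output encoding.

// Post #2 style: reject anything that looks like a tag. Because the pattern
// also contains bare "<" and ">", it rejects harmless text as well, and a
// blacklist only ever covers the tag spellings its author thought of.
function blacklist_check(string $message): string
{
    if (preg_match("(<script|<about|<applet|<iframe|<activex|<chrome|<object|>|<|<a|<img|/>|;|')", $message)) {
        return 'Contains illegal tags.';
    }
    return $message;
}

// Post #5 style: store the raw text and encode it when rendering. Every
// character that can open a tag or attribute becomes an HTML entity, so the
// browser shows it as text instead of parsing it as markup.
function render_shout(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Whitelist variant: keep only the tags the shoutbox should allow (assumed
// list). strip_tags leaves attributes on the allowed tags untouched, so it
// still needs encoding or a real HTML sanitizer before output is trusted.
function strip_to_whitelist(string $message): string
{
    return strip_tags($message, '<b><i>');
}

// Constructed samples: a harmless shout and an injected hidden iframe of the
// kind the original poster found in his pages (URL is a placeholder).
$samples = [
    'price < 100 && score > 5 ;)',
    '<iframe src="http://evil.example/" width="0" height="0"></iframe> hi',
];

foreach ($samples as $s) {
    echo "blacklist: ", blacklist_check($s), "\n";
    echo "encoded:   ", render_shout($s), "\n";
    echo "whitelist: ", strip_to_whitelist($s), "\n\n";
}
```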


            #6
            Originally posted by subzero:
            Code:
            if(preg_match("(<script|<about|<applet|<iframe|<activex|<chrome|<object|>|<|<a|<img|/>|;|')", $message)) {  
            $message = 'Contains illegal tags.';  
            }
            Just put this code in the shout, chat, PM and forum post parts... is it true?


              #7
              Originally posted by mobileGIGS:
              Good stuff, Sub, but in reality those regular expressions can be bypassed easily with a little sense. Just use htmlentities or htmlspecialchars, or to be completely sure strip_tags. If you must use regex or something like that, specify a whitelist, NEVER a blacklist.

              This iframe injection was posted by some malware or malicious code that bypassed FTP from the PC... is it true?


                #8
                I cleared all my scripts in the file manager, then I changed the FTP, database and cPanel passwords; that iframe has not come back in my script...


                  #9
                  You can use it for file hosting or anything to do with input.


                    #10
                    You mean put it anywhere in the text post part?


                      #11
                      As long as you change $message to what you want it to be.


                        #12
                        Code:
                        $shtxt = $shtxt;
                        // blacklist check copied from post #2, applied to the shout text
                        if(preg_match("(<script|<about|<applet|<iframe|<activex|<chrome|<object|>|<|<a|<img|/>|;|')", $shtxt)) {
                            $shtxt = 'Contains illegal tags.';
                        }
                        //$uid = getuid_sid($sid);
                        $shtm = time();
                        // the shout text is concatenated directly into the SQL string (see the escaping discussion in the later posts)
                        $res = mysql_query("INSERT INTO ibwf_shouts SET shout='".$shtxt."', shouter='".$uid."', shtime='".$shtm."'");
                        if($res) { /* success handling, not shown in the post */ }

                        I changed it... is it right?


                          #13
                          Preventing SQL Injection with PHP

                          When you start working with dynamic websites, and therefore with data retrieved from a database, you always want to make sure your script is safe. $_POST and $_GET variables are simple to adjust in scripts and URLs. Prevent SQL injection by using a script like this one. It checks whether magic_quotes_gpc is enabled or not. If it is, it won't have to add the escaping slashes in front of each quote or double quote. You don't want two slashes in front of it when it is enabled.
                          Code:
                          function:
                          <?php
                          function mysql_prepare( $value ) {
                              $magic_quotes_active = get_magic_quotes_gpc();
                              $new_enough_php = function_exists( "mysql_real_escape_string" );
                              if( $new_enough_php ) { // PHP v4.3.0 or higher
                                  if( $magic_quotes_active ) { $value = stripslashes( $value ); } // undo magic quotes so the value is not escaped twice
                                  $value = mysql_real_escape_string( $value );
                              } else { // before PHP v4.3.0
                                  if( !$magic_quotes_active ) { $value = addslashes( $value ); }
                              }
                              return $value;
                          }
                          ?>
                          Code:
                          example:
                          <?php
                          $id = mysql_prepare($_GET['id']);
                          // the escaped value must sit inside quotes: escaping only neutralises
                          // quote characters, so an unquoted comparison would stay injectable
                          $query = "SELECT * FROM pages WHERE id = '".$id."'";
                          mysql_query($query);
                          ?>
                          use this idea, works fine.
                          http://ngeo.ro



                            #14
                            Originally posted by ewanz:
                            I cleared all my scripts in the file manager, then I changed the FTP, database and cPanel passwords; that iframe has not come back in my script...
                            Check your DB, it might have been injected ages ago. And blackhowk, you're wrong to use magic quotes in place of mysql escape. Magic quotes are by all means bypassable. Magic quotes should be a last resort. Check this.

                            PHP Code:
                            function dbParse($input){
                                // undo magic quotes first so the value is not escaped twice
                                if(get_magic_quotes_gpc()) $input = stripslashes($input);
                                // prefer the connection-aware escape, fall back to older functions
                                if(function_exists('mysql_real_escape_string')){
                                    $input = mysql_real_escape_string($input);
                                }elseif(function_exists('mysql_escape_string')){
                                    $input = mysql_escape_string($input);
                                }else{
                                    $input = addslashes($input);
                                }
                                return $input;
                            }

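Added example, not code from anyone in the thread: the shout INSERT from post #12 redone with a mysqli prepared statement, which is the modern replacement for the mysql_real_escape_string wrappers in posts #13 and #14. Table and column names are the ones in post #12; the connection details are placeholders and mysqlnd is assumed for get_result().

```php
<?php
// Added example, not from the thread. Parameters are sent separately from
// the SQL text, so a quote inside the shout can never terminate the literal
// and no escaping / magic_quotes handling is needed on this path.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function save_shout(mysqli $db, string $shtxt, int $uid): bool
{
    // Same table and columns as the INSERT in post #12.
    $stmt = $db->prepare(
        'INSERT INTO ibwf_shouts (shout, shouter, shtime) VALUES (?, ?, ?)'
    );
    $shtm = time();
    $stmt->bind_param('sii', $shtxt, $uid, $shtm); // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function load_shouts(mysqli $db, int $limit = 20): array
{
    // Numeric values are bound too: no "WHERE id = $id" style concatenation,
    // which escaping functions cannot protect because there are no quotes.
    $stmt = $db->prepare(
        'SELECT shout, shouter, shtime FROM ibwf_shouts ORDER BY shtime DESC LIMIT ?'
    );
    $stmt->bind_param('i', $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

// Placeholder connection details (assumption); replace with the site's own.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
$db->set_charset('utf8mb4'); // client charset must match the server's

// Constructed input: a shout with a quote and an iframe tag. It is stored
// verbatim and made harmless only at display time, as post #5 recommends.
save_shout($db, "it's a test <iframe src=\"about:blank\"></iframe>", 42);
foreach (load_shouts($db) as $row) {
    echo htmlspecialchars($row['shout'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```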


                              #15
                              You're right, Gigs, I think I rushed the explanation.
                              http://ngeo.ro
