[WARNING]Don't use Vsro Reg page v2

LastThief* · 03/09/2012, 07:50

Hey guys title said it all don't even try to use reg page mentioned in that link.

I've just checked the security of it actually the thing with ctype_alnum is that it isn't an escape function to prevent sql injection. It is a function to validate alphanumeric strings. To escape strings for using in queries you need anti injection function.

An important distinction you have to understand is the one between input validation and escaping of data for use in a database query.

You can even execute shells through it.

Don't say that my server is hacked and you're using this register page because you will get ****** with it anyway.

Ciao,
Thief

™_Bassm_™ · 03/09/2012, 09:59

Thx alot

~~Last Hell~~ · 03/09/2012, 12:12

thanks for warrning us

PortalDark · 03/09/2012, 12:18

thnx for the warn

~~•ᵔBeGodOfWarᵔ•~~ · 03/09/2012, 13:01

Quote:

Originally Posted by PortalDark

thnx for the warn

press thanks button better than ( thnx / thx / awesome / etc. )
btw ThEliteEyes you should update your webpage

PortalDark · 03/09/2012, 13:31

Quote:

Originally Posted by •ᵔBeGodOfWarᵔ•

press thanks button better than ( thnx / thx / awesome / etc. )
btw ThEliteEyes you should update your webpage

im not expressing a thnx that pressing the thnx button can express
i dont have server or webpage based on this one, im just saying thnx for the tip
nothing more
but i press thnx button, if that makes you feel better

ThElitEyeS · 03/09/2012, 22:28

maybe show us example and i will release hotfix

LastThief* · 03/09/2012, 22:35

Quote:

Originally Posted by ThElitEyeS

maybe show us example and i will release hotfix

Not maybe I'm sure ofc I won't say how to exploit it in public but trust me ctype_alnum is not for cleaning variable use better anti injection function

PortalDark · 03/09/2012, 22:38

Quote:

Originally Posted by LastThief*

Not maybe I'm sure ofc I won't say how to exploit it in public but trust me ctype_alnum is not for cleaning variable use better anti injection function

talk in pm with him, is better, at least to avoid this going out public
you already said you can execute shells via this, so thats a tip, ppl, consider the basic part XD

Schickl · 03/09/2012, 22:44

...

ThElitEyeS · 03/09/2012, 22:44

you can use only a-z A-Z also there add slashes.
show me example and as i said ill release hotfix

LastThief* · 03/09/2012, 22:48

Quote:

Originally Posted by ThElitEyeS

you can use only a-z A-Z also there add slashes.
show me example and as i said ill release hotfix

it seems like some one told people before me and I didn't even notice but yea shickl explained it well

Schickl · 03/09/2012, 22:48

Quote:

Originally Posted by ThElitEyeS

you can use only a-z A-Z also there add slashes.
show me example and as i said ill release hotfix

and as I said in my post the query i posted there is always executed and backslashes don't escape ' in mssql

LastThief* · 03/09/2012, 22:52

ctype_alnum is actually fail use something like this

PHP Code:



    function ms_escape_string($data)
    {
        if (!isset($data) or empty($data))
            return '';
        if (is_numeric($data))
            return $data;
        
        $non_displayables = array(
            '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15
            '/%1[0-9a-f]/', // url encoded 16-31
            '/[\x00-\x08]/', // 00-08
            '/\x0b/', // 11
            '/\x0c/', // 12
            '/[\x0e-\x1f]/' // 14-31
        );
        foreach ($non_displayables as $regex)
            $data = preg_replace($regex, '', $data);
        $data = str_replace("'", "''", $data);
        return $data;
    }

to escape the data before sending it

Schickl · 03/09/2012, 23:13

Quote:

Originally Posted by LastThief*

ctype_alnum is actually fail use something like this

PHP Code:

function ms_escape_string($data) { if (!isset($data) or empty($data)) return ''; if (is_numeric($data)) return $data; $non_displayables = array( '/%0[0-8bcef]/', // url encoded 00-08, 11, 12, 14, 15 '/%1[0-9a-f]/', // url encoded 16-31 '/[\x00-\x08]/', // 00-08 '/\x0b/', // 11 '/\x0c/', // 12 '/[\x0e-\x1f]/' // 14-31 ); foreach ($non_displayables as $regex) $data = preg_replace($regex, '', $data); $data = str_replace("'", "''", $data); return $data; }

to escape the data before sending it

Nice function, but urls are decoded by the server and shouldn't do any harm at all

And writing a function that just replaces invalid chars isn't really good imo
Easiest thing would be to use a regex(or create 2 loops and one array with the valid chars and check every single character yourself; could be a little faster) to check if it only contains the chars you want and if it doesn't, the query isn't even executed to avoid some random data in the db