Wednesday, April 23, 2014
Securing Data with PHP




Let's say you have some files on your site that you don't want users to see.
This could be a header or, in this case, logs.
So first, let's make the log script.
Code

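<?php
$today = date("F j, Y, g:i a"); // The time down to the minute.
$date = date("F, j, Y"); // Each day a new log file will be created.
$lookatlogs = 0;
// Request details for the log line. These come from the client and are written as received.
$agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
$uri = $_SERVER['REQUEST_URI'];
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$code = "<?php if($" . "lookatlogs != 1){ die(''); } ?>"; // Guard written at the start of every log line.
$location = "./logs/"; // Location the logs should be created.
if (!is_dir($location)) { mkdir($location); } // Create the logs folder on first run.
$fp = fopen($location . $date . ".php", "a"); // Creates the file.
$line = $code . "IP: {$_SERVER['REMOTE_ADDR']} | Time: $today | Agent: $agent | URI: $uri | REF: $ref <br>" . "\n"; // This is what gets added to the file.
$size = strlen($line);
fputs($fp, $line, $size); // Adds $line to the file.
fclose($fp); // Closes it.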




And now the code to view the logs:
Code

<?php
$lookatlogs = 1;
?>
<textarea cols="120" rows="40" wrap="off">
<?php
include("./logs/September, 18, 2006.php");
?>
</textarea>




The first code will create a folder in the root directory called logs. Then each day it creates a file in logs. So, since today is 9/18/2006, it will create a log named September, 18, 2006.php. And in the log you will have this code:
Code

<?php if($lookatlogs != 1){ die(''); } ?>127.0.0.1|September 18, 2006, 12:05 am | Agent: Opera/9.01 (Windows NT 5.1; U; en) | URI: /kjl | REF: <br>




If someone views the log file in the browser, $lookatlogs will = 0, and 0 != 1, so it will die.
But in the code to view the logs, $lookatlogs = 1, so it will not die.
Enjoy.

--Adlez
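
The log line above contains the User-Agent, URI and Referer, all of which the client controls, and the viewer include()s the log file as PHP. The following is an added example, not the article's code: the same log line with each field escaped before it is written, stored as plain text and displayed with readfile(). LOG_DIR, log_field(), build_log_line(), write_log() and show_log() are names assumed here, and the sample request is constructed.

```php
<?php
// Added example, not the article's code. LOG_DIR is an assumed path outside
// the document root, so the web server never serves the log files directly.
const LOG_DIR = __DIR__ . '/../private_logs';

// Neutralise one client-supplied value before it goes into a log line.
function log_field(?string $value, int $max = 512): string
{
    $value = substr((string) $value, 0, $max);               // cap the length
    $value = preg_replace('/[\x00-\x1F\x7F]/', ' ', $value); // no CR/LF: one request, one line
    // "<" becomes "&lt;", so neither a PHP open tag nor "</textarea>" survives.
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The article's log line, with every request-derived field escaped.
function build_log_line(array $server, string $time): string
{
    return sprintf(
        "IP: %s | Time: %s | Agent: %s | URI: %s | REF: %s\n",
        log_field($server['REMOTE_ADDR'] ?? ''),
        $time,
        log_field($server['HTTP_USER_AGENT'] ?? ''),
        log_field($server['REQUEST_URI'] ?? ''),
        log_field($server['HTTP_REFERER'] ?? '')
    );
}

// Append to a plain-text file that is never parsed as PHP.
function write_log(array $server): void
{
    if (!is_dir(LOG_DIR)) { mkdir(LOG_DIR, 0700, true); }
    $file = LOG_DIR . '/' . date('Y-m-d') . '.log';
    file_put_contents($file, build_log_line($server, date('F j, Y, g:i a')), FILE_APPEND | LOCK_EX);
}

// Viewer: read the file as data with readfile(), never include() it.
function show_log(string $day): void
{
    if (!preg_match('/^\d{4}-\d{2}-\d{2}\z/', $day)) { // only names write_log() can produce
        exit('bad date');
    }
    echo '<textarea cols="120" rows="40" wrap="off">';
    readfile(LOG_DIR . '/' . $day . '.log');
    echo '</textarea>';
}

// Constructed request: the User-Agent tries to close the textarea, open a PHP tag and forge a line.
$sample = ['REMOTE_ADDR' => '127.0.0.1', 'REQUEST_URI' => '/kjl',
    'HTTP_USER_AGENT' => "</textarea><?php echo 'x'; ?>\r\nIP: 10.0.0.1 | forged"];
echo build_log_line($sample, 'September 18, 2006, 12:05 am');
```

Because the entities are written into the file, the browser decodes them inside the textarea and the viewer shows the original header text as inert characters.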

Comments

adlez on September 18 2006 - 20:59:16
I messed up. $location = "./logs/"; // location the logs should be created. should be $location = "logs/" unless not in root dir, then it's = "../logs/"; same as include("./logs/September, 18, 2006.php");
system_meltdown on September 18 2006 - 21:14:53
hehe, nice article, one thing though, if someone knows they're being logged, they can set their referer/user agent as a string of html/php depending on how it's saved, if the logs are saved as .php, people could exploit your site with php injection (maybe), or just input some evil html, so yea, you might wanna not keep it in a php/html file and just stick to .txt ;)
chislam on September 18 2006 - 21:25:19
hehe, do I remember you doin this to one of the real chall's system?
adlez on September 19 2006 - 05:44:08
@chislam, I don't believe so. @system_meltdown, ya, but if it was .txt, anyone could view it. But, since you have the logs being viewed in a <textarea>, html is not executed. Unless they type in </textarea>. So to stop this, $agent = htmlentities($agent); $uri = htmlentities($uri); $ref = htmlentities($ref); So now, even if they do know that they're viewed in a textarea, they still can't do anything.
god on September 19 2006 - 07:56:26
good article, but I personally like them stored in a text file..
Arto_8000 on September 19 2006 - 22:39:57
I agree with god, a text file is much more simple, you just need to add a htaccess to secure the file and it's done. Also if you still want to do it with a PHP file you can also use my trick to protect the file ... http://www.hellbo. . .cle_id=487