A tool to execute PHP scripts

  • CountScubula

    #16
    Re: A tool to execute PHP scripts

    Surprised you haven't tried to hack my AOL IM bot: screen name: 'gzentools'

    --
    Mike Bradley
    http://www.gzentools.com -- free online php tools



    • CountScubula

      #17
      Re: A tool to execute PHP scripts

      Well, I am headed to fill my tanks, then head home,

      We should compare notes sometime.

      --
      Mike Bradley
      http://www.gzentools.com -- free online php tools



      • Pedro Graca

        #18
        Re: [OT] Re: A tool to execute PHP scripts

        CountScubula wrote:
        > Well, when it appears someone is hacking me (I know you were not after all), I
        > monitor them, and immediately start looking at who they are, where they are
        > coming from, what routers they are going through, data in their packets.
        > what services are running on their IP (router/firewall/server/machine)

        > I did a simple

        > telnet your_ip 80

        > and hit enter 2 times, and waited for a default bad method answer

        Ah! I got it! You were interested in my *^&#@_! ISP proxy server :)
        My ip is not the one that appears on your Apache (or whatever) logs

        All of the people in/around my city using the cable company I'm using
        for an ISP will have that same ip.

        > psssst. I also looked at your ftp server :)

        I do not have FTP open!
        In fact I only have these ports open: 113, 25, 80, 22, 443, and sometimes 8080
        --
        --= my mail box only accepts =--
        --= Content-Type: text/plain =--
        --= Size below 10001 bytes =--


        • Pedro Graca

          #19
          Re: A tool to execute PHP scripts

          CountScubula wrote:
          > well, i'm back, I am only 150 yards from the beach. (today that is, I am

          > Ok, you got me a little nervous, you have a new idea?

          And it works!!!!!!!!
          patch your phpnow script! :-)
          --
          --= my mail box only accepts =--
          --= Content-Type: text/plain =--
          --= Size below 10001 bytes =--


          • Pedro Graca

            #20
            Re: A tool to execute PHP scripts

            I (Pedro Graca) wrote:
            > And it works!!!!!!!!
            > patch your phpnow script! :-)

            $out = str_replace("gZ en PHP Interpeter ","gZen PHP Interpeter ",$out);
            $out = str_replace("", "",$out);


            What's this for? :)
            some leftovers from a previous version?
            --
            --= my mail box only accepts =--
            --= Content-Type: text/plain =--
            --= Size below 10001 bytes =--


            • CountScubula

              #21
              Re: A tool to execute PHP scripts

              "Pedro Graca" <hexkid@hotpop.com> wrote in message
              news:btfjhj$6pgub$4@ID-203069.news.uni-berlin.de...
              > I (Pedro Graca) wrote:
              > > And it works!!!!!!!!
              > > patch your phpnow script! :-)
              >
              > $out = str_replace("gZ en PHP Interpeter ","gZen PHP Interpeter ",$out);
              > $out = str_replace("", "",$out);
              >
              >
              > What's this for? :)
              > some leftovers from a previous version?
              > --
              > --= my mail box only accepts =--
              > --= Content-Type: text/plain =--
              > --= Size below 10001 bytes =--

              Those didn't come out right, but they are to prevent the dir structure from
              being revealed if there is an error in the user's code.

              The preg_replace, that was good, kudos on that one!

              Is that the only command to allow /e or does it work on any of the regex?
              That was good, I am still having fun with ideas on that one!


              --
              Mike Bradley
              http://www.gzentools.com -- free online php tools



              • CountScubula

                #22
                Re: A tool to execute PHP scripts

                hey, you know linux,

                what was the command to start a process, and if it dies, have it
                automatically restart?
                as in 'respawn' in inittab?

                --
                Mike Bradley
                http://www.gzentools.com -- free online php tools
                "Pedro Graca" <hexkid@hotpop.com> wrote in message
                news:btfjhj$6pgub$4@ID-203069.news.uni-berlin.de...
                > I (Pedro Graca) wrote:
                > > And it works!!!!!!!!
                > > patch your phpnow script! :-)
                >
                > $out = str_replace("gZ en PHP Interpeter ","gZen PHP Interpeter ",$out);
                > $out = str_replace("", "",$out);
                >
                >
                > What's this for? :)
                > some leftovers from a previous version?
                > --
                > --= my mail box only accepts =--
                > --= Content-Type: text/plain =--
                > --= Size below 10001 bytes =--



                • R. Rajesh Jeba Anbiah

                  #23
                  Re: A tool to execute PHP scripts

                  Marek_Kotowski@wsip.com.pl (Marek Kotowski) wrote in message news:<e55a62c8.0401060154.27de362f@posting.google.com>...
                  > I am looking for a tool to execute PHP scripts
                  > entered in a HTML form. For example: user is
                  > given a problem to solve. He writes a PHP script,
                  > sends it to a server, where it is executed
                  > and results are sent back to the user. Are
                  > such tools available at all?

                  <-----snip start------>

                  <?php
                  //file: immediate2.php

                  function eval_buffer($string) {
                  ob_start();
                  eval("$string[2];");
                  $return = ob_get_contents();
                  ob_end_clean();
                  return $return;
                  }

                  function eval_print_buffer($string) {
                  ob_start();
                  eval("print $string[2];");
                  $return = ob_get_contents();
                  ob_end_clean();
                  return $return;
                  }

                  function eval_html($string) {
                  $string = preg_replace_callback("/(<\?=)(.*?)\?>/si",
                  "eval_print_buffer",$string);
                  return preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",
                  "eval_buffer",$string);
                  }

                  $expression = isset($_POST['expression']) ? $_POST['expression'] : '';

                  ?>
                  <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
                  <HTML>
                  <HEAD>
                  <TITLE>Immediate Window v2.0</TITLE>
                  <META http-equiv="Content-Type" content="text/html;
                  charset=iso-8859-1">
                  <STYLE type="text/css">
                  <!--
                  body {
                  font-family: Verdana, Arial, Helvetica, sans-serif;
                  font-size: 9px;
                  }
                  hr {
                  color: #FF0000;
                  }
                  input {
                  font-family: Verdana, Arial, Helvetica, sans-serif;
                  font-size: 9px;
                  }
                  pre {
                  font-size: 12px;
                  }
                  -->
                  </STYLE>
                  </HEAD>
                  <BODY>
                  <H1 align="center">Immediate Window v2.0</H1>
                  <FORM action="<?=$_SERVER['PHP_SELF']?>" method="post">
                  <TABLE width="354" border="0" align="center" cellpadding="5"
                  cellspacing="0">
                  <TR>
                  <TD width="344" align="center"><TEXTAREA name="expression"
                  cols="50" rows="5" id="expression"><?=$expression?></TEXTAREA>
                  </TD>
                  </TR>
                  <TR>
                  <TD align="center"><INPUT type="submit" name="Submit"
                  value="Evaluate">
                  </TD>
                  </TR>
                  </TABLE>
                  </FORM>
                  <HR>
                  <PRE>
                  <?php
                  if ($_POST)
                  {
                  echo eval_html($expression);
                  }
                  ?>
                  </PRE>
                  <HR>
                  <P><STRONG>Credits: </STRONG>This code is based on the user notes
                  found at <A href="http://www.php.net/eval"
                  target="_blank">http://www.php.net/eval</A></P>
                  </BODY>
                  </HTML>

                  <-----snip end------>


                  --
                  "Silence is the only right answer for many wrong questions" --
                  G.K.Moopanar, Indian Politician
                  Email: rrjanbiah-at-Y!com


                  • CountScubula

                    #24
                    Re: A tool to execute PHP scripts

                    "R. Rajesh Jeba Anbiah" <ng4rrjanbiah@rediffmail.com> wrote in message
                    news:abc4d8b8.0401062202.5ff10ec7@posting.google.com...
                    > Marek_Kotowski@wsip.com.pl (Marek Kotowski) wrote in message
                    news:<e55a62c8.0401060154.27de362f@posting.google.com>...
                    > > I am looking for a tool to execute PHP scripts
                    > > entered in a HTML form. For example: user is
                    > > given a problem to solve. He writes a PHP script,
                    > > sends it to a server, where it is executed
                    > > and results are send back to the user. Are
                    > > such tools available at all?
                    >
                    > <-----snip start------>
                    >
                    > <?php
                    > //file: immediate2.php
                    >
                    > function eval_buffer($string) {
                    > ob_start();
                    > eval("$string[2];");
                    > $return = ob_get_contents();
                    > ob_end_clean();
                    > return $return;
                    > }
                    >
                    > function eval_print_buffer($string) {
                    > ob_start();
                    > eval("print $string[2];");
                    > $return = ob_get_contents();
                    > ob_end_clean();
                    > return $return;
                    > }
                    >
                    > function eval_html($string) {
                    > $string = preg_replace_callback("/(<\?=)(.*?)\?>/si",
                    > "eval_print_buffer",$string);
                    > return preg_replace_callback("/(<\?php|<\?)(.*?)\?>/si",
                    > "eval_buffer",$string);
                    > }
                    >
                    > $expression = isset($_POST['expression']) ? $_POST['expression'] : '';
                    >
                    > ?>
                    > <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
                    > <HTML>
                    > <HEAD>
                    > <TITLE>Immediate Window v2.0</TITLE>
                    > <META http-equiv="Content-Type" content="text/html;
                    > charset=iso-8859-1">
                    > <STYLE type="text/css">
                    > <!--
                    > body {
                    > font-family: Verdana, Arial, Helvetica, sans-serif;
                    > font-size: 9px;
                    > }
                    > hr {
                    > color: #FF0000;
                    > }
                    > input {
                    > font-family: Verdana, Arial, Helvetica, sans-serif;
                    > font-size: 9px;
                    > }
                    > pre {
                    > font-size: 12px;
                    > }
                    > -->
                    > </STYLE>
                    > </HEAD>
                    > <BODY>
                    > <H1 align="center">Immediate Window v2.0</H1>
                    > <FORM action="<?=$_SERVER['PHP_SELF']?>" method="post">
                    > <TABLE width="354" border="0" align="center" cellpadding="5"
                    > cellspacing="0">
                    > <TR>
                    > <TD width="344" align="center"><TEXTAREA name="expression"
                    > cols="50" rows="5" id="expression"><?=$expression?></TEXTAREA>
                    > </TD>
                    > </TR>
                    > <TR>
                    > <TD align="center"><INPUT type="submit" name="Submit"
                    > value="Evaluate">
                    > </TD>
                    > </TR>
                    > </TABLE>
                    > </FORM>
                    > <HR>
                    > <PRE>
                    > <?php
                    > if ($_POST)
                    > {
                    > echo eval_html($expression);
                    > }
                    > ?>
                    > </PRE>
                    > <HR>
                    > <P><STRONG>Credits: </STRONG>This code is based on the user notes
                    > found at <A href="http://www.php.net/eval"
                    > target="_blank">http://www.php.net/eval</A></P>
                    > </BODY>
                    > </HTML>
                    >
                    > <-----snip end------>
                    >
                    >
                    > --
                    > "Silence is the only right answer for many wrong questions" --
                    > G.K.Moopanar, Indian Politician
                    > Email: rrjanbiah-at-Y!com


                    There are so many security holes in that. That's what Pedro and I have been going back
                    and forth over. You cannot just pass code to eval, eval = evil :)


                    --
                    Mike Bradley
                    http://www.gzentools.com -- free online php tools



                    • R. Rajesh Jeba Anbiah

                      #25
                      Re: [OT] Re: A tool to execute PHP scripts

                      "CountScubula" <me@scantek.hotmail.com> wrote in message news:<7MFKb.7393$CG2.3138@newssvr25.news.prodigy.com>...

                      <snip>
                      --
                      Mike Bradley
                      http://www.gzentools.com -- free online php tools

                      Recently someone in c.l.c pointed out my faulty sig-marker. The
                      sig-marker should be "-- " (i.e., dash-dash-space-newline). Now, I'd
                      like to let you know that.

                      --
                      "Silence is the only right answer for many wrong questions" --
                      G.K.Moopanar, Indian Politician
                      Email: rrjanbiah-at-Y!com


                      • Pedro Graca

                        #26
                        Re: A tool to execute PHP scripts

                        CountScubula wrote:
                        > Surprised you haven't tried to hack my AOL IM bot: screen name: 'gzentools'

                        I don't care for Instant Messaging.
                        --
                        --= my mail box only accepts =--
                        --= Content-Type: text/plain =--
                        --= Size below 10001 bytes =--


                        • Pedro Graca

                          #27
                          Re: A tool to execute PHP scripts

                          CountScubula wrote:
                          > hey, you know linux,

                          No, I don't, I know (language exaggeration) only the few things I dealt
                          with to have my computer running and make me feel safe.

                          > what was the command to start a process, and if it dies, have it
                          > automatically restart?
                          > as in 'respawn' in inittab?

                          I have a similar thing with a program that checks whether it's running at
                          startup: I made a crontab entry to start that program every hour; if it
                          verifies it is already running, it won't start a second instance.
                          --
                          --= my mail box only accepts =--
                          --= Content-Type: text/plain =--
                          --= Size below 10001 bytes =--


                          • Pedro Graca

                            #28
                            Re: A tool to execute PHP scripts

                            R. Rajesh Jeba Anbiah wrote:
                            [edited]
                            > eval($user_input);

                            Are you sure you can treat $user_input to avoid *ALL* security risks
                            this poses?

                            $user_input = 'implode("", file("/etc/passwd"))';
                            $user_input = '`ls`';

                            and a lot more of evil things :)


                            Like Mike says

                            "eval == evil"
                            --
                            --= my mail box only accepts =--
                            --= Content-Type: text/plain =--
                            --= Size below 10001 bytes =--


                            • Tim Van Wassenhove

                              #29
                              Re: A tool to execute PHP scripts

                              On 2004-01-07, Pedro Graca <hexkid@hotpop.com> wrote:
                              > R. Rajesh Jeba Anbiah wrote:
                              > [edited]
                              >> eval($user_input);
                              >
                              > Are you sure you can treat $user_input to avoid *ALL* security risks
                              > this poses?
                              >
                              > $user_input = 'implode("", file("/etc/passwd"))';
                              > $user_input = '`ls`';
                              >
                              > and a lot more of evil things :)

                              That's why they invented shadow passwords :P
                              (Assuming your webserver isn't running under uid 0)


                              --


                              • Pedro Graca

                                #30
                                Re: A tool to execute PHP scripts

                                Tim Van Wassenhove wrote:
                                >> $user_input = 'implode("", file("/etc/passwd"))';

                                >> and a lot more of evil things :)

                                > That's why they invented shadow passwords :P
                                > (Assuming your webserver isn't running under uid 0)

                                What about

                                `rm -rf *`

                                Does the webserver have write access to the directory the scripts are in?
                                Do you have a backup of them?
                                --
                                --= my mail box only accepts =--
                                --= Content-Type: text/plain =--
                                --= Size below 10001 bytes =--
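
The point argued in posts #28 and #30, as an added example that is not part of the thread: rather than filtering `$user_input` and calling eval() inside the web server process, hand the submission to a separate PHP CLI child with shell functions disabled, file access confined, and a wall-clock and output limit. `PHP_CLI`, `SANDBOX_DIR`, `WALL_LIMIT`, `MAX_OUT` and `run_untrusted()` are hypothetical names and the paths are assumptions; PHP 7.4 or later is assumed for the array form of proc_open().

```php
<?php
// Added example, not code from the thread. All constant and function names
// below are hypothetical; the two paths are assumptions about the host.
const PHP_CLI     = '/usr/bin/php';   // assumed location of the CLI binary
const SANDBOX_DIR = '/var/sandbox';   // assumed empty dir, writable by the web user
const WALL_LIMIT  = 3.0;              // seconds before the parent kills the job
const MAX_OUT     = 65536;            // bytes of output returned to the browser

function run_untrusted(string $code): string
{
    $script = tempnam(SANDBOX_DIR, 'job');
    if ($script === false) {
        return '[could not create job file]';
    }
    file_put_contents($script, $code);

    $disabled = implode(',', [
        'exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open',
        'pcntl_exec', 'mail', 'putenv', 'dl', 'fsockopen', 'pfsockopen',
        'stream_socket_client', 'stream_socket_server',
    ]);
    $cmd = [
        PHP_CLI, '-n',                              // -n: ignore any php.ini
        '-d', 'disable_functions=' . $disabled,     // shell_exec off also disables backticks
        '-d', 'open_basedir=' . SANDBOX_DIR . '/',  // file()/fopen() confined to the sandbox
        '-d', 'allow_url_fopen=0',
        '-d', 'memory_limit=16M',
        '-d', 'max_execution_time=2',               // CPU-time limit inside the child
        $script,
    ];
    // No stdin, stdout captured, stderr folded into stdout, empty environment.
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($cmd, $spec, $pipes, SANDBOX_DIR, []);
    if (!is_resource($proc)) {
        unlink($script);
        return '[could not start interpreter]';
    }
    stream_set_blocking($pipes[1], false);
    $out = '';
    $killed = false;
    $deadline = microtime(true) + WALL_LIMIT;
    do {
        $out .= (string) stream_get_contents($pipes[1]);
        $running = proc_get_status($proc)['running'];
        if ($running && (microtime(true) > $deadline || strlen($out) > MAX_OUT)) {
            proc_terminate($proc, 9);               // SIGKILL: sleep loops, output floods
            $killed = true;
            break;
        }
        usleep(20000);
    } while ($running);
    $out .= (string) stream_get_contents($pipes[1]); // drain what is left
    fclose($pipes[1]);
    proc_close($proc);
    unlink($script);
    return substr($out, 0, MAX_OUT) . ($killed ? "\n[killed: limit exceeded]" : '');
}

// Constructed input: the two expressions quoted in post #28, wrapped in PHP tags.
if (PHP_SAPI === 'cli') {
    $sample = '<?php echo 6 * 7, "\n"; echo implode("", file("/etc/passwd")); echo `ls`;';
    echo htmlspecialchars(run_untrusted($sample)), "\n";  // escape before it reaches a <PRE>
}
```

disable_functions and open_basedir are interpreter-level limits, so the child should also run under a dedicated low-privilege account or container that has no write access to the site's own scripts, which is the concern raised in post #30.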
