Jump to content
Sign in to follow this  
The Coder

Timestamps - Crons?

Recommended Posts

Hey,

I wanted to know, if someone could re-direct me to a forum thread explaining how to remove all use of your Crons to Timestamps?

On a side note, is there any actual difference other then the obvious one?

Thanks.

Share this post


Link to post
Share on other sites

On a side note, is there any actual difference other then the obvious one?

Yes.

They will only do what they're told when it's requested, for example; when a user is online.

If, however, a user is not online, making requests (clicking links) it will not run - although you can workaround that, with a little math.

Here's a few links:

time() - Return current time

glob() - Used to include all cron files, in my method

Some basic PHP knowledge

& of course, you need to know some math

Share this post


Link to post
Share on other sites
On a side note, is there any actual difference other then the obvious one?

Yes.

They will only do what they're told when it's requested, for example; when a user is online.

If, however, a user is not online, making requests (clicking links) it will not run - although you can workaround that, with a little math.

Here's a few links:

time() - Return current time

glob() - Used to include all cron files, in my method

Some basic PHP knowledge

& of course, you need to know some math

Never do such a thing please.

Share this post


Link to post
Share on other sites

What if i found a loophole (which is quite common on mccode even the patched ones), that allowed me to upload a file? Now his cron system would automatically run my file, correct?

Now, imagine the possibilities allowed to run through that file?

Obviously, if thought through, this can work, with white listing that is. But don't simply tell another person to use glob() to include all the file's, that's just... bad.

 

What I've found that works is something along these lines:

 

CREATE TABLE `crons` (
 `cron_name` varchar(50) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',
 `cron_last_run` int(11) NOT NULL,
 `cron_code` varchar(30) COLLATE utf8_unicode_ci NOT NULL DEFAULT '',
 `cron_minus` int(10) unsigned NOT NULL,
 `cron_enabled` tinyint(1) unsigned NOT NULL DEFAULT '1',
 KEY `cron_name` (`cron_name`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;

 

Example Row:

{
"data":
[
	{
		"cron_name": "1 Minute",
		"cron_last_run": 1347245661,
		"cron_code": "one_minute",
		"cron_minus": 60,
		"cron_enabled": 1
	}
]
}

 

PHP File to run timestamp:

 

<?php
# Do your database includes & setup here

include_once('class/cron.php');

$cron = new Cron;
$crons = mysql_query('SELECT * FROM `crons` WHERE `cron_enabled` = 1');

$executed = array();
while($soc = mysql_fetch_assoc($crons))	{
if((time() - $soc['cron_minus']) > $soc['cron_last_run'])	{
	$multiply = ((time() - $soc['cron_minus']) - $soc['cron_last_run']) / $soc['cron_minus'];
	$multiply = floor($multiply);
	$multiply = ($multiply) ? $multiply : 1;

	eval('$return = $cron->'.$item['cron_code'].'('.$multiply.');');

	if($return)
		$executed[] = $item['cron_code'];
}
}
if(!empty($executed))	{
mysql_query('UPDATE `crons` SET `cron_last_run` = '.time().' WHERE `cron_code` IN("'.implode('","', $executed).'")');
}
?>

 

Then your class as such:

 

Class Cron	{
public function one_minute($multiply = 1)	{
               # Example Query:
               # mysql_query('UPDATE `users` SET `energy` = (`energy` + '.(5 * $multiply).') WHERE `energy` > 0');
	return true;
}
}

 

* UNTESTED AND WILL NEED WORK TO MAKE IT WORK.

Share this post


Link to post
Share on other sites

Well if a player is able to upload a PHP file, you are anyhow f*@! as you could still use remote cron system which would call this file periodically. So for me the security is not different. Sorry. The first thing to do is to patch any vulnerability which would allow a player to send custom code.

  • Like 1

Share this post


Link to post
Share on other sites

HD you're making no sense, if a user is able to upload a PHP script to the website they could easily just run it manually and not even need the cron to run it.

Using glob wouldn't be a security issue, somehow allowing users access to file uploads is.

  • Like 1

Share this post


Link to post
Share on other sites
HD you're making no sense, if a user is able to upload a PHP script to the website they could easily just run it manually and not even need the cron to run it.

Using glob wouldn't be a security issue, somehow allowing users access to file uploads is.

Think outside the box.

I could manually run that script, which on each run will let's say for example give me $1,000,000 or i could let the cron run every minute and do it for me.

I could allow that script to upload a backdoor every minute to a different file each time.

I could create that script to add one line of php to each of your pages each time it runs to auto download malware onto your pc.

Or better yet, why don't i just create a simple script, that add's a simple line of php to every php page on your system, and every load to that page, will send me the user's cookie data.

The options are endless, not just the fact that the website owner has left an open vulnerability on the site. But let's move on.

Ok, i find a hole that i can upload my malicious script. I have to then run it manually. What happens? It gets logged into the access-logs, if it's included on the other hand, there is no log of my IP hitting that script.

Now, you say "File uploads" are insecure. While i agree with you on that, but pulling an image from a source is also insecure. Let's say for example, the very well known exploit on WordPress (Timthumb)

Timthumb get's hit with a url as such:

http://url.com/wp-content/../../timthumb.php?url=.......&x=360&y=400

What if the url landed on a php script, that looks to be an image:

GIF89a�����ÿÿÿ!ù����,�������D�;�<?php
...malicious script to follow here...

 

Follow Murphys Law

"Anything that can go wrong, will go wrong".

Share this post


Link to post
Share on other sites

You don't need to run them manually, you can use remote-cron systems, proxy and much more. As soon as you find a way to upload some custom made PHP file, you can basically do all what you want. No need to be executed by cron or not.

Well the image upload can be handled in different ways:

- If you don't allow code execution (PHP or any other) on the image uploaded directory I hardly see how you could be vulnerable

- If you load the image from another script and serves it only as content as the image upload is not directly visible, then again I hardly see the vulnerability.

Overall, your cron statement is for me a non sense. If you can upload a script you are vulnerable. No need to be run by cron or not. And actually running by cron changes nothing.

Share this post


Link to post
Share on other sites

A way to protect against malicious code in images - so I've read - is to output them using GD.

Anyway, that's off topic.

@HD - Some good points raised, however, have you found a backdoor to upload a file to the server? I understand to take Murphys Law into consideration. (May be a dumb moment) - Also, this isn't a war starter question. :)

Share this post


Link to post
Share on other sites
@HD - Some good points raised, however, have you found a backdoor to upload a file to the server? I understand to take Murphys Law into consideration. (May be a dumb moment) - Also, this isn't a war starter question. :)

To answer your question directly. No, not on the current release of MCCode's. However, many many people just upload already made script's from here, which do entail the vulnerability to do such exploit, or any other exploit for that matter.

"What can go wrong, will go wrong."

"Assume" => Making an "ass" out of "u" & "me".

So, never assume you are secure, for that day come's that you are attacked, you'll feel like an ass.

Share this post


Link to post
Share on other sites
To answer your question directly. No, not on the current release of MCCode's. However, many many people just upload already made script's from here, which do entail the vulnerability to do such exploit, or any other exploit for that matter.

"What can go wrong, will go wrong."

"Assume" => Making an "ass" out of "u" & "me".

So, never assume you are secure, for that day come's that you are attacked, you'll feel like an ass.

 

Yeah! I remember watching a film - forgot the title - and it's main line was "Assuming is the mother of all f*ck ups". (Perhaps DJK will know the film :p They were on a train)

Share this post


Link to post
Share on other sites
(Perhaps DJK will know the film :p They were on a train)

I do actually, however I do not wish to say, for fear of being called names. :p

Okay you win: Under Siege 2 (not as good as number 1, but pretty solid Seagal film, if there is one) - You could just google the quote you know?

Share this post


Link to post
Share on other sites
I do actually, however I do not wish to say, for fear of being called names. :p

Okay you win: Under Siege 2 (not as good as number 1, but pretty solid Seagal film, if there is one) - You could just google the quote you know?

You never fail to amaze! haha, I know, but DJK's brain is better than the internet for searching movie quotes ;)

Share this post


Link to post
Share on other sites
You never fail to amaze! haha, I know, but DJK's brain is better than the internet for searching movie quotes ;)

Only certain movies, ala ones I've watched. >_<

Anyway off topic now, so I'll be leaving. :P

Share this post


Link to post
Share on other sites
A way to protect against malicious code in images - so I've read - is to output them using GD.

Anyway, that's off topic.

I will kill you, that's not even remotely close to the correct method.

It's been discussed on this forum already, the best way to validate any file is though it's mime type.

And to those debating about crons..

If your application needs crontabs to be able to function, you're doing it wrong.

Timers should be treated as a luxury in any piece of software.

Share this post


Link to post
Share on other sites
I will kill you, that's not even remotely close to the correct method.

It's been discussed on this forum already, the best way to validate any file is though it's mime type.

My last words - before you kill me - I read it somewhere :p

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...