topmorpg Posted February 3, 2008

I posted this in another thread but thought to make it easier to find by name. This will go over shells and upload folders. Shells can be named whatever the posing hacker (attempted hacker) wants to call them. It's normally due to an include setting in the file that is exploited, or an upload script, which is most common. They call an outside file to run a script that installs a file located on a remote server, then they can use the shell to exploit your cPanel if they are good enough, or other areas of your site (MySQL, script, etc.).

In any folders you allow uploads, place an htaccess file to disable any script execution, as well as secure down your PHP script on the statements with mysql_real_escape. Example:

```php
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error());

// Query: user input is escaped before it is placed into the SQL string
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user),
    mysql_real_escape_string($password));
?>
```

htaccess file to disable all script execution. Secure directories by disabling execution of scripts. Prevent malicious brainiacs from actively scripting secure directories by adding the following rules to the representative htaccess file (edit file types to suit your needs):

```apache
# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
```

Hope this helps to secure more of your sites.

TJ
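As an added example (not from the original post or from mccode), here is the same pair of controls in one upload handler: it writes the post's no-execution htaccess rules into the upload directory, stores the file under a server-chosen name with a non-executable mode, and records it with a PDO prepared statement in place of the mysql_real_escape_string pattern. The uploads table, its columns and the allowed-type list are assumptions.

```php
<?php
// Added example (not from the original post): a hardened upload handler that
// applies both of the thread's controls. The uploads directory gets the
// post's .htaccess rules, and the database insert uses a prepared statement.
// The table, column names and allowed-type list are assumptions.

const UPLOAD_DIR = __DIR__ . '/uploads';
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Write the "no script execution" rules into the upload directory.
function ensureNoExecHtaccess(string $dir): void {
    if (!is_dir($dir)) {
        mkdir($dir, 0755, true);
    }
    $rules = "# secure directory by disabling script execution\n"
           . "AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi\n"
           . "Options -ExecCGI\n";
    file_put_contents($dir . '/.htaccess', $rules);
}

// Validate one entry of $_FILES and store it under a server-chosen name, so a
// client-supplied name such as "shell.php" never decides what lands on disk.
function storeUpload(array $file, PDO $db, int $userId): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('file type not allowed');
    }
    // Check the actual content, not just the extension the client claims.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    ensureNoExecHtaccess(UPLOAD_DIR);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable

    // Prepared statement: values are bound, never spliced into the SQL text.
    $stmt = $db->prepare('INSERT INTO uploads (user_id, stored_name, mime) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $name, $mime]);
    return $name;
}
```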
hamster01 Posted February 3, 2008

Re: Secure your script (lock it down from outsiders)

chmod 0566 uploads/
topmorpg (Author) Posted February 3, 2008

Re: Secure your script (lock it down from outsiders)

> chmod 0566 uploads/

While doing that, someone with knowledge could still inject your script and call an outside file to be uploaded and then executed from where they move the file.
HITMAN 17 Posted February 13, 2008

Re: Secure your script (lock it down from outsiders)

What's this, v2?

> [quotes the original post above]
Isomerizer Posted February 13, 2008

Re: Secure your script (lock it down from outsiders)

Not every bloody piece of code on this forum is made specifically for mccode.
mdshare Posted February 13, 2008

Re: Secure your script (lock it down from outsiders)

Nice script, simple and usable. And like Iso says, the mccode style of scripting is based on, uhmmm, how to call it... real PHP, like this tiny script (mccoders should learn to use sprintf).
hamster01 Posted February 14, 2008

Re: Secure your script (lock it down from outsiders)

> chmod 0566 uploads/

> While doing that, someone with knowledge could still inject your script and call an outside file to be uploaded and then executed from where they move the file.

They would be able to upload it, but nothing would execute, and since the directory is set only for files to be created by group, it won't be able to be moved. A file is just a plain text file unless it has the ability to do something.

Edit: An SQL injection would be able to overwrite an Apache config file.
james-w Posted March 17, 2008

Re: Secure your script (lock it down from outsiders)

Well, in my framework (modulargaming.com) every request gets passed through index.php, which looks up the jump_pages table for a page slug (term borrowed from WordPress). Permissions etc. are checked through that. I prevent SQL injection by using ActiveTables. XSS is prevented by use of HTMLPurifier (a lot better than a simple str_replace), as it works as a whitelist rather than a blacklist.