WWW.UNKNOWNS.RO / English [Guid's] / [Guide] Anti Sql Injection Protection (Moderated by zerich25, zpetry)
VIRUS
From: WWW.UNKNOWNS.RO
Registered: 16 years ago
Posts: 3176
Here are some easy ways to protect your website from different types of security holes.

A. SQL INJECTIONS


How to use:
1. Download the file and put it in the same folder as the PHP file.
2. Below is how to use it. Put these lines at the top of the page, just after the opening <?php tag.

Code:

require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect);

3. This is the SQL injection checker:

Code:

$sqlinject->test($your_sql_data);

Explanation:
require_once "sql_inject.php"; < includes the protector file
$bDestroy_session = TRUE; < this destroys any session they are on
$url_redirect = 'index.php'; < if they attempt a SQL injection they are redirected to this page
$sqlinject = new sql_inject('./log_file_sql.log',$bDestroy_session,$url_redirect) ; < this starts the SQL injection protection ( also ./log_file_sql.log is the file where all the attempts are written, for you to ban them later on... hehe)

$sqlinject->test($your_sql_data); < this is the call that runs the anti SQL injector, where $your_sql_data is the mssql query string.

That's my best explanation. I'm too lazy now; if you made it work, try to explain it to the others.

Don't PM me about this please.

Additional Info:

Code:

<?php

require_once "sql_inject.php";
$bDestroy_session = TRUE;
$url_redirect = 'index.php';
$sqlinject = new sql_inject('./log_file_sql.log', $bDestroy_session, $url_redirect);

// some lines here
// more lines here.. blah blah blah

// below is a little trick to set a POST variable on this page; as you can see, the POST variable login
// has already been injected with a DROP TABLE on memb_info and an UPDATE of clevel to 350
$_POST['login'] = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";
// this type of SQL injection is trying to execute additional SQL statements

// then, like on any normal page, you read the $login variable (we can even try to stripslashes it)
$login = stripslashes($_POST['login']);

// your SQL query string
$query = "Select Name From Character where name = '$login'";
// normally you would check $login for SQL injection, but in this case, thanks to the new anti SQL injection class, the entire query string can be analysed

// to analyse the query string we do this
$sqlinject->test($query);

// now that we have checked it, we can run the query
$result = mssql_query($query);

// more lines here.. blah blah

?>

--- the above would create a new file in your folder called log_file_sql.log; make sure you make your folder writable
--- I tested the sample PHP file above and it works like a charm.
UPDATE FOR SOME TYPOS!




B. STOPPING OFF-DOMAIN TRANSACTIONS
- one of the bigger holes in any website is forms, because when you make them it doesn't mean they stay that way. People can just download the form, edit the action, and send anything they want to your server. This is widely used by SQL injectors.

How to stop it: the idea is that on the other side of your forms you will have a referrer check. The referrer means the last page that was used before the current one.

Put this in the file you are targeting as the action of a form:

Code:

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (stristr($referer, 'http://www.supamu.info') === FALSE ) {
    die ( 'Hacking attempt. You are such a Nooby!.. ' );
}

-- the above checks whether the last referrer was from the domain; if not, it stops the entire page from loading any further. What you can also do is add a logging system to this, which I'll do in the next tutorial.





C. Adding a Simple Auto File Logger to Your Website
This is to catch those hacking attempts in a FILE! The anti SQL injector already has its own logging system, but this is for the other stuff you want to log, like for example the referrer check.

Here is the main function for the logger (you need to put this somewhere in your PHP file, or in a global include file):

Code:

function filelogs($type, $info, $muser) {
    $agent = $_SERVER['HTTP_USER_AGENT'];
    $uri   = $_SERVER['REQUEST_URI'];
    $ip    = $_SERVER['REMOTE_ADDR'];
    // the Referer header is optional, so read it with isset() to avoid a notice
    $ref   = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "";
    $dtime = date('r');

    if ($ref == "") {
        $ref = "None";
    }
    if ($muser == "") {
        $muser = "None";
    }
    // directory the log files are written to; it must be writable by the web server
    $location = "/";
    $type = $location . $type . ".txt";
    $entry_line = "$dtime - IP: $ip | Agent: $agent  | URL: $uri | Referrer: $ref | Username: $muser | Query : $info \n";
    $fp = fopen("$type", "a");
    fputs($fp, $entry_line);
    fclose($fp);
}

How to use it is as simple as this:

Code:

filelogs('filename', $additionalinfo, $theusername);

filename = just to separate one kind of log from another
$additionalinfo = some info you want to include in the log, like queries or the current referrer's address
$theusername = if you have cookies, you can put them here, so you'll know who to ban for these acts.

A sample script, combined with the referrer filter from B:

Code:

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (stristr($referer, 'http://www.supamu.info') === FALSE ) {

   filelogs('account-creat', $referer, $_POST['Member_ID']);
   die ( 'Hacking attempt. You are such a Nooby!.. ' );
}

http://rapidshare.de/files/39576394/sql_inject.zip.html


_______________________________________


posted 16 years ago
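Editor's added example, not part of VIRUS's post and not code from the sql_inject.php download it links to. It redoes the three parts of the post with standard PHP: (A) the same login lookup, first assembled by string concatenation as in the post and then as a prepared statement, fed the post's own injected login value; (B) the referrer check done by comparing the parsed host of the Origin/Referer header instead of searching for a substring; (C) the attempt logger with header and input newlines stripped. Assumptions: an in-memory SQLite database stands in for the post's MSSQL server (with pdo_sqlsrv the DSN would be "sqlsrv:Server=...;Database=..." and the queries are unchanged), the site host is www.supamu.info as in the post, the requests are constructed inline, and the log directory is the system temp directory (in production, a directory outside the web root).

```php
<?php
// Added example: parameterised lookup, host-based origin check and a safe
// attempt log. Assumptions: SQLite in memory instead of MSSQL, constructed
// requests, log directory = system temp dir, site host = www.supamu.info.
declare(strict_types=1);

// ---- (A) the login lookup ---------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE "character" (name TEXT PRIMARY KEY, clevel INTEGER NOT NULL)');
$pdo->exec('INSERT INTO "character" VALUES (\'alice\', 10), (\'bob\', 20)');

// Constructed input: the same payload the post puts into $_POST['login'].
$login = "%%'; drop table memb_info ; update character set clevel = 350 where name = '%%";

// What the post's concatenation sends to the server: the quote inside the
// input closes the string literal and everything after it is parsed as SQL.
$concatenated = "Select Name From Character where name = '$login'";
echo "concatenated: $concatenated\n";

// Prepared form: the SQL text is fixed and the value is bound separately, so
// the payload is only ever compared against the name column, never parsed.
function findCharacter(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM "character" WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
printf("prepared, injected value: %d row(s)\n", count(findCharacter($pdo, $login)));
printf("prepared, 'alice': %d row(s)\n", count(findCharacter($pdo, 'alice')));

// ---- (B) the referrer check -------------------------------------------------
// stristr($ref, 'http://www.supamu.info') matches the text anywhere in the
// header, so http://evil.example/?http://www.supamu.info gets through.
// Comparing the parsed host closes that. Browsers send Origin on POST;
// Referer may be stripped by privacy settings, so Origin is tried first.
function isSameOrigin(array $server, string $expectedHost): bool
{
    $header = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($header === '') {
        return false; // no header at all: treat as foreign (typical for scripted posts)
    }
    $host = parse_url($header, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// ---- (C) the attempt log ----------------------------------------------------
function logAttempt(string $dir, string $type, array $server, string $info, string $user = 'None'): void
{
    // $type names the log file, so it is reduced to a safe character set;
    // CR/LF are stripped from client-supplied fields so one request is one line.
    $file = $dir . '/' . preg_replace('/[^a-z0-9_-]/i', '', $type) . '.txt';
    $clean = static fn(string $s): string => str_replace(["\r", "\n"], ' ', $s);
    $line = sprintf("%s - IP: %s | Agent: %s | URL: %s | Referrer: %s | Username: %s | Query: %s\n",
        date('r'),
        $server['REMOTE_ADDR'] ?? '-',
        $clean($server['HTTP_USER_AGENT'] ?? '-'),
        $clean($server['REQUEST_URI'] ?? '-'),
        $clean($server['HTTP_REFERER'] ?? 'None'),
        $clean($user),
        $clean($info));
    file_put_contents($file, $line, FILE_APPEND | LOCK_EX);
}

// Constructed requests: one forged from another domain, one genuine.
$forged  = ['HTTP_REFERER' => 'http://evil.example/?http://www.supamu.info',
            'REMOTE_ADDR' => '203.0.113.7', 'HTTP_USER_AGENT' => 'curl/8.0',
            'REQUEST_URI' => '/create.php'];
$genuine = ['HTTP_ORIGIN' => 'http://www.supamu.info',
            'REMOTE_ADDR' => '198.51.100.3', 'HTTP_USER_AGENT' => 'Mozilla/5.0',
            'REQUEST_URI' => '/create.php'];

$logDir = sys_get_temp_dir(); // assumption: in production, a directory outside the web root
foreach (['forged' => $forged, 'genuine' => $genuine] as $label => $req) {
    if (!isSameOrigin($req, 'www.supamu.info')) {
        logAttempt($logDir, 'account-creat', $req, $req['HTTP_REFERER'] ?? 'None', 'attacker');
        echo "$label: rejected and logged\n";
    } else {
        echo "$label: accepted\n";
    }
}
```

Run with `php example.php`: the concatenated string shows the injected SQL the post is worried about, the prepared lookup returns 0 rows for the payload and 1 row for alice, the forged request (whose Referer would pass the post's stristr check) is rejected and written to account-creat.txt, and the genuine one is accepted. The Origin/Referer comparison is still a client-supplied heuristic: a client that controls its headers can send the right host, so it belongs alongside a per-session form token rather than in place of one.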