To whoever hacked into my Database
Νίκος Αλεξόπουλος
nikos.gr33k at gmail.com
Sat Nov 9 03:31:28 EST 2013
On 9/11/2013 9:54 AM, Νίκος Αλεξόπουλος wrote:
> On 9/11/2013 9:05 AM, Νίκος Αλεξόπουλος wrote:
>> On 9/11/2013 8:37 AM, Chris Angelico wrote:
>>> On Sat, Nov 9, 2013 at 5:32 PM, Νίκος Αλεξόπουλος
>>> <nikos.gr33k at gmail.com> wrote:
>>>> I'm not saying this out of arrogance but I was really under the
>>>> impression I had secured my script.
>>>>
>>>> And I had, until I made some new changes last night, which I think I
>>>> have corrected now as we speak.
>>>
>>> In other words, you closed off whatever you could see as being a
>>> problem, and then boasted that the script was secure... until someone
>>> proved to you that it wasn't. Your script is insecure by default, and
>>> you're band-aid patching everything you happen to be made aware of.
>>> What makes you think that it's now secure?
>>>
>>> ChrisA
>>>
>>
>>
>> It's probably unwise to post the following snippet of code that validates
>> user input so an attacker wouldn't pass arbitrary values to my script,
>> but what the heck.....
>>
>> ==================================
>> # initiate some local variables
>> htmlvalid = pyvalid = False
>> path = '/home/nikos/public_html/'
>> cgi_path = '/home/nikos/public_html/cgi-bin/'
>>
>> # define how the .html or .python pages are called
>> # this value should come only from .htaccess and not as
>> # http://superhost.gr/~nikos/cgi-bin/metrites.py
>> file = form.getvalue('file')
>> # this value comes from 'index.html' or from within 'metrites.py'
>> page = form.getvalue('page')
>>
>> # is it a python file or an html template?
>> if page and os.path.exists( cgi_path + page ):
>>     pyvalid = True
>> elif os.path.exists( file ):
>>     page = file.replace( path, '' )
>>     htmlvalid = True
>> else:
>>     file = 'forbidden'
>>
>> .....
>> .....
>>
>> if 'forbidden' in file:
>>     print( '''<h2><font color=red>Δεν επιτρέπεται η απευθείας πρόσβαση
>> στο script παρά μόνον μέσω της αρχικής σελίδας! Ανακατεύθυνση σε
>> 5...''' )
>>     print( '''<meta http-equiv="REFRESH"
>> content="5;URL=http://superhost.gr">''' )
>>     sys.exit(0)
>> ==================================
>>
>>
>> Now, when it comes to database insertions I use this check to prevent
>> bogus data:
>>
>> ==================================
>> if cookieID != 'some_secret_here' and ( htmlvalid or pyvalid ) and \
>>     re.search(
>>         r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
>>         host ) is None:
>> ==================================
>>
>> Even if I get re-hacked I'll find a security alternative.
>>
>>
>
>
>
> How on earth did the hacker manage to alter the database again:
>
> http://superhost.gr/?show=stats
>
> I can't ****ing believe it!
>
> He is actually trying to read sensitive stuff from my linux server by
> passing arguments into 'page' variable like '../../../../etc/passwd'
>
> How was he able to pass that info again....?!?!
Okay, mighty one!
Try to do the same thing again and be successful.
I know what you did last summer!
You took advantage of this statement:
if page and os.path.exists( cgi_path + page ):
and managed to pass arbitrary values to page by giving input
of '../../../../etc/passwd', which is actually translated as:
if page and os.path.exists( '/home/nikos/public_html/cgi-bin/' +
'../../../../etc/passwd' ):
So
1. you actually are passing a value to page
2. the value you passed does in fact exist as a
'pathname/to/a/linux/sensitive/file'
I know what I have to do now:
Alter the if to something like:
if page and os.path.isfile( cgi_path + page ) and page should only be
allowed to be an actual file, but only from within the 'cgi-bin' directory.
Hence, I altered the code to this:
if page and os.path.isfile( cgi_path + page ) in os.listdir( cgi_path ):
Try passing bogus values into my database again!
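As an added example (not code from this post or from anyone in the python-list thread), the check below does what the message describes wanting: it accepts `page` only when it names a regular file that lives inside the cgi-bin directory. Both the directory and the candidate are resolved with `os.path.realpath` before the containment test, so `..` segments, absolute paths and symlinks are all resolved first. For comparison it also evaluates the `os.path.exists` test and the `os.path.isfile(...) in os.listdir(...)` line from the post against a constructed temporary directory tree. The directory layout, file names and function names are assumptions made for the example.

```python
import os
import shutil
import tempfile


def resolve_cgi_page(cgi_path, page):
    """Return the real path of `page` if it is a regular file inside
    cgi_path, otherwise None.

    Both sides are canonicalised with realpath so that '..' segments,
    absolute paths and symlinks are resolved before the containment test.
    """
    base = os.path.realpath(cgi_path)
    candidate = os.path.realpath(os.path.join(base, page))
    # The resolved candidate must sit strictly below the resolved base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if candidate == base or not os.path.isfile(candidate):
        return None
    return candidate


def exists_check(cgi_path, page):
    """The original test from the post; cgi_path is assumed to end with '/'."""
    return bool(page) and os.path.exists(cgi_path + page)


def posted_isfile_check(cgi_path, page):
    """The replacement line from the post, evaluated exactly as Python does:
    isfile() returns a bool, and that bool is then tested for membership in
    the list of directory entry names (which are strings)."""
    return bool(page) and os.path.isfile(cgi_path + page) in os.listdir(cgi_path)


def demo():
    """Build a throwaway tree (a constructed sample, not the real server),
    run the checks against it and return the results as a dict."""
    root = tempfile.mkdtemp()
    try:
        cgi_dir = os.path.join(root, 'cgi-bin')
        os.makedirs(cgi_dir)
        with open(os.path.join(cgi_dir, 'metrites.py'), 'w') as fh:
            fh.write('# constructed stand-in for the real script\n')
        # A file outside cgi-bin standing in for a sensitive system file.
        os.makedirs(os.path.join(root, 'etc'))
        outside = os.path.join(root, 'etc', 'passwd')
        with open(outside, 'w') as fh:
            fh.write('constructed sample, nothing sensitive\n')

        cgi_path = cgi_dir + os.sep  # the post's cgi_path has a trailing '/'
        return {
            # exists() on the concatenated string accepts the traversal input
            'exists_accepts_traversal': exists_check(cgi_path, '../etc/passwd'),
            # the hardened check accepts only a regular file below cgi-bin
            'valid_file': resolve_cgi_page(cgi_path, 'metrites.py') is not None,
            'traversal_rejected': resolve_cgi_page(cgi_path, '../etc/passwd') is None,
            'absolute_rejected': resolve_cgi_page(cgi_path, outside) is None,
            'directory_rejected': resolve_cgi_page(cgi_path, '.') is None,
            'empty_rejected': resolve_cgi_page(cgi_path, '') is None,
            'missing_rejected': resolve_cgi_page(cgi_path, 'nope.py') is None,
            # the one-line replacement from the post, run on the legitimate file
            'posted_check_on_valid_file': posted_isfile_check(cgi_path, 'metrites.py'),
        }
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for name, value in demo().items():
        print(f'{name}: {value}')
```

The containment test uses `os.path.commonpath` rather than a string prefix test: a `startswith(base)` check would also accept a sibling directory whose name merely begins with `cgi-bin`. Resolving with `realpath` before comparing is what makes the `..` and absolute-path inputs from the thread collapse to their real location and fail the test.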