flush() already

A function that has been on my ignore-list for quite some time, but not anymore. PHP's function flush() makes sure the output you have generated so far gets sent to the browser. Now, why is this useful? For example, to make it obvious to the end user that your script is still running.

Imagine you have one of those lame "value my site" scripts that connects to the Google PageRank server, Alexa, Yahoo Backlinks and what not. 99% of all such scripts simply connect to all the servers in one go, making the script look frozen for at least a couple of seconds. Statistics show all users leave if your script runs for more than 9.81 seconds (OK, I made that up).

To fix the frozen state, add a flush() call between the connections, for example:

<?php
connectToGoogle();
flush();
connectToAlexa();
?>

The moment the script is finished with connectToGoogle(), it sends the output it has produced so far to the browser and then continues with connectToAlexa(). Not clear enough? Here is my little example:

http://iron.randombase.com/flush.php
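As an added example (not code from the original post): the same idea with a caveat that bites in practice. flush() only pushes what PHP has already handed to the web server; when output buffering is active (the output_buffering ini setting or an ob_start() call) the text is still in PHP's own buffer, so drain that first. The fetch*() functions are placeholders for the post's connectTo*() calls.

```php
<?php
// Added example (not the post's code): progress lines that reach the
// browser between slow steps. fetchGoogle()/fetchAlexa()/fetchYahoo()
// are placeholders for the post's connectTo*() calls.

function fetchGoogle() { sleep(2); return 'done'; }
function fetchAlexa()  { sleep(2); return 'done'; }
function fetchYahoo()  { sleep(2); return 'done'; }

// flush() only pushes what PHP has already handed to the web server. With
// output buffering active (output_buffering ini setting or ob_start()) the
// text is still sitting in PHP's buffer, so drain every level first.
function pushToBrowser()
{
    while (ob_get_level() > 0) {
        ob_end_flush();
    }
    flush();
}

$steps = [
    'Google' => 'fetchGoogle',
    'Alexa'  => 'fetchAlexa',
    'Yahoo'  => 'fetchYahoo',
];

foreach ($steps as $name => $fn) {
    echo 'Checking ', htmlspecialchars($name), '... ';
    pushToBrowser();                 // visible before the slow call starts
    $result = $fn();
    echo htmlspecialchars($result), "<br>\n";
    pushToBrowser();
}
?>
```

A compressing module or a reverse proxy in front of PHP can still hold the bytes until the response ends; that part is outside PHP's control.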

Stupid code: Acronym solver

"Solver" is actually the wrong word; "guesser" is more accurate. It just randomly puts words in place of the letters.

For example, it "solved" laser into:

lack anniversary slave enormous regard

And /dev/iron became:

/ distribution experiment vehicle / insist racism overnight nation

I wrote this code for fun but it has turned out to be maybe the most efficient piece of code I have ever written, which is kind of annoying since it doesn't have any real purpose. The magic link:

http://iron.randombase.com/acronym

str_replace isn’t recursive

It's funny how some people couldn't bend their minds around this exploit challenge. Well, if you don't know how the function works, it's hard to see. But as the post title already says, str_replace() isn't recursive, so it isn't always safe to use as a sanitiser.

When protecting against local file inclusion (LFI), a programmer sometimes tries to block access to parent directories with:

function removeDouble($str)
{
    return str_replace('..','.',$str);
}

Assuming $str never contains more than two consecutive dots, this works, but the moment you pass in "...", the single replacement pass turns it into "..", which is exactly what you need to reach parent directories from the PHP script.

Example:

<?php
function removeDouble($str)
{
return str_replace('..','.',$str);
}
if(file_exists('./'.removeDouble($_GET['page'])))
{
include('./'.removeDouble($_GET['page']));
}
?>

Exploit: index.php?page=.../.../etc/passwd
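As an added example (not from the original post), here is the post's removeDouble() next to a looping variant and a realpath()-based containment check that does what the blacklist was trying to do. The pages directory and the $_GET['page'] handling at the end are assumptions for illustration.

```php
<?php
// Added example (not the post's code): why stripping ".." is not a fix,
// and a containment check to use instead.

// The post's sanitiser: one non-recursive pass over the string.
function removeDouble($str)
{
    return str_replace('..', '.', $str);
}

// Repeating the pass until nothing changes closes the "..." trick, but it
// is still a blacklist: it rewrites the input instead of checking where
// the final path actually ends up.
function removeDoubleLoop($str)
{
    do {
        $before = $str;
        $str    = str_replace('..', '.', $str);
    } while ($str !== $before);
    return $str;
}

// Containment check: resolve the requested file and require that it sits
// inside the pages directory. Returns the absolute path, or null to reject.
function resolvePage($base, $page)
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $page);
    if ($baseReal === false || $target === false) {
        return null;        // base missing, or requested page does not exist
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;        // resolved outside the pages directory
    }
    return $target;
}

// Demonstration with the payload from the post (constructed; no real site).
$payload = '.../.../etc/passwd';
var_dump(removeDouble($payload));      // one pass leaves traversal behind
var_dump(removeDoubleLoop($payload));  // no ".." left, but still a blacklist
var_dump(resolvePage(__DIR__ . '/pages', $payload));  // rejected

// Safe form of the include from the post (pages directory is assumed):
$path = resolvePage(__DIR__ . '/pages', isset($_GET['page']) ? $_GET['page'] : '');
if ($path !== null) {
    include $path;
}
?>
```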

PHP vs Perl

It's comparing apples to oranges, I know. But still, this is quite interesting. When you look at the PHP functions list, you see three filled columns. I took the time to count it all (copy, paste in document, count lines) and got to the result of... 5250. That's right, PHP has 5250 documented functions.

Now, let's take a look at the Perl function list. I could have counted this one almost without a text editor: 209 functions.

So, can PHP do a lot more than Perl? Hell no: Perl was smart enough to divide its detailed functions into modules and extensions. PHP has extensions too (a lot of them are included in that 5250, I know), but many of them ship with the distribution already.

An example: PHP has the built-in function "parse_url()", I'm not kidding. If anyone ever asks me what I believe is the single most useless function in PHP, it's parse_url(). You're not teaching anyone to code by spoon-feeding this junk; in Perl you at least have to write your own functions.

I do agree that writing a complex script is a lot less work in PHP than it is in Perl, but I think PHP could really do without some of the functions it has now...

AV Arcade v3

I don't feel like writing an exploit but I want to point out these lines in validate.php in AV Arcade v3 script:

$userid = $_REQUEST['id'];
$code = $_REQUEST['code'];

$sql = mysql_query("UPDATE ava_users SET activate='1' WHERE id='$userid' AND password='$code'");

So much for awesome security.
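As an added example (not AV Arcade's code), here is that activation query rewritten with a prepared statement so that id and code can no longer change the SQL, plus input validation before the query runs. The table and column names come from the post; $db being a connected mysqli instance, the id column being an integer, and the connection credentials are assumptions.

```php
<?php
// Added example (not AV Arcade code): the activation query from validate.php
// with the values bound as parameters instead of pasted into the SQL text.

function activateUser(mysqli $db, $userid, $code)
{
    // Placeholders keep the values out of the SQL text entirely; the server
    // receives the query shape and the data separately.
    $stmt = $db->prepare(
        "UPDATE ava_users SET activate='1' WHERE id=? AND password=?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 'i' assumes id is an integer column; code stays a string.
    $stmt->bind_param('is', $userid, $code);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed === 1;           // exactly one account was activated
}

// Read from $_GET explicitly rather than $_REQUEST, so a cookie or POST
// field cannot supply the values, and validate the id as an integer.
$userid = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$code   = filter_input(INPUT_GET, 'code');

if ($userid === false || $userid === null || $code === null) {
    http_response_code(400);
    exit('invalid activation link');
}

// Placeholder credentials; replace with the real ones.
$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name');
if ($db->connect_error) {
    http_response_code(500);
    exit('database unavailable');
}

echo activateUser($db, $userid, $code) ? 'account activated' : 'activation failed';
?>
```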

RandomBase comment upgrade

RandomBase.com just received a small upgrade to the comment system for news messages, you can also include your website address now, free backlink!

Wordpress Widget: Time spent on blog

A free thing, isn't it awesome? This little widget shows the total time spent by your users on your blog, with a precision of about two seconds. Your users also get to see how much time they have spent themselves. A demo + download can be found here.

Tested on Internet Explorer 6 and Firefox 3 (RC1).

(before anyone asks: yes, it is based on my previous posts' code)

Waste some time…

Like Javascript? Like AJAX? Like PHP? Well, this application combines them all in one, but it's useless! Awesome!

Hashing your data, twice

I'm writing too much junk apparently, so here is an idea I had that would limit a lot of the damage from SQL injection.

Instead of hashing your passwords with md5($password), or instead of the safer md5(md5($password)), or even instead of md5(md5($password).md5($salt)), why not try md5(base64_encode($password))? It isn't used enough! I'm talking about websites where the source code isn't open to the public (so not any free PHP CMS that hasn't been modified in the password-storing part).

The scenario I'm talking about is the one where your website gets hacked, owned or roflz0rsyousuckpwned through a method that doesn't involve executing system commands, but rather stays on the level of the web application. The first two that come to mind are SQL injection and XSS.

So, the hacker used SQL injection on index.php, like this:

/index.php?id=1' UNION SELECT password FROM userTable

Alright, he has just retrieved a password that is most likely hashed, with SHA1 or MD5 in 90% of cases. If the attacker is dedicated to his job, he'll open up some sweet cracking tool and start cracking it. Now, if you had a weak password, or your co-administrator had one, the attacker will be able to log in. Since the attack didn't involve any source code reading, the attacker will not know how the password was hashed; MD5 was an easy guess since the hash is 32 characters, a-f and 0-9. Double hashing would work well, but thinking on the level of a script kiddie: PasswordsPro cracks this. So, here comes the fun: just hash your password like this (play with it, base64_encode(rot13()) in the middle would be fun too :-) ):

md5(base64_encode($password))

Provided the attacker doesn't have your source code, try this method: even after an attack there won't be a way to recover the password.

Note: this method isn't new, just reminding.
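For comparison, an added example (not the post's code) that puts the scheme above next to a salted, deliberately slow hash. The md5(base64_encode()) scheme only holds while the source stays secret and still gives two users with the same password the same hash; password_hash() and password_verify() (PHP 5.5 and later, so newer than this post) store a random per-user salt inside the hash and cover the same leaked-table scenario without any secret procedure. The sample password is constructed.

```php
<?php
// Added example (not the post's code): the post's scheme beside a salted,
// slow hash. password_hash()/password_verify() exist since PHP 5.5,
// hash_equals() since PHP 5.6.

// The scheme from the post. Still a fast, unsalted MD5: two users with the
// same password get the same hash, and its strength rests on nobody
// learning that base64 is applied first.
function hashObscure($password)
{
    return md5(base64_encode($password));
}

function verifyObscure($password, $stored)
{
    return hash_equals($stored, hashObscure($password));
}

// Per-user random salt plus a deliberately slow algorithm (bcrypt under
// PASSWORD_DEFAULT at the time of writing). The output carries its own salt
// and cost, so nothing about the procedure needs to stay secret, and a
// leaked table costs real work per guess and per user.
function hashStrong($password)
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function verifyStrong($password, $stored)
{
    return password_verify($password, $stored);
}

// Same password hashed twice: identical with the post's scheme, different
// with the salted one, yet both salted hashes verify.
$pw = 'correct horse battery staple';   // constructed sample password
var_dump(hashObscure($pw) === hashObscure($pw));
var_dump(verifyObscure($pw, hashObscure($pw)));
var_dump(hashStrong($pw) === hashStrong($pw));
var_dump(verifyStrong($pw, hashStrong($pw)));
?>
```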

PHP Source Auditor 4 released

All packed up & ready for your enjoyment: PHP Source Auditor 4! So, if you have (most likely) never heard of it, this is the deal:

PSA4 is a Perl script that connects to your local webhost and scans all files (recursively) in the www root, for vulnerabilities. It scans for:

  1. Remote File Inclusion
  2. Remote Command Execution
  3. Remote Code Execution
  4. Cross Site Scripting
  5. SQL injection (very weak scanning on this though)
  6. Local File Inclusion (results sometimes get buggy)

The difference from other scanners is that it can actually tell whether the script is vulnerable or not, since it exploits it on the fly by feeding weird data into the variables. You can download it right here and (for now) nowhere else :).
