str_replace isn’t recursive

It's funny how some people couldn't bend their minds around this exploit challenge. Well, if you don't know how the function works, it's hard to see. But as the post title already says, str_replace() isn't recursive, so on its own it isn't always safe.

When protecting against local file inclusion (LFI), a programmer will sometimes try to block access to parent directories with:

function removeDouble($str)
{
    return str_replace('..', '.', $str);
}

As long as $str never contains more than two consecutive dots this works, but str_replace() makes a single left-to-right pass: feed it "..." and the first two dots become one, the third stays, and the output is "..", exactly the sequence needed to climb out of the directory the PHP script reads from.

Example:

<?php
function removeDouble($str)
{
    return str_replace('..', '.', $str);
}
if (file_exists('./' . removeDouble($_GET['page'])))
{
    include('./' . removeDouble($_GET['page']));
}
?>

Exploit: index.php?page=.../.../etc/passwd
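The following is an added example, not code from the original post. It keeps the post's removeDouble() for comparison, adds a version that repeats the replacement until nothing changes, and then shows the check a practitioner would rely on instead: resolving the final path with realpath() and confirming it stays inside the directory the script serves from. The function names removeDoubleRepeat() and safeIncludePath() are my own; the payload is the exploit string from the post.

```php
<?php
// Added example, not code from the original post. It keeps the post's
// removeDouble() for comparison and adds two alternatives.

// The filter from the post. str_replace() makes a single left-to-right
// pass, so "..." loses one dot and comes out as "..".
function removeDouble(string $str): string
{
    return str_replace('..', '.', $str);
}

// Repeat the replacement until the string stops changing. This closes the
// "..." hole, but it says nothing about absolute paths or other tricks, so
// it is still not a sufficient check on its own.
function removeDoubleRepeat(string $str): string
{
    do {
        $before = $str;
        $str = str_replace('..', '.', $str);
    } while ($str !== $before);
    return $str;
}

// The check a practitioner would use instead: resolve the final path and
// confirm it lies inside the directory the script is meant to serve from.
// Returns the resolved path, or null if the file does not exist or sits
// outside $baseDir.
function safeIncludePath(string $baseDir, string $page): ?string
{
    $base   = realpath($baseDir);
    $target = realpath($baseDir . '/' . $page);
    if ($base === false || $target === false) {
        return null;
    }
    // Compare including the trailing separator so that "/var/www/pages2"
    // is not accepted as lying inside "/var/www/pages".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

$payload = '.../.../etc/passwd';   // the exploit string from the post
echo "removeDouble:       ", removeDouble($payload), "\n";
echo "removeDoubleRepeat: ", removeDoubleRepeat($payload), "\n";
echo "safeIncludePath:    ", var_export(safeIncludePath(__DIR__, $payload), true), "\n";
```

Run it with the php CLI from any directory: the single-pass filter turns the payload into ../../etc/passwd, the looping version reduces it to ././etc/passwd, and safeIncludePath() returns null because the resolved path is not under the script's directory, however many dots were used. In real code an allow-list of page names is simpler and stronger than either string filter; the realpath() check is the fallback when the set of pages is not fixed. Nullable return types need PHP 7.1 or later.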

Why I don’t have an antivirus or firewall

Companies like Norton and McAfee charge a hell of a lot of money for software that makes sure your computer is unstable, without performance, ruins your experience whenever you are trying a new application or just blocks you out the moment you try to uninstall it. These companies have the nerve to name things w32.evilthing.worm or something while their own piece of junk is probably more harmful than the things they attempt to remove.

Let's face it, the software the average computer user buys to "protect" his/her computer is way too primitive and resource demanding. They are known to be full of bugs, extremely easy to hide from as a piece of malware, and best of all: you can't control shit about them (Norton has maybe twenty configuration options; try making it not start up when Windows does).

But there are more reasons I don't have their junk products: I just don't need them. When I receive a mail from this beautiful Polish lady who would love to chat with me through her very own chat client, which is of course included as chat.exe, I realise she is just not right for me. Or when someone advises me to go back to Internet Explorer 4 because it has more advanced features, I might question that person's intelligence (for two reasons: recommending Internet Explorer and recommending an older version).

After that, there are still two methods of not getting annoyed by malware or attacks. A good method I use is simply misconfiguring your router so that it doesn't accept any reverse connections except HTTP and some other protocols. The second method is the one I'd recommend to everyone: try not to make too many enemies, because not all virus mails you get are unsolicited spam mails...

The ultimate captcha

Finally the antispam industry came up with something that works: instead of creating an unreadable image with words going all over the place, create something that only humans can recognise. The most famous example is "the RapidShare cats". A poll on our homepage showed about 80% hated them, but they have no idea what poor RapidShare is going through with the captcha crackers.

A common question is "why not just show two pictures, a cat and a dog, and make the human user select which is which?". The answer is simple: if spammers have a success rate over 5%, they consider it profitable, and a two-way choice hands them 50% by guessing alone. So that's why they combined it with the old text-based captcha.

Personally, I believe the idea is awesome, but the realisation could have been better and, as usual, less annoying for the end user. Maybe they should try a rotating system that shows different types of captchas all the time?

Making stuff undetectable

This has always been a hot topic on forums and will be one for a long time: how do I make X undetectable for virus scanner Y? This is actually quite simple.

There are two main ways a virus scanner "scans":

  1. It checks for a certain byte string (a signature) in the file
  2. It checks the behaviour of the file (e.g. writing to a specific location in the registry or file system)

So, this means you need to protect your program in two ways, by:

  1. Changing the bytes a signature matches on. For a binary, adding even the slightest piece of code changes the file; for scripts, wrap the code in an encoding such as base64, as many layers as you want.
  2. Changing its behaviour. This can be done in lots of ways: make the install location random, use different registry settings, bind it to other applications..

Does this only apply to malware? Definitely not. Your application or script can end up on an antivirus blacklist far faster than you might think (RealPlayer, for example, but they really deserved it), and the process of getting off it again is long and will cost you a lot of users.

AV Arcade v3

I don't feel like writing an exploit, but I want to point out these lines in validate.php of the AV Arcade v3 script:

$userid = $_REQUEST['id'];
$code = $_REQUEST['code'];

$sql = mysql_query("UPDATE ava_users SET activate='1' WHERE id='$userid' AND password='$code'");

Both values come straight from $_REQUEST and are dropped into the query unescaped, so anyone can activate any account, or rewrite the WHERE clause entirely. So much for security.
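To make the problem concrete, here is an added example that is not part of AV Arcade. It reproduces the shape of the validate.php query against an in-memory SQLite database through PDO, which stands in for the script's MySQL table; the table layout, the activation codes, the row count and the function names are assumptions made for the demonstration. The vulnerable version interpolates the request values exactly as the original does; the fixed version binds them as parameters.

```php
<?php
// Added example, not part of AV Arcade. SQLite via PDO stands in for the
// MySQL table; the schema and rows below are constructed for the demo.

function setUpUsers(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ava_users (id INTEGER PRIMARY KEY, password TEXT, activate TEXT)');
    // Two pending accounts whose activation codes the attacker does not know.
    $db->exec("INSERT INTO ava_users VALUES (1, 'c0de1', '0'), (2, 'c0de2', '0')");
    return $db;
}

// The pattern from validate.php: request values pasted straight into SQL.
// Returns the number of rows the UPDATE touched.
function activateVulnerable(PDO $db, string $userid, string $code): int
{
    return $db->exec("UPDATE ava_users SET activate='1' WHERE id='$userid' AND password='$code'");
}

// The same update with bound parameters: quotes in the input stay data.
function activateSafe(PDO $db, string $userid, string $code): int
{
    $stmt = $db->prepare('UPDATE ava_users SET activate = ? WHERE id = ? AND password = ?');
    $stmt->execute(['1', $userid, $code]);
    return $stmt->rowCount();
}

function countActivated(PDO $db): int
{
    return (int) $db->query("SELECT COUNT(*) FROM ava_users WHERE activate='1'")->fetchColumn();
}

// An attacker who never saw an activation code closes the quote and makes
// the WHERE clause always true:
//   ... WHERE id='1' AND password='' OR '1'='1'
$payload = "' OR '1'='1";

$db = setUpUsers();
$touched = activateVulnerable($db, '1', $payload);
printf("vulnerable: %d rows updated, %d accounts activated\n", $touched, countActivated($db));

$db = setUpUsers();
$touched = activateSafe($db, '1', $payload);
printf("prepared:   %d rows updated, %d accounts activated\n", $touched, countActivated($db));
```

With the interpolated query the payload activates every account in the table; with the prepared statement the same input is compared literally against the password column, matches nothing, and activates no one. Needs the pdo_sqlite extension, which ships with most PHP builds.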

Couple of exploit challenges

Everyone loves challenges (at least I do), so here are some for you. They all involve bypassing some sort of filter or doing something very basic; don't expect anything hard here. It's all very obvious; maybe the admin password one will make you stare at your screen for a couple of minutes, not more if you're used to this kind of thing.

Feel free to contact me by commenting on this post about ideas, bugs, poor recognition or solutions you proudly found to the made-up problems.

Hashing your data, twice

I'm writing too much junk apparently, so here is an idea I had that would limit the damage from a lot of SQL injections.

Instead of hashing your passwords with md5($password), or the safer md5(md5($password)), or even md5(md5($password).md5($salt)), why not try md5(base64_encode($password))? It's not used enough! I'm talking about websites whose source code isn't open to the public (which rules out any free PHP CMS that hasn't been modified on the password-storing side).

The scenario I'm talking about is the one where your website gets hacked, owned or roflz0rsyousuckpwned through a method that doesn't involve executing system commands but stays on the level of the web application. The first two off the top of my head are SQL injection and XSS.

So the attacker used SQL injection on index.php, like this:

/index.php?id=1' UNION SELECT password FROM userTable

Alright, he has just retrieved a password that, in 90% of cases, is hashed with SHA1 or md5. If the attacker is dedicated, he opens up some sweet cracking tool and starts reversing it; if you or your co-administrator had a weak password, he will be able to log in. But since the attack didn't involve reading any source code, he doesn't know how the password was hashed. Plain md5 was an easy guess because the hash is 32 characters from a-f and 0-9. Double hashing helps a little, but thinking on the level of a script kiddie: PasswordsPro cracks that out of the box. So here comes the fun: just hash your password like this (play with it; base64_encode(rot13()) in the middle would be fun too :-) ):

md5(base64_encode($password))

Provided the attacker doesn't have your source code, this method means that even after a dump the usual tools won't recover the password. Be clear about what it rests on, though: the transform staying secret. The moment the source leaks, or the attacker simply tries a few common encodings, it is plain md5 again, and md5 itself is fast enough to brute-force either way.

Note: this method isn't new, just reminding.
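As an added example (not code from the post), the following PHP shows both sides of the trade: the scheme does stop a cracker that only knows plain md5, but an attacker who adds the post's own transforms to the candidate list cracks the same weak password immediately. It then shows the approach that does not depend on secrecy of the algorithm, PHP's password_hash(), which stores a random salt and a cost factor inside the hash. The function names obscuredHash(), candidateSchemes() and crackHash() and the four-word wordlist are constructed for the demonstration; arrow functions need PHP 7.4 or later.

```php
<?php
// Added example, not code from the original post. Shows why the
// md5(base64_encode($password)) trick only buys time: once the attacker
// guesses the transform, a dictionary attack runs exactly as before.

// The scheme from the post.
function obscuredHash(string $password): string
{
    return md5(base64_encode($password));
}

// Transforms an attacker tries when a dump does not crack as plain md5.
// The last two are the ones the post itself suggests.
function candidateSchemes(): array
{
    return [
        'md5'                => fn(string $p) => md5($p),
        'md5(md5)'           => fn(string $p) => md5(md5($p)),
        'md5(base64)'        => fn(string $p) => md5(base64_encode($p)),
        'md5(base64(rot13))' => fn(string $p) => md5(base64_encode(str_rot13($p))),
    ];
}

// Try every (scheme, word) pair against one leaked hash. Returns the
// scheme name and the password on success, null otherwise.
function crackHash(string $leaked, array $wordlist): ?array
{
    foreach (candidateSchemes() as $name => $scheme) {
        foreach ($wordlist as $word) {
            if (hash_equals($leaked, $scheme($word))) {
                return [$name, $word];
            }
        }
    }
    return null;
}

// Constructed wordlist; "letmein" is the weak password from the scenario.
$wordlist = ['123456', 'password', 'letmein', 'qwerty'];
$leaked   = obscuredHash('letmein');

// A cracker that only knows plain md5 fails...
$plainOnly = array_filter($wordlist, fn($w) => md5($w) === $leaked);
printf("plain md5 only: %s\n", $plainOnly ? 'cracked' : 'not cracked');

// ...but one that includes the encoded variants does not.
printf("with guessed transforms: %s\n", var_export(crackHash($leaked, $wordlist), true));

// The fix that does not rely on secrecy: a salted, deliberately slow hash.
// password_hash() (PHP 5.5+) stores salt and cost inside the returned string,
// so a dumped table gives the attacker no shortcut and no shared salt.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
printf("password_verify(correct): %s\n", var_export(password_verify('letmein', $stored), true));
printf("password_verify(wrong):   %s\n", var_export(password_verify('letmeim', $stored), true));
```

crackHash() comes back with the pair md5(base64) and letmein: the extra transform cost the attacker one more loop, nothing else. A per-user random salt plus a slow hash is what makes a weak password expensive to recover from a dump, whether or not the attacker has the source.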

PHP Source Auditor 4 released

All packed up and ready for your enjoyment: PHP Source Auditor 4! If you have (most likely) never heard of it, this is the deal:

PSA4 is a Perl script that connects to your local web host and recursively scans all files in the www root for vulnerabilities. It scans for:

  1. Remote File Inclusion
  2. Remote Command Execution
  3. Remote Code Execution
  4. Cross Site Scripting
  5. SQL injection (very weak scanning on this though)
  6. Local File Inclusion (results sometimes get buggy)

The difference from other scanners is that it can actually tell whether a script is vulnerable, since it exploits it on the fly by feeding odd data into the variables. You can download it right here and (for now) nowhere else :).

Just iron() it

No, I'm not talking about ironing clothes, but about my very own algorithm. It's not that special, seems to produce a lot of duplicates, and is quite reversible (credits to sraeG for reversing it in a challenge). I might write a completely new, more advanced one. Source code is in PHP:

function iron($nr, $method = 'numeric')
{
    // Split the input into single characters.
    $chrs = preg_split('//', $nr, -1, PREG_SPLIT_NO_EMPTY);
    $d = '';
    foreach ($chrs as $c)
    {
        // Each character contributes half its byte value, rounded.
        $v = round(ord($c) / 2);
        if (substr($d, -2, 2) == $v)
        {
            // Same value as the previous two digits: append its square instead.
            $d .= $v * $v;
        }
        else
        {
            $d .= $v;
        }
    }
    // Compared case-insensitively so that iron("string", "ASCII") works too.
    switch (strtolower($method))
    {
        case 'ascii':
            // Walk the digit string two digits at a time, left to right,
            // and turn each pair (or the odd trailing digit) into a character.
            $char = '';
            for ($i = strlen($d); $i > 0; $i -= 2)
            {
                $char .= chr((int) substr($d, -$i, 2));
            }
            break;
        default:
            $char = $d;
            break;
    }
    return $char;
}

Usage is as simple as iron("string", "ascii") for ASCII output (recommended only if you hash it with another algorithm afterwards) or iron("string", "numeric") for the normal numeric output. Online hasher is here.
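The duplicates mentioned above have a simple cause, shown here in an added example that is not part of the iron() code: every input byte is reduced to round(ord($c) / 2) before anything else happens, and that mapping sends two neighbouring byte values to the same number. The helper names ironCollisionClasses() and ironAmbiguousCharacters() are my own.

```php
<?php
// Added example, not part of the original iron() code. It shows where the
// duplicates come from: each input byte is reduced to round(ord($c) / 2),
// and that mapping sends two neighbouring bytes to the same value.

// Group the printable ASCII range by the value iron() derives from each byte.
function ironCollisionClasses(): array
{
    $classes = [];
    for ($b = 32; $b <= 126; $b++) {
        $classes[(int) round($b / 2)][] = chr($b);
    }
    return $classes;
}

// How many of the 95 printable characters share their value with another
// character, i.e. cannot be told apart in iron()'s output.
function ironAmbiguousCharacters(): int
{
    $n = 0;
    foreach (ironCollisionClasses() as $chars) {
        if (count($chars) > 1) {
            $n += count($chars);
        }
    }
    return $n;
}

foreach (ironCollisionClasses() as $value => $chars) {
    if (count($chars) > 1) {
        printf("%3d <- %s\n", $value, implode(' ', $chars));
    }
}
printf("%d of 95 printable characters share their value with a neighbour\n",
       ironAmbiguousCharacters());
```

Because PHP's round() rounds halves away from zero, 'a' (97) and 'b' (98) both become 49, 'c' and 'd' both become 50, and so on: every printable character except the space collides with its neighbour, so iron("a") equals iron("b") and the output loses roughly one bit per character before the square-on-repeat rule ever applies. That, rather than the squaring, is why the function is so easy to reverse.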

IM spam?

Seems like they either cracked the Hotmail captcha or hired a hell of a lot of Chinese people to register accounts for spamming purposes, but it sure is annoying.

I can imagine this will be a huge success for the spammers because of the personal approach, much more so than e-mail spam, I guess.
