To whoever hacked into my Database

Νίκος Αλεξόπουλος nikos.gr33k at gmail.com
Sat Nov 9 08:54:29 CET 2013


Στις 9/11/2013 9:05 πμ, ο/η Νίκος Αλεξόπουλος έγραψε:
> Στις 9/11/2013 8:37 πμ, ο/η Chris Angelico έγραψε:
>> On Sat, Nov 9, 2013 at 5:32 PM, Νίκος Αλεξόπουλος
>> <nikos.gr33k at gmail.com> wrote:
>>> I'am not saying out of arrogance but i was really under the
>>> impression i had
>>> secure my script.
>>>
>>> And i had until i made some new changes last night, which i think i have
>>> corrected now as we speak.
>>
>> In other words, you closed off whatever you could see as being a
>> problem, and then boasted that the script was secure... until someone
>> proved to you that it wasn't. Your script is insecure by default, and
>> you're band-aid patching everything you happen to be made aware of.
>> What makes you think that it's now secure?
>>
>> ChrisA
>>
>
>
> Its probably unwise to post the following snippet of code that validates
> user input so an attacker wouldn't pass arbitrary values to my script
> but what the heck.....
>
> ==================================
> # initiate some local variables
> htmlvalid = pyvalid = False
> path = '/home/nikos/public_html/'
> cgi_path = '/home/nikos/public_html/cgi-bin/'
>
> # define how the .html or .python pages are called
> file = form.getvalue('file')            # this value should come only
> from .htaccess and not as http://superhost.gr/~nikos/cgi-bin/metrites.py
> page = form.getvalue('page')            # this value comes from
> 'index.html' or from within 'metrites.py'
>
> # is it a python file or an html template?
> if page and os.path.exists( cgi_path + page ):
>      pyvalid = True
> elif os.path.exists( file ):
>      page = file.replace( path, '' )
>      htmlvalid = True
> else:
>      file = 'forbidden'
>
> .....
> .....
>
> if 'forbidden' in file:
>      print( '''<h2><font color=red>Δεν επιτρέπεται η απευθείας πρόσβαση
> στο script παρά μόνον μέσω της αρχικής σελίδας!    Ανακατεύθυνση σε
> 5...''' )
>      print( '''<meta http-equiv="REFRESH"
> content="5;URL=http://superhost.gr">''' )
>      sys.exit(0)
> ==================================
>
>
> Now, when it comes to database insertions i use this check to prevent
> bogus data:
>
> ==================================
> if cookieID != 'some_secret_here' and ( htmlvalid or pyvalid ) and
> re.search(
> r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
> host ) is None:
> ==================================
>
> Even if i get re-hacked i'll find a security alternative.
>
>



How on earth did the hacker managed to alter the database again:

http://superhost.gr/?show=stats

i can't ****ing believe it!

He is actually trying to read sensitive stuff from my linux server by 
passing arguments into 'page' variable like '../../../../etc/passwd'

How was he able to pass that info again....?!?!







More information about the Python-list mailing list