To whoever hacked into my Database

Νίκος Αλεξόπουλος nikos.gr33k at gmail.com
Sat Nov 9 09:31:28 CET 2013


Στις 9/11/2013 9:54 πμ, ο/η Νίκος Αλεξόπουλος έγραψε:
> Στις 9/11/2013 9:05 πμ, ο/η Νίκος Αλεξόπουλος έγραψε:
>> Στις 9/11/2013 8:37 πμ, ο/η Chris Angelico έγραψε:
>>> On Sat, Nov 9, 2013 at 5:32 PM, Νίκος Αλεξόπουλος
>>> <nikos.gr33k at gmail.com> wrote:
>>>> I'am not saying out of arrogance but i was really under the
>>>> impression i had
>>>> secure my script.
>>>>
>>>> And i had until i made some new changes last night, which i think i
>>>> have
>>>> corrected now as we speak.
>>>
>>> In other words, you closed off whatever you could see as being a
>>> problem, and then boasted that the script was secure... until someone
>>> proved to you that it wasn't. Your script is insecure by default, and
>>> you're band-aid patching everything you happen to be made aware of.
>>> What makes you think that it's now secure?
>>>
>>> ChrisA
>>>
>>
>>
>> Its probably unwise to post the following snippet of code that validates
>> user input so an attacker wouldn't pass arbitrary values to my script
>> but what the heck.....
>>
>> ==================================
>> # initiate some local variables
>> htmlvalid = pyvalid = False
>> path = '/home/nikos/public_html/'
>> cgi_path = '/home/nikos/public_html/cgi-bin/'
>>
>> # define how the .html or .python pages are called
>> file = form.getvalue('file')            # this value should come only
>> from .htaccess and not as http://superhost.gr/~nikos/cgi-bin/metrites.py
>> page = form.getvalue('page')            # this value comes from
>> 'index.html' or from within 'metrites.py'
>>
>> # is it a python file or an html template?
>> if page and os.path.exists( cgi_path + page ):
>>      pyvalid = True
>> elif os.path.exists( file ):
>>      page = file.replace( path, '' )
>>      htmlvalid = True
>> else:
>>      file = 'forbidden'
>>
>> .....
>> .....
>>
>> if 'forbidden' in file:
>>      print( '''<h2><font color=red>Δεν επιτρέπεται η απευθείας πρόσβαση
>> στο script παρά μόνον μέσω της αρχικής σελίδας!    Ανακατεύθυνση σε
>> 5...''' )
>>      print( '''<meta http-equiv="REFRESH"
>> content="5;URL=http://superhost.gr">''' )
>>      sys.exit(0)
>> ==================================
>>
>>
>> Now, when it comes to database insertions i use this check to prevent
>> bogus data:
>>
>> ==================================
>> if cookieID != 'some_secret_here' and ( htmlvalid or pyvalid ) and
>> re.search(
>> r'(amazon|google|proxy|cloud|reverse|fetch|msn|who|spider|crawl|ping)',
>> host ) is None:
>> ==================================
>>
>> Even if i get re-hacked i'll find a security alternative.
>>
>>
>
>
>
> How on earth did the hacker managed to alter the database again:
>
> http://superhost.gr/?show=stats
>
> i can't ****ing believe it!
>
> He is actually trying to read sensitive stuff from my linux server by
> passing arguments into 'page' variable like '../../../../etc/passwd'
>
> How was he able to pass that info again....?!?!

Okey mighty one!

Try to do the same thing again and be successfull.

i know what you did last summer!

You took advantage of this is statemnt:

if page and os.path.exists( cgi_path + page ):

and manages to pass arbitrary values to page by giving input

of '../../../../etc/passwd' ehich is actually translated as:


if page and os.path.exists( '/home/nikos/public_html/cgi-bin/' + 
'../../../../etc/passwd' ):

So

1. you actually are passign a value to page
2. you passed value is in fact exist as a 
'pathname/to/a/linux/sensitive/file'


I know what i have to do now:

Alter the if to soemthing like:

if page and os.path.isfile( cgi_path + page ) and page should only 
allowed to be an actual file but only from within the 'cgi-bin' directory.

Hence, i altered the code to this:

if page and os.path.isfile( cgi_path + page ) in os.listdir( cgi_path ):

Try pass bogus values again into my database!




More information about the Python-list mailing list