Help Required Immediately - URGENT

I'm having problems with people uploading shell hacking scripts on my replay uploader; they are hacking my website each and every time.

Here is my script
http://pastebin.com/JfhBFugN

Currently my website is down until I resolve this issue.

My webhost said : "Restrict file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.w3g. "

I don't know how, please fix my script so that it only allows the upload of ".w3g" files, with no way for someone to bypass it.

Thank you a lot!

Just post the code on this site and I will take a look at it. I am not going to create a pastebin account to troubleshoot your code.

[code]<?php

/******************************************************************************

Last revision:

******************************************************************************/

?>

Ranked Gaming Parser Logo
      <td style="height:40px">

	      <a class="menuButtons" href="index.php">Upload Replay</a>

			&nbsp;

          <a class="menuButtons" href="replaydb.php">Replay Database</a>  

                            &nbsp;

          <a class="menuButtons" href="http://www.mymgn.com/board/forumdisplay.php?f=709">RGC Forums</a> 

 

          <a class="menuButtons" href="http://shop.rankedgaming.com/shop/">RGC Shop</a> 

 

          <a class="menuButtons" href="http://stats.rankedgaming.com/stats/channel.php?c=19">RGC Stats</a> 

      </td>

  </tr>

DotA Replay Parser - Upload Replay

<?php
$print_info = false;
define("MAX_UPLOAD_SIZE", 3000000);

// Upload a file
if (isset($_POST['uploadReplay'])) {
    if (!isset($_FILES['replay_file']) || !isset($_POST['replay_title']) || !isset($_POST['replay_winner']) || !isset($_POST['replay_text'])) {
        echo 'Error: Make sure you\'ve filled out all the fields.';
    } else {
        $title  = htmlspecialchars(trim($_POST['replay_title']));
        $winner = htmlspecialchars(trim($_POST['replay_winner']));
        $text   = htmlspecialchars(trim($_POST['replay_text']));

        // Check that we have a file
        $replayUploaded = false;
        $replayFile = "";
        if ((!empty($title) && !empty($winner) && !empty($_FILES["replay_file"])) && ($_FILES['replay_file']['error'] == 0)) {
            // Check that the file name ends in ".w3g" and that the file is smaller than MAX_UPLOAD_SIZE
            $filename = basename($_FILES['replay_file']['name']);
            $ext = substr($filename, strrpos($filename, '.') + 1);
            $uniqueID = time();
            if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) {
                // Determine the path to which we want to save this file
                $newname = dirname(__FILE__).'/replays/'.$uniqueID.'.'.$ext;
                // Check if a file with the same name already exists on the server
                if (!file_exists($newname)) {
                    // Attempt to move the uploaded file to its new place
                    if (move_uploaded_file($_FILES['replay_file']['tmp_name'], $newname)) {
                        $replayFile = $uniqueID.'.'.$ext;
                        $replayUploaded = true;
                    } else {
                        print_message("Error: A problem occurred during file upload!");
                    }
                } else {
                    print_message("Error: File ".$_FILES["replay_file"]["name"]." already exists");
                }
            } else {
                print_message("Error: Only .w3g replays under 3 MB are accepted for upload");
            }
        } else {
            print_message("Error: Make sure you've filled out all the fields");
        }

        // If the replay was uploaded successfully, process it
        if ($replayUploaded) {
            @require("reshine.php");
            require('replay_saver.php');
            $replay = new replay('replays/'.$replayFile);
            $replay->extra['title'] = $title;
            /* Determine the winner
             * If the uploader chose "Automatic" then check if the parser was able to determine a winner,
             * otherwise the winner is set to "Unknown"
             * Alternatively the uploader can set the winner manually */
            if ("Automatic" != $winner) {
                $replay->extra['winner'] = ($winner == "Sentinel" ? "Sentinel" : "Scourge");
            } else if (isset($replay->extra['parsed_winner'])) {
                $replay->extra['winner'] = $replay->extra['parsed_winner'];
            } else {
                $replay->extra['winner'] = "Unknown";
            }
            $replay->extra['text'] = $text;
            $replay->extra['original_filename'] = $filename;

            // Save the serialized replay object next to the replay file
            $txt_file = fopen('replays/'.$replayFile.'.txt', 'a');
            flock($txt_file, LOCK_EX);
            fwrite($txt_file, serialize($replay));
            flock($txt_file, LOCK_UN);
            fclose($txt_file);

            if ($replay->extra['parsed'] == false) {
                // Replay not parsed
            } else {
                // Replay saved, display the link.
                // Create replay saver object
                $replaysaver = new replaysaver($title, $text, $replayFile);
                // Call save method
                $replaysaver->saveData();
                print_message('Replay uploaded successfully. View details ');
                $print_info = true;
            }
        }
    }
}

function print_message($msg) {
    echo "\n";
    echo $msg;
    echo "\n";
}
?>
<div class="content" style="width: 99%;">



    <form enctype="multipart/form-data" action="index.php" method="post">

    <fieldset>

      <label for="replay_title" >Title*: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</label><input name="replay_title" id="replay_title" type="text" />

      <br />

      <label for="replay_winner" >Winner: &nbsp;&nbsp;&nbsp;&nbsp;</label>

        <select name="replay_winner" id="replay_winner">

            <option value="Automatic">Automatic </option>

            <option value="Sentinel">Sentinel </option>

            <option value="Scourge">Scourge </option>

        </select>

      <br />

      <label for="replay_text" style="vertical-align: top;" >Description: </label>

      <textarea name="replay_text" id="replay_text" cols="65"></textarea>

      <br />

      <input type="hidden" name="MAX_FILE_SIZE" id="MAX_FILE_SIZE" value="3000000" />

      <label for="replay_file" >File*: </label><input name="replay_file" id="replay_file" type="file" />

      <input type="submit" value="Upload" name="uploadReplay" />

    </fieldset>

  </form>    


DotA 6.75 is now fully supported !



There are currently

<?php
$directory = "/home/rgc123/public_html/replays/";
// Count the stored replays once instead of calling glob() twice
$replays = glob($directory . "*.w3g");
echo ($replays !== false) ? count($replays) : 0;
?>

DotA replays in our database and counting!





</div>

© 2012 Made by BitchGotRaped


[/code]

Check the extension using $_FILES['replay_file']['type'], not the name variable; this should eliminate your issues.

The “type” does not exist in the script, help me out please.

http://www.php.net/manual/en/features.file-upload.post-method.php

$_FILES['userfile']['type']
The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.

How can I add that to my script ?
I want to just let the uploader upload “.w3g” files so type should be

file/w3g ?

try

application/w3g

I don't know how to add that to my script ... ??? :-\

This line [php]if (($ext == "w3g") && $_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE) {
[/php]

should look something like this

[php]if (($_FILES['replay_file']['type']) == "application/w3g") && ($_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE)) {
[/php]

Parse error: syntax error, unexpected T_BOOLEAN_AND in /home/rgc123/public_html/index.php on line 94

what is on line 94?

This one

if (($_FILES['replay_file']['type']) == "application/w3g") && ($_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE)) {

It did not work; it caused the error I showed you. Listen, do you by any chance have Skype, so we can chat faster?

You have an error on that line. Remove the bracket after $_FILES['replay_file']['type']

if (($_FILES['replay_file']['type'] == "application/w3g") && ($_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE))

Here it is corrected.
[php]if (($_FILES['replay_file']['type'] == "application/w3g") && ($_FILES["replay_file"]["size"] < MAX_UPLOAD_SIZE)) {
[/php]

I got the following error:

Error: Only .w3g replays under 3 MB are accepted for upload

Good! That is your error message!

What I mean is that is what it is supposed to say when you upload a file larger than 3 MB, which apparently you did, or there is something wrong with your if if if if if if then statement.

Nope, I'm uploading a .w3g file and it gave me that error -,-

If the FILE is larger than 3 MB in size you will get that error! Your script checks file sizes and type, remember!
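The whitelist the webhost asked for and the $_FILES['type'] discussion above are two sides of the same validator, so here is one worked version of it. This is an added example, not the posted script or anything from the RGC site; it replaces only the extension/size block of the posted index.php and still expects the posted print_message() function to exist. Two points from the thread it addresses: $_FILES['replay_file']['type'] is whatever the browser chose to send (the PHP manual text quoted above says it is not checked on the PHP side; for an extension the browser does not know, that is usually "application/octet-stream", which is why a genuine .w3g upload can fail an == "application/w3g" test), so the example never reads it; and checking only the text after the last dot lets "x.php.w3g"-style names through, so the whole name is matched against a single-extension whitelist instead. Assumptions, in addition to the form field name "replay_file" and the ./replays directory from the posted code: PHP 7 or later (for random_bytes), and that a real Warcraft III replay starts with the 28-byte header "Warcraft III recorded game\x1A\0", as given in the community w3g format description (check it against a known-good replay before relying on it).

```php
<?php
// Added example: hardened replacement for the extension/size check in the
// posted index.php. Assumes the posted print_message() is defined, the form
// field is "replay_file", replays live in ./replays, and PHP >= 7.
define('MAX_UPLOAD_SIZE', 3000000);
define('REPLAY_DIR', __DIR__ . '/replays');
// Assumed w3g header (from the community w3g format description).
define('W3G_MAGIC', "Warcraft III recorded game\x1A\x00");

/**
 * Validate one $_FILES entry and move it into REPLAY_DIR under a
 * server-chosen name. Returns the stored file name, or throws a
 * RuntimeException whose message is safe to show to the uploader.
 */
function store_replay(array $file)
{
    // 1. PHP's own verdict on the upload (missing, partial, over ini limits).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Error: No file was uploaded.');
    }
    // 2. Only touch a file PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Error: Invalid upload.');
    }
    // 3. Size, taken from the server-side value (the hidden MAX_FILE_SIZE
    //    form field is advisory and is also under the client's control).
    if ($file['size'] <= 0 || $file['size'] >= MAX_UPLOAD_SIZE) {
        throw new RuntimeException('Error: Only .w3g replays under 3 MB are accepted for upload.');
    }
    // 4. Whitelist the whole name, not just the part after the last dot:
    //    a limited character set, exactly one extension, case-insensitive.
    //    "game.php.w3g", "game.w3g.php" and ".w3g" all fail this test.
    $name = basename($file['name']);
    if (!preg_match('/\A[A-Za-z0-9_ \-]{1,100}\.w3g\z/i', $name)) {
        throw new RuntimeException('Error: Only .w3g replays are accepted for upload.');
    }
    // 5. Content check. $file['type'] is ignored entirely; the first bytes of
    //    the file on disk are compared with the expected replay header.
    $fh = fopen($file['tmp_name'], 'rb');
    $head = ($fh !== false) ? fread($fh, strlen(W3G_MAGIC)) : false;
    if ($fh !== false) {
        fclose($fh);
    }
    if ($head !== W3G_MAGIC) {
        throw new RuntimeException('Error: The file is not a Warcraft III replay.');
    }
    // 6. Store under a random name chosen here, with a fixed ".w3g" suffix;
    //    the uploader's name is kept only as metadata by the caller.
    $stored = bin2hex(random_bytes(8)) . '.w3g';
    $target = REPLAY_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Error: A problem occurred during file upload!');
    }
    chmod($target, 0644); // readable, never executable
    return $stored;
}

// Usage, in place of the $ext / MAX_UPLOAD_SIZE block of the posted script:
if (isset($_POST['uploadReplay']) && isset($_FILES['replay_file'])) {
    try {
        $replayFile = store_replay($_FILES['replay_file']);
        // ... continue with: $replay = new replay('replays/' . $replayFile);
    } catch (RuntimeException $e) {
        print_message(htmlspecialchars($e->getMessage()));
    }
}
```

The order matters: the cheap checks (upload status, size, name) run before the file is opened, and nothing is moved into the web-served replays directory until every check has passed. Independently of this code, the replays directory should not be allowed to run scripts at all (on a mod_php/Apache host, for example, "php_flag engine off" in an .htaccess file inside it), so that a validation bug does not immediately become code execution again.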
