Hi everyone,

How can I send data to a page (communicate directly with a web server) without using any browser (Opera, Firefox, ...)? I just heard something about telnet and I don't know any more about it. Example:

* *

    $ telnet example.org 80
    Trying 192.0.34.166...
    Connected to example.org (192.0.34.166).
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: example.org

    HTTP/1.1 200 OK
    Date: Sat, 21 May 2005 12:34:56 GMT
    Server: Apache/1.3.31 (Unix)
    Accept-Ranges: bytes
    Content-Length: 410
    Connection: close
    Content-Type: text/html

    <html>
    <head>
    <title>Example Web Page</title>
    </head>
    <body>
    <p>You have reached this web page by typing "example.com", "example.net", or "example.org" into your web browser.</p>
    <p>These domain names are reserved for use in documentation and are not available for registration. See <a href="http://www.rfc-editor.org/rfc/rfc2606.txt">RFC 2606</a>, Section 3.</p>
    </body>
    </html>
    Connection closed by foreign host.
    $

* *

This request can be made with the following PHP code:

* *

    <?php
    $http_response = '';
    // Open a plain TCP connection to the web server on port 80.
    $fp = fsockopen('example.org', 80);
    if (!$fp) {
        die('Could not connect to example.org');
    }
    // Send the request line and the required Host header; the empty line ends the request.
    fputs($fp, "GET / HTTP/1.1\r\n");
    fputs($fp, "Host: example.org\r\n\r\n");
    // Read the response until the server closes the connection.
    while (!feof($fp)) {
        $http_response .= fgets($fp, 128);
    }
    fclose($fp);
    // Escape the raw response so it is displayed as text.
    echo nl2br(htmlentities($http_response, ENT_QUOTES, 'UTF-8'));
    ?>

* *

I really wonder if someone could explain the examples to me. Thank you in advance.
Via GET or POST? If GET, then you can just use file_get_contents() and pass the data in the URL. If you want to use POST, then you can use either cURL, fsockopen(), or you can create a stream context and use for example file_get_contents(). Be a bit more specific, and I'll post a more specific example.
With AJAX, you can only communicate with your own host, or better said, the domain you're currently on. Plus, AJAX only works if JavaScript is enabled.
Thank you... but it is better that you first read this page (OReilly.Essential.PHP.Security); after that you will surely understand what I mean.

* *

2.7. Spoofed HTTP Requests

A more sophisticated attack than spoofing forms is spoofing a raw HTTP request. This gives an attacker complete control and flexibility, and it further proves how no data provided by the user should be blindly trusted.

To demonstrate this, consider a form located at http://example.org/form.php:

    <form action="process.php" method="POST">
    <p>Please select a color:
    <select name="color">
    <option value="red">Red</option>
    <option value="green">Green</option>
    <option value="blue">Blue</option>
    </select><br />
    <input type="submit" value="Select" /></p>
    </form>

If a user chooses Red from the list and clicks Select, the browser sends an HTTP request:

    POST /process.php HTTP/1.1
    Host: example.org
    User-Agent: Mozilla/5.0 (X11; U; Linux i686)
    Referer: http://example.org/form.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 9

    color=red

Seeing that most browsers include the referring URL this way in the request, you may be tempted to write logic that checks $_SERVER['HTTP_REFERER'] to prevent form spoofing. This would indeed prevent an attack that is mounted with a standard browser, but an attacker is not necessarily hindered by such minor inconveniences. By modifying the raw HTTP request, an attacker has complete control over the value of HTTP headers, GET and POST data, and quite literally, everything within the HTTP request.

How can an attacker modify the raw HTTP request? The process is simple. Using the telnet utility available on most platforms, you can communicate directly with a remote web server by connecting to the port on which the web server is listening (typically port 80). The following is an example of manually requesting the front page of http://example.org/ using this technique:

    $ telnet example.org 80
    Trying 192.0.34.166...
    Connected to example.org (192.0.34.166).
    Escape character is '^]'.
    GET / HTTP/1.1
    Host: example.org

    HTTP/1.1 200 OK
    Date: Sat, 21 May 2005 12:34:56 GMT
    Server: Apache/1.3.31 (Unix)
    Accept-Ranges: bytes
    Content-Length: 410
    Connection: close
    Content-Type: text/html

    <html>
    <head>
    <title>Example Web Page</title>
    </head>
    <body>
    <p>You have reached this web page by typing "example.com", "example.net", or "example.org" into your web browser.</p>
    <p>These domain names are reserved for use in documentation and are not available for registration. See <a href="http://www.rfc-editor.org/rfc/rfc2606.txt">RFC 2606</a>, Section 3.</p>
    </body>
    </html>
    Connection closed by foreign host.
    $

The request shown is the simplest request possible with HTTP/1.1 because Host is a required header. The entire HTTP response appears on the screen as soon as you enter two newlines because this indicates the end of the request.

The telnet utility isn't the only way to communicate directly with a web server, but it's often the most convenient. However, if you make the same request with PHP, you can automate your experimentation. The previous request can be made with the following PHP code:

    <?php
    $http_response = '';
    // Open a plain TCP connection to the web server on port 80.
    $fp = fsockopen('example.org', 80);
    if (!$fp) {
        die('Could not connect to example.org');
    }
    // Send the request line and the required Host header; the empty line ends the request.
    fputs($fp, "GET / HTTP/1.1\r\n");
    fputs($fp, "Host: example.org\r\n\r\n");
    // Read the response until the server closes the connection.
    while (!feof($fp)) {
        $http_response .= fgets($fp, 128);
    }
    fclose($fp);
    // Escape the raw response so it is displayed as text.
    echo nl2br(htmlentities($http_response, ENT_QUOTES, 'UTF-8'));
    ?>

There are, of course, multiple ways to do this, but the point is that HTTP is a well-known and open standard; any moderately experienced attacker is going to be intimately familiar with the protocol and how to exploit common security mistakes.

As with spoofed forms, spoofed HTTP requests are not a concern. My reason for demonstrating these techniques is to better illustrate how easy it is for an attacker to provide malicious input to your applications. This should reinforce the importance of input filtering and the fact that nothing provided in an HTTP request can be trusted.

* *

I hope you can explain my question.
Yes, any user input from the request headers to the post data can be spoofed using many techniques such as the ones in the example, but what's your point or what are you trying to do exactly?
I just want to learn how to create a script like this:

    $ telnet example.org 80
    Trying 192.0.34.166...
    ...
    .....

And why am I trying to learn? Because I don't know anything about this type of attack, but I know a hacker can hack me easily this way. So I must first learn it and then try to stop hackers. If you know any books, any sites, ... that can help me, tell me. Thank you.
Your own PHP code above will do this. You just won't see it anywhere. You don't need to see it either. Understanding the principles is sufficient to prevent attacks like this. You have to validate ALL input. If you have, for example, a select menu like the one above, do something like this to validate it:

    $allowed_options = array('red', 'green', 'blue');
    // Reject a missing value and anything that is not exactly one of the allowed strings.
    if (!isset($_POST['color']) || !in_array($_POST['color'], $allowed_options, true))
    {
        // Throw error and exit
    }

Have a look at these pages for examples of how to send data via a script:

www.php.net/curl
www.php.net/fsockopen
www.php.net/stream_context_create

Basically, you just have to know how to validate all kinds of user input. Scripts can act just like web browsers, and you can't always tell whether it's a script or a human. I think the book you're reading should explain it all, though.
Thank you nico_swd for responding, but I always filter input according to the ability of users. For example, until a few days ago I thought that the following code was enough to prevent uploading a bad thing:

    // 'type' is the Content-Type value sent by the client in the request.
    if ($_FILES['userfile']['type'] != "image/gif") {
        echo "Sorry, we only allow uploading GIF images";
        exit;
    } else {
        // upload
    }

because I didn't know someone can use a script like this:

* *

    #!/usr/bin/perl
    #
    use LWP;
    use HTTP::Request::Common;
    $ua = LWP::UserAgent->new;
    $res = $ua->request(POST 'http://localhost/upload2.php',
        Content_Type => 'form-data',
        Content => [userfile => ["shell.php", "shell.php", "Content-Type" => "image/gif"]],
    );
    print $res->as_string();

* *

So I must find all the ways that a user can send data to my page and then filter them.
Yeah, PHP is a bit lacking in the ability to get the MIME type of a file. (There'll be major improvements in PHP 6.) For images you can, for example, use getimagesize(). For other files that are not images, it's a bit more complicated. But you should validate the file extension anyway. If the file won't be parsed by PHP then it's pretty safe already. Have a look at this: http://www.scanit.be/uploads/php-file-upload.pdf
You're right, and I've already seen http://www.scanit.be/uploads/php-file-upload.pdf. But I mean that I must learn about sending data to a page without a browser. I have not seen the content of your links yet, but if you can point me to anything that can teach it to me properly, I'll be happy. I hope you understand what I want.
So what is your actual question? "Which ways can a user use to send data to my website"? I'm somewhat lost. I don't know what else to tell you. Do you have a specific script that you want to make secure? If you're just collecting general security tips, it's gonna be complicated as there's quite some stuff. Perhaps you want to have a look at this as well: http://www.php.net/security
That prevention doesn't do anything about files uploaded with a .php extension. A PHP script can have malicious code and display a valid image at the same time.
It was just an example that sometimes somebody can hack me with this type of scripting (sending data without using a browser), and because I don't know anything about this approach, I must learn about it.
Hi,

Could you not add server-side validation for extensions as well?

    <?php
    $allowed = array('gif', 'jpg', 'jpeg', 'png');
    // Take the part after the last dot, lower-cased; empty if the name has no dot.
    $ext = strtolower(pathinfo($_FILES['the_file']['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        die('see you later');
    }
    ?>
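An added example, not part of any post in this thread: the upload advice above (inspect the content with getimagesize(), note that a valid image can still carry PHP code, check the extension on the server) combined into one handler. The field name `userfile` is from the thread; the function name `store_uploaded_image`, the `uploads` directory and the error messages are hypothetical, and `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added example: accept an image upload without trusting anything the client sent.
// store_uploaded_image() and the 'uploads' directory are hypothetical names.
function store_uploaded_image(array $file, string $uploadDir): string
{
    // Image types we accept, mapped to the extension the server will assign.
    $allowed = [
        IMAGETYPE_GIF  => 'gif',
        IMAGETYPE_JPEG => 'jpg',
        IMAGETYPE_PNG  => 'png',
    ];
    // Reject failed uploads and unexpected (array-valued) upload structures.
    if (!isset($file['error'], $file['tmp_name']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Make sure the path really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // $file['type'] and $file['name'] come from the request and are ignored.
    // getimagesize() reads the file itself; index 2 is an IMAGETYPE_* constant.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Only GIF, JPEG and PNG images are allowed.');
    }
    // A valid image header does not prove the file is harmless (it can still
    // contain PHP code), so the server chooses both the name and the extension.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if (isset($_FILES['userfile'])) {
    try {
        $stored = store_uploaded_image($_FILES['userfile'], __DIR__ . '/uploads');
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the stored name never ends in `.php`, the Perl request shown earlier is rejected at the getimagesize() step, and a file that is both a valid image and a PHP script is saved under an image extension; the upload directory should also be one where the web server does not parse PHP.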
You didn't answer my question: Or have all questions been answered and we're done with this? The links I provided show how to send data via POST/GET and your script shows how to upload files and fake the MIME type. That's pretty much everything about "sending data" via a script. What else do you want to know?
nico_swd, don't be angry. I got the answer to my question, and the last one was for krt. And if you can, use simple English statements; my English is not very good. mehdiali's problem is solved. Thank you.