Perl CGI 被黑了?但我做的一切都是对的
我刚刚注意到我的一个 Web 目录中有一些奇怪的 PHP 文件。事实证明,它们是垃圾邮件发送者放置的漏洞利用文件。
他们自 2006 年起就一直在那里,当时我正在使用我的 CGI 脚本开展一场备受瞩目的捐款活动。这些文件被放置在脚本的可写目录中,因此我怀疑我的脚本可能已被以某种方式利用。
但我使用 Perl“污点检查”、严格等,并且我从不将查询数据传递到 shell(它从不调用 shell!)或使用查询数据生成 OPEN 的文件路径...我只打开我直接在脚本中指定的文件。我确实将查询数据作为文件内容传递到写入文件中,但据我所知,这并不危险。
我盯着这些脚本看不到任何东西,并且我研究了所有标准 Perl CGI 漏洞。当然,他们可能以某种方式获取了我的托管帐户的密码,但事实上这些脚本被放置在我的 CGI 脚本的数据目录中,这让我怀疑该脚本。 (此外,他们“以某种方式”获取我的密码是一个更可怕的解释。)此外,大约在那个时候,我的日志显示大量“警告,从非 PayPal 地址收到 IPN”消息,这些 IP 来自俄罗斯。所以看起来至少有人试图破解这些脚本。
涉及到两个脚本,我把它们贴在下面。有人看到任何可被利用来写入意外文件的东西吗?
这是第一个脚本(用于接收 PayPal IPN 并跟踪捐款,还跟踪哪个网站产生最多的捐款):
#!/usr/bin/perl -wT
# Created by Jason Rohrer, December 2005
# Copied basic structure and PayPal protocol code from DonationTracker v0.1
# Script settings
# Basic settings
# email address this script is tracking payments for
my $receiverEmail = "receiver\@yahoo.com";
# This script must have write permissions to BOTH of its DataDirectories.
# It must be able to create files in these directories.
# On most web servers, this means the directory must be world-writable.
# ( chmod a+w donationData )
# These paths are relative to the location of the script.
my $pubDataDirectory = "../goliath";
my $privDataDirectory = "../../cgi-data/donationNet";
# If this $privDataDirectory setting is changed, you must also change it below
# where the error LOG is opened
# end of Basic settings
# Advanced settings
# Ignore these unless you know what you are doing.
# where the log of incoming donations is stored
my $donationLogFile = "$privDataDirectory/donationLog.txt";
# location of public data generated by this script
my $overallSumFile = "$pubDataDirectory/overallSum.html";
my $overallCountFile = "$pubDataDirectory/donationCount.html";
my $topSiteListFile = "$pubDataDirectory/topSiteList.html";
# private data tracking which donation total coming from each site
my $siteTrackingFile = "$privDataDirectory/siteTracking.txt";
# Where non-fatal errors and other information is logged
my $logFile = "$privDataDirectory/log.txt";
# IP of notify.paypal.com
# used as cheap security to make sure IPN is only coming from PayPal
my $paypalNotifyIP = "216.113.188.202";
# setup a local error log
use CGI::Carp qw( carpout );
BEGIN {
# location of the error log
my $errorLogLocation = "../../cgi-data/donationNet/errors.log";
use CGI::Carp qw( carpout );
open( LOG, ">>$errorLogLocation" ) or
die( "Unable to open $errorLogLocation: $!\n" );
carpout( LOG );
}
# end of Advanced settings
# end of script settings
use strict;
use CGI; # Object-Oriented CGI library
# setup stuff, make sure our needed files are initialized
if( not doesFileExist( $overallSumFile ) ) {
writeFile( $overallSumFile, "0" );
}
if( not doesFileExist( $overallCountFile ) ) {
writeFile( $overallCountFile, "0" );
}
if( not doesFileExist( $topSiteListFile ) ) {
writeFile( $topSiteListFile, "" );
}
if( not doesFileExist( $siteTrackingFile ) ) {
writeFile( $siteTrackingFile, "" );
}
# allow group to write to our data files
umask( oct( "02" ) );
# create object to extract the CGI query elements
my $cgiQuery = CGI->new();
# always at least send an HTTP OK header
print $cgiQuery->header( -type=>'text/html', -expires=>'now',
-Cache_control=>'no-cache' );
my $remoteAddress = $cgiQuery->remote_host();
my $action = $cgiQuery->param( "action" ) || '';
# first, check if our count/sum is being queried by another script
if( $action eq "checkResults" ) {
my $sum = readTrimmedFileValue( $overallSumFile );
my $count = readTrimmedFileValue( $overallCountFile );
print "$count \$$sum";
}
elsif( $remoteAddress eq $paypalNotifyIP ) {
my $donorName;
# $customField contains URL of site that received donation
my $customField = $cgiQuery->param( "custom" ) || '';
# untaint and find whitespace-free string (assume it's a URL)
( my $siteURL ) = ( $customField =~ /(\S+)/ );
my $amount = $cgiQuery->param( "mc_gross" ) || '';
my $currency = $cgiQuery->param( "mc_currency" ) || '';
my $fee = $cgiQuery->param( "mc_fee" ) || '0';
my $date = $cgiQuery->param( "payment_date" ) || '';
my $transactionID = $cgiQuery->param( "txn_id" ) || '';
# these are for our private log only, for tech support, etc.
# this information should not be stored in a web-accessible
# directory
my $payerFirstName = $cgiQuery->param( "first_name" ) || '';
my $payerLastName = $cgiQuery->param( "last_name" ) || '';
my $payerEmail = $cgiQuery->param( "payer_email" ) || '';
# only track US Dollars
# (can't add apples to oranges to get a final sum)
if( $currency eq "USD" ) {
my $status = $cgiQuery->param( "payment_status" ) || '';
my $completed = $status eq "Completed";
my $pending = $status eq "Pending";
my $refunded = $status eq "Refunded";
if( $completed or $pending or $refunded ) {
# write all relevant payment info into our private log
addToFile( $donationLogFile,
"$transactionID $date\n" .
"From: $payerFirstName $payerLastName " .
"($payerEmail)\n" .
"Amount: \$$amount\n" .
"Fee: \$$fee\n" .
"Status: $status\n\n" );
my $netDonation;
if( $refunded ) {
# subtract from total sum
my $oldSum =
readTrimmedFileValue( $overallSumFile );
# both the refund amount and the
# fee on the refund are now reported as negative
# this changed as of February 13, 2004
$netDonation = $amount - $fee;
my $newSum = $oldSum + $netDonation;
# format to show 2 decimal places
my $newSumString = sprintf( "%.2f", $newSum );
writeFile( $overallSumFile, $newSumString );
my $oldCount = readTrimmedFileValue( $overallCountFile );
my $newCount = $oldCount - 1;
writeFile( $overallCountFile, $newCount );
}
# This check no longer needed as of February 13, 2004
# since now only one IPN is sent for a refund.
#
# ignore negative completed transactions, since
# they are reported for each refund (in addition to
# the payment with Status: Refunded)
if( $completed and $amount > 0 ) {
# fee has not been subtracted yet
# (fee is not reported for Pending transactions)
my $oldSum =
readTrimmedFileValue( $overallSumFile );
$netDonation = $amount - $fee;
my $newSum = $oldSum + $netDonation;
# format to show 2 decimal places
my $newSumString = sprintf( "%.2f", $newSum );
writeFile( $overallSumFile, $newSumString );
my $oldCount = readTrimmedFileValue(
$overallCountFile );
my $newCount = $oldCount + 1;
writeFile( $overallCountFile, $newCount );
}
if( $siteURL =~ /http:\/\/\S+/ ) {
# a valid URL
# track the total donations of this site
my $siteTrackingText = readFileValue( $siteTrackingFile );
my @siteDataList = split( /\n/, $siteTrackingText );
my $newSiteData = "";
my $exists = 0;
foreach my $siteData ( @siteDataList ) {
( my $url, my $siteSum ) = split( /\s+/, $siteData );
if( $url eq $siteURL ) {
$exists = 1;
$siteSum += $netDonation;
}
$newSiteData = $newSiteData . "$url $siteSum\n";
}
if( not $exists ) {
$newSiteData = $newSiteData . "$siteURL $netDonation";
}
trimWhitespace( $newSiteData );
writeFile( $siteTrackingFile, $newSiteData );
# now generate the top site list
# our comparison routine, descending order
sub highestTotal {
( my $url_a, my $total_a ) = split( /\s+/, $a );
( my $url_b, my $total_b ) = split( /\s+/, $b );
return $total_b <=> $total_a;
}
my @newSiteDataList = split( /\n/, $newSiteData );
my @sortedList = sort highestTotal @newSiteDataList;
my $listHTML = "<TABLE BORDER=0>\n";
foreach my $siteData ( @sortedList ) {
( my $url, my $siteSum ) = split( /\s+/, $siteData );
# format to show 2 decimal places
my $siteSumString = sprintf( "%.2f", $siteSum );
$listHTML = $listHTML .
"<TR><TD><A HREF=\"$url\">$url</A></TD>".
"<TD ALIGN=RIGHT>\$$siteSumString</TD></TR>\n";
}
$listHTML = $listHTML . "</TABLE>";
writeFile( $topSiteListFile, $listHTML );
}
}
else {
addToFile( $logFile, "Payment status unexpected\n" );
addToFile( $logFile, "status = $status\n" );
}
}
else {
addToFile( $logFile, "Currency not USD\n" );
addToFile( $logFile, "currency = $currency\n" );
}
}
else {
# else not from paypal, so it might be a user accessing the script
# URL directly for some reason
my $customField = $cgiQuery->param( "custom" ) || '';
my $date = $cgiQuery->param( "payment_date" ) || '';
my $transactionID = $cgiQuery->param( "txn_id" ) || '';
my $amount = $cgiQuery->param( "mc_gross" ) || '';
my $payerFirstName = $cgiQuery->param( "first_name" ) || '';
my $payerLastName = $cgiQuery->param( "last_name" ) || '';
my $payerEmail = $cgiQuery->param( "payer_email" ) || '';
my $fee = $cgiQuery->param( "mc_fee" ) || '0';
my $status = $cgiQuery->param( "payment_status" ) || '';
# log it
addToFile( $donationLogFile,
"WARNING: got IPN from unexpected IP address\n" .
"IP address: $remoteAddress\n" .
"$transactionID $date\n" .
"From: $payerFirstName $payerLastName " .
"($payerEmail)\n" .
"Amount: \$$amount\n" .
"Fee: \$$fee\n" .
"Status: $status\n\n" );
# print an error page
print "Request blocked.";
}
##
# Reads file as a string.
#
# @param0 the name of the file.
#
# @return the file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readFileValue {
my $fileName = $_[0];
open( FILE, "$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 1 )
or die( "Failed to lock file $fileName: $!\n" );
my @lineList = <FILE>;
my $value = join( "", @lineList );
close FILE;
return $value;
}
##
# Reads file as a string, trimming leading and trailing whitespace off.
#
# @param0 the name of the file.
#
# @return the trimmed file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readTrimmedFileValue {
my $returnString = readFileValue( $_[0] );
trimWhitespace( $returnString );
return $returnString;
}
##
# Writes a string to a file.
#
# @param0 the name of the file.
# @param1 the string to print.
#
# Example:
# writeFile( "myFile.txt", "the new contents of this file" );
##
sub writeFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Checks if a file exists in the filesystem.
#
# @param0 the name of the file.
#
# @return 1 if it exists, and 0 otherwise.
#
# Example:
# $exists = doesFileExist( "myFile.txt" );
##
sub doesFileExist {
my $fileName = $_[0];
if( -e $fileName ) {
return 1;
}
else {
return 0;
}
}
##
# Trims any whitespace from the beginning and end of a string.
#
# @param0 the string to trim.
##
sub trimWhitespace {
# trim from front of string
$_[0] =~ s/^\s+//;
# trim from end of string
$_[0] =~ s/\s+$//;
}
##
# Appends a string to a file.
#
# @param0 the name of the file.
# @param1 the string to append.
#
# Example:
# addToFile( "myFile.txt", "the new contents of this file" );
##
sub addToFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">>$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Makes a directory file.
#
# @param0 the name of the directory.
# @param1 the octal permission mask.
#
# Example:
# makeDirectory( "myDir", oct( "0777" ) );
##
sub makeDirectory {
my $fileName = $_[0];
my $permissionMask = $_[1];
mkdir( $fileName, $permissionMask );
}
并且,这里有一些冗余(对此感到抱歉......完整性?),但这是第二个脚本(用于生成网站 HTML 按钮,人们可以将其添加到自己的网站):
#!/usr/bin/perl -wT
# Created by Jason Rohrer, December 2005
# Script settings
# Basic settings
my $templateFile = "buttonTemplate.html";
# end of Basic settings
# Advanced settings
# Ignore these unless you know what you are doing.
# setup a local error log
use CGI::Carp qw( carpout );
BEGIN {
# location of the error log
my $errorLogLocation = "../../cgi-data/donationNet/errors.log";
use CGI::Carp qw( carpout );
open( LOG, ">>$errorLogLocation" ) or
die( "Unable to open $errorLogLocation: $!\n" );
carpout( LOG );
}
# end of Advanced settings
# end of script settings
use strict;
use CGI; # Object-Oriented CGI library
# create object to extract the CGI query elements
my $cgiQuery = CGI->new();
# always at least send an HTTP OK header
print $cgiQuery->header( -type=>'text/html', -expires=>'now',
-Cache_control=>'no-cache' );
my $siteURL = $cgiQuery->param( "site_url" ) || '';
print "Paste this HTML into your website:<BR>\n";
print "<FORM><TEXTAREA COLS=40 ROWS=10>\n";
my $buttonTemplate = readFileValue( $templateFile );
$buttonTemplate =~ s/SITE_URL/$siteURL/g;
# escape all tags
$buttonTemplate =~ s/&/&/g;
$buttonTemplate =~ s/</</g;
$buttonTemplate =~ s/>/>/g;
print $buttonTemplate;
print "\n</TEXTAREA></FORM>";
##
# Reads file as a string.
#
# @param0 the name of the file.
#
# @return the file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readFileValue {
my $fileName = $_[0];
open( FILE, "$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 1 )
or die( "Failed to lock file $fileName: $!\n" );
my @lineList = <FILE>;
my $value = join( "", @lineList );
close FILE;
return $value;
}
##
# Reads file as a string, trimming leading and trailing whitespace off.
#
# @param0 the name of the file.
#
# @return the trimmed file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readTrimmedFileValue {
my $returnString = readFileValue( $_[0] );
trimWhitespace( $returnString );
return $returnString;
}
##
# Writes a string to a file.
#
# @param0 the name of the file.
# @param1 the string to print.
#
# Example:
# writeFile( "myFile.txt", "the new contents of this file" );
##
sub writeFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Checks if a file exists in the filesystem.
#
# @param0 the name of the file.
#
# @return 1 if it exists, and 0 otherwise.
#
# Example:
# $exists = doesFileExist( "myFile.txt" );
##
sub doesFileExist {
my $fileName = $_[0];
if( -e $fileName ) {
return 1;
}
else {
return 0;
}
}
##
# Trims any whitespace from the beginning and end of a string.
#
# @param0 the string to trim.
##
sub trimWhitespace {
# trim from front of string
$_[0] =~ s/^\s+//;
# trim from end of string
$_[0] =~ s/\s+$//;
}
##
# Appends a string to a file.
#
# @param0 the name of the file.
# @param1 the string to append.
#
# Example:
# addToFile( "myFile.txt", "the new contents of this file" );
##
sub addToFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">>$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Makes a directory file.
#
# @param0 the name of the directory.
# @param1 the octal permission mask.
#
# Example:
# makeDirectory( "myDir", oct( "0777" ) );
##
sub makeDirectory {
my $fileName = $_[0];
my $permissionMask = $_[1];
mkdir( $fileName, $permissionMask );
}
I just noticed some strange PHP files in one of my web directories. They turned out to be spammer-placed exploit files.
They've been there since 2006, around the time that I was running a high-profile donation campaign using a CGI script of mine. And the files were placed in the script's writeable directory, so I suspect that my script might have been exploited somehow.
But I'm using Perl "taint checking", strict, etc, and I'm never passing query data to the shell (it never invokes the shell!) or using query data to generate a file path for OPEN... I only OPEN files that I specify directly in the script. I do pass query data INTO written files as file content, but as far as I'm aware, that's not dangerous.
I've stared at these scripts and cannot see anything, and I've studied all the standard Perl CGI holes. Of course, they could have gotten the password to my hosting account somehow, but the fact that these scripts were placed in my CGI script's data directory makes me suspect the script. (Also, them getting my password "somehow" is a much scarier explanation.) Also, around that time, my logs show lots of "Warning, IPN received from a non-PayPal address" messages, with those IPs coming from Russia. So it seems like someone was at least TRYING to hack these scripts.
Two scripts are involved, and I'm pasting them below. Anyone see anything that could be exploited to write unexpected files?
Here's the first script (for receiving PayPal IPN and tracking the donations, and also tracking which site is generating the most donations):
#!/usr/bin/perl -wT
# Created by Jason Rohrer, December 2005
# Copied basic structure and PayPal protocol code from DonationTracker v0.1
# Script settings
# Basic settings
# email address this script is tracking payments for
my $receiverEmail = "receiver\@yahoo.com";
# This script must have write permissions to BOTH of its DataDirectories.
# It must be able to create files in these directories.
# On most web servers, this means the directory must be world-writable.
# ( chmod a+w donationData )
# These paths are relative to the location of the script.
my $pubDataDirectory = "../goliath";
my $privDataDirectory = "../../cgi-data/donationNet";
# If this $privDataDirectory setting is changed, you must also change it below
# where the error LOG is opened
# end of Basic settings
# Advanced settings
# Ignore these unless you know what you are doing.
# where the log of incoming donations is stored
my $donationLogFile = "$privDataDirectory/donationLog.txt";
# location of public data generated by this script
my $overallSumFile = "$pubDataDirectory/overallSum.html";
my $overallCountFile = "$pubDataDirectory/donationCount.html";
my $topSiteListFile = "$pubDataDirectory/topSiteList.html";
# private data tracking which donation total coming from each site
my $siteTrackingFile = "$privDataDirectory/siteTracking.txt";
# Where non-fatal errors and other information is logged
my $logFile = "$privDataDirectory/log.txt";
# IP of notify.paypal.com
# used as cheap security to make sure IPN is only coming from PayPal
my $paypalNotifyIP = "216.113.188.202";
# setup a local error log
use CGI::Carp qw( carpout );
BEGIN {
# location of the error log
my $errorLogLocation = "../../cgi-data/donationNet/errors.log";
use CGI::Carp qw( carpout );
open( LOG, ">>$errorLogLocation" ) or
die( "Unable to open $errorLogLocation: $!\n" );
carpout( LOG );
}
# end of Advanced settings
# end of script settings
use strict;
use CGI; # Object-Oriented CGI library
# setup stuff, make sure our needed files are initialized
if( not doesFileExist( $overallSumFile ) ) {
writeFile( $overallSumFile, "0" );
}
if( not doesFileExist( $overallCountFile ) ) {
writeFile( $overallCountFile, "0" );
}
if( not doesFileExist( $topSiteListFile ) ) {
writeFile( $topSiteListFile, "" );
}
if( not doesFileExist( $siteTrackingFile ) ) {
writeFile( $siteTrackingFile, "" );
}
# allow group to write to our data files
umask( oct( "02" ) );
# create object to extract the CGI query elements
my $cgiQuery = CGI->new();
# always at least send an HTTP OK header
print $cgiQuery->header( -type=>'text/html', -expires=>'now',
-Cache_control=>'no-cache' );
my $remoteAddress = $cgiQuery->remote_host();
my $action = $cgiQuery->param( "action" ) || '';
# first, check if our count/sum is being queried by another script
if( $action eq "checkResults" ) {
my $sum = readTrimmedFileValue( $overallSumFile );
my $count = readTrimmedFileValue( $overallCountFile );
print "$count \$sum";
}
elsif( $remoteAddress eq $paypalNotifyIP ) {
my $donorName;
# $customField contains URL of site that received donation
my $customField = $cgiQuery->param( "custom" ) || '';
# untaint and find whitespace-free string (assume it's a URL)
( my $siteURL ) = ( $customField =~ /(\S+)/ );
my $amount = $cgiQuery->param( "mc_gross" ) || '';
my $currency = $cgiQuery->param( "mc_currency" ) || '';
my $fee = $cgiQuery->param( "mc_fee" ) || '0';
my $date = $cgiQuery->param( "payment_date" ) || '';
my $transactionID = $cgiQuery->param( "txn_id" ) || '';
# these are for our private log only, for tech support, etc.
# this information should not be stored in a web-accessible
# directory
my $payerFirstName = $cgiQuery->param( "first_name" ) || '';
my $payerLastName = $cgiQuery->param( "last_name" ) || '';
my $payerEmail = $cgiQuery->param( "payer_email" ) || '';
# only track US Dollars
# (can't add apples to oranges to get a final sum)
if( $currency eq "USD" ) {
my $status = $cgiQuery->param( "payment_status" ) || '';
my $completed = $status eq "Completed";
my $pending = $status eq "Pending";
my $refunded = $status eq "Refunded";
if( $completed or $pending or $refunded ) {
# write all relevant payment info into our private log
addToFile( $donationLogFile,
"$transactionID $date\n" .
"From: $payerFirstName $payerLastName " .
"($payerEmail)\n" .
"Amount: \$amount\n" .
"Fee: \$fee\n" .
"Status: $status\n\n" );
my $netDonation;
if( $refunded ) {
# subtract from total sum
my $oldSum =
readTrimmedFileValue( $overallSumFile );
# both the refund amount and the
# fee on the refund are now reported as negative
# this changed as of February 13, 2004
$netDonation = $amount - $fee;
my $newSum = $oldSum + $netDonation;
# format to show 2 decimal places
my $newSumString = sprintf( "%.2f", $newSum );
writeFile( $overallSumFile, $newSumString );
my $oldCount = readTrimmedFileValue( $overallCountFile );
my $newCount = $oldCount - 1;
writeFile( $overallCountFile, $newCount );
}
# This check no longer needed as of February 13, 2004
# since now only one IPN is sent for a refund.
#
# ignore negative completed transactions, since
# they are reported for each refund (in addition to
# the payment with Status: Refunded)
if( $completed and $amount > 0 ) {
# fee has not been subtracted yet
# (fee is not reported for Pending transactions)
my $oldSum =
readTrimmedFileValue( $overallSumFile );
$netDonation = $amount - $fee;
my $newSum = $oldSum + $netDonation;
# format to show 2 decimal places
my $newSumString = sprintf( "%.2f", $newSum );
writeFile( $overallSumFile, $newSumString );
my $oldCount = readTrimmedFileValue(
$overallCountFile );
my $newCount = $oldCount + 1;
writeFile( $overallCountFile, $newCount );
}
if( $siteURL =~ /http:\/\/\S+/ ) {
# a valid URL
# track the total donations of this site
my $siteTrackingText = readFileValue( $siteTrackingFile );
my @siteDataList = split( /\n/, $siteTrackingText );
my $newSiteData = "";
my $exists = 0;
foreach my $siteData ( @siteDataList ) {
( my $url, my $siteSum ) = split( /\s+/, $siteData );
if( $url eq $siteURL ) {
$exists = 1;
$siteSum += $netDonation;
}
$newSiteData = $newSiteData . "$url $siteSum\n";
}
if( not $exists ) {
$newSiteData = $newSiteData . "$siteURL $netDonation";
}
trimWhitespace( $newSiteData );
writeFile( $siteTrackingFile, $newSiteData );
# now generate the top site list
# our comparison routine, descending order
sub highestTotal {
( my $url_a, my $total_a ) = split( /\s+/, $a );
( my $url_b, my $total_b ) = split( /\s+/, $b );
return $total_b <=> $total_a;
}
my @newSiteDataList = split( /\n/, $newSiteData );
my @sortedList = sort highestTotal @newSiteDataList;
my $listHTML = "<TABLE BORDER=0>\n";
foreach my $siteData ( @sortedList ) {
( my $url, my $siteSum ) = split( /\s+/, $siteData );
# format to show 2 decimal places
my $siteSumString = sprintf( "%.2f", $siteSum );
$listHTML = $listHTML .
"<TR><TD><A HREF=\"$url\">$url</A></TD>".
"<TD ALIGN=RIGHT>\$siteSumString</TD></TR>\n";
}
$listHTML = $listHTML . "</TABLE>";
writeFile( $topSiteListFile, $listHTML );
}
}
else {
addToFile( $logFile, "Payment status unexpected\n" );
addToFile( $logFile, "status = $status\n" );
}
}
else {
addToFile( $logFile, "Currency not USD\n" );
addToFile( $logFile, "currency = $currency\n" );
}
}
else {
# else not from paypal, so it might be a user accessing the script
# URL directly for some reason
my $customField = $cgiQuery->param( "custom" ) || '';
my $date = $cgiQuery->param( "payment_date" ) || '';
my $transactionID = $cgiQuery->param( "txn_id" ) || '';
my $amount = $cgiQuery->param( "mc_gross" ) || '';
my $payerFirstName = $cgiQuery->param( "first_name" ) || '';
my $payerLastName = $cgiQuery->param( "last_name" ) || '';
my $payerEmail = $cgiQuery->param( "payer_email" ) || '';
my $fee = $cgiQuery->param( "mc_fee" ) || '0';
my $status = $cgiQuery->param( "payment_status" ) || '';
# log it
addToFile( $donationLogFile,
"WARNING: got IPN from unexpected IP address\n" .
"IP address: $remoteAddress\n" .
"$transactionID $date\n" .
"From: $payerFirstName $payerLastName " .
"($payerEmail)\n" .
"Amount: \$amount\n" .
"Fee: \$fee\n" .
"Status: $status\n\n" );
# print an error page
print "Request blocked.";
}
##
# Reads file as a string.
#
# @param0 the name of the file.
#
# @return the file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readFileValue {
my $fileName = $_[0];
open( FILE, "$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 1 )
or die( "Failed to lock file $fileName: $!\n" );
my @lineList = <FILE>;
my $value = join( "", @lineList );
close FILE;
return $value;
}
##
# Reads file as a string, trimming leading and trailing whitespace off.
#
# @param0 the name of the file.
#
# @return the trimmed file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readTrimmedFileValue {
my $returnString = readFileValue( $_[0] );
trimWhitespace( $returnString );
return $returnString;
}
##
# Writes a string to a file.
#
# @param0 the name of the file.
# @param1 the string to print.
#
# Example:
# writeFile( "myFile.txt", "the new contents of this file" );
##
sub writeFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Checks if a file exists in the filesystem.
#
# @param0 the name of the file.
#
# @return 1 if it exists, and 0 otherwise.
#
# Example:
# $exists = doesFileExist( "myFile.txt" );
##
sub doesFileExist {
my $fileName = $_[0];
if( -e $fileName ) {
return 1;
}
else {
return 0;
}
}
##
# Trims any whitespace from the beginning and end of a string.
#
# @param0 the string to trim.
##
sub trimWhitespace {
# trim from front of string
$_[0] =~ s/^\s+//;
# trim from end of string
$_[0] =~ s/\s+$//;
}
##
# Appends a string to a file.
#
# @param0 the name of the file.
# @param1 the string to append.
#
# Example:
# addToFile( "myFile.txt", "the new contents of this file" );
##
sub addToFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">>$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Makes a directory file.
#
# @param0 the name of the directory.
# @param1 the octal permission mask.
#
# Example:
# makeDirectory( "myDir", oct( "0777" ) );
##
sub makeDirectory {
my $fileName = $_[0];
my $permissionMask = $_[1];
mkdir( $fileName, $permissionMask );
}
And, there's some redundancy here (sorry about that... completeness?), but here's the second script (for generating website HTML buttons that people can add to their own site):
#!/usr/bin/perl -wT
# Created by Jason Rohrer, December 2005
# Script settings
# Basic settings
my $templateFile = "buttonTemplate.html";
# end of Basic settings
# Advanced settings
# Ignore these unless you know what you are doing.
# setup a local error log
use CGI::Carp qw( carpout );
BEGIN {
# location of the error log
my $errorLogLocation = "../../cgi-data/donationNet/errors.log";
use CGI::Carp qw( carpout );
open( LOG, ">>$errorLogLocation" ) or
die( "Unable to open $errorLogLocation: $!\n" );
carpout( LOG );
}
# end of Advanced settings
# end of script settings
use strict;
use CGI; # Object-Oriented CGI library
# create object to extract the CGI query elements
my $cgiQuery = CGI->new();
# always at least send an HTTP OK header
print $cgiQuery->header( -type=>'text/html', -expires=>'now',
-Cache_control=>'no-cache' );
my $siteURL = $cgiQuery->param( "site_url" ) || '';
print "Paste this HTML into your website:<BR>\n";
print "<FORM><TEXTAREA COLS=40 ROWS=10>\n";
my $buttonTemplate = readFileValue( $templateFile );
$buttonTemplate =~ s/SITE_URL/$siteURL/g;
# escape all tags
$buttonTemplate =~ s/&/&/g;
$buttonTemplate =~ s/</</g;
$buttonTemplate =~ s/>/>/g;
print $buttonTemplate;
print "\n</TEXTAREA></FORM>";
##
# Reads file as a string.
#
# @param0 the name of the file.
#
# @return the file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readFileValue {
my $fileName = $_[0];
open( FILE, "$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 1 )
or die( "Failed to lock file $fileName: $!\n" );
my @lineList = <FILE>;
my $value = join( "", @lineList );
close FILE;
return $value;
}
##
# Reads file as a string, trimming leading and trailing whitespace off.
#
# @param0 the name of the file.
#
# @return the trimmed file contents as a string.
#
# Example:
# my $value = readFileValue( "myFile.txt" );
##
sub readTrimmedFileValue {
my $returnString = readFileValue( $_[0] );
trimWhitespace( $returnString );
return $returnString;
}
##
# Writes a string to a file.
#
# @param0 the name of the file.
# @param1 the string to print.
#
# Example:
# writeFile( "myFile.txt", "the new contents of this file" );
##
sub writeFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Checks if a file exists in the filesystem.
#
# @param0 the name of the file.
#
# @return 1 if it exists, and 0 otherwise.
#
# Example:
# $exists = doesFileExist( "myFile.txt" );
##
sub doesFileExist {
my $fileName = $_[0];
if( -e $fileName ) {
return 1;
}
else {
return 0;
}
}
##
# Trims any whitespace from the beginning and end of a string.
#
# @param0 the string to trim.
##
sub trimWhitespace {
# trim from front of string
$_[0] =~ s/^\s+//;
# trim from end of string
$_[0] =~ s/\s+$//;
}
##
# Appends a string to a file.
#
# @param0 the name of the file.
# @param1 the string to append.
#
# Example:
# addToFile( "myFile.txt", "the new contents of this file" );
##
sub addToFile {
my $fileName = $_[0];
my $stringToPrint = $_[1];
open( FILE, ">>$fileName" )
or die( "Failed to open file $fileName: $!\n" );
flock( FILE, 2 )
or die( "Failed to lock file $fileName: $!\n" );
print FILE $stringToPrint;
close FILE;
}
##
# Makes a directory file.
#
# @param0 the name of the directory.
# @param1 the octal permission mask.
#
# Example:
# makeDirectory( "myDir", oct( "0777" ) );
##
sub makeDirectory {
my $fileName = $_[0];
my $permissionMask = $_[1];
mkdir( $fileName, $permissionMask );
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我以前见过类似的东西。在我们的例子中,我非常确定黑客在尚未更新的库中使用了缓冲区溢出。然后他们能够使用 PHP shell 将文件写入服务器。
问题很可能不在您的代码中。更频繁地更新软件会降低攻击的可能性,但不幸的是,不可能完全防止黑客攻击。他们很可能正在扫描旧版本软件中的常见漏洞。
I've seen something similar before. In our case, I'm pretty sure the hackers used a buffer overflow in a library that hadn't been updated. They were then able to use a PHP shell to write files the server.
It's quite likely the problem wasn't in your code. Updating your software more often would make attacks less likely but unfortunately it's impossible to be completely hack-proof. Chances are that they were scanning for a common vulnerability in an old version of software.
自从我使用 perl 的 CGI 模块以来已经有一段时间了,但是你确定 CGI::param 转义了这些值吗?从我所在的位置来看,这些值可能包含反引号,因此将被扩展和执行。
Been a while since I played with perl's CGI module, but are you sure CGI::param escapes the values? From where I'm sitting, the values may contain backticks and thus will be expanded and executed.
您可以重构代码,使用
constantpragma:处理常量很痛苦,因为它们不会被
qq插值,而且你必须不断无休止地使用(s)printf或很多连接运算符。 但是这应该会让ne'erdowells更难改变作为文件路径传递的任何参数。You could refactor your code to make all the filepath references into compile-time constants with the
constantpragma:Dealing with constants is a pain because they don't get interpolated by
qq, and you've got toconstantlyendlessly be using(s)printfor a lot of concatenation operators. But it should make it a lot harder for ne'erdowells to alter any arguments that are being passed as filepaths.你的代码对我来说似乎很安全。我只是稍微反对使用文件的相对路径,这让我有点不舒服,但很难想象其中存在一些安全风险。我敢打赌这个漏洞就在下面的某个地方(perl、apache ...)
Your code seems quite safe to me. I would only slightly object to the use of relative paths for the files, that makes me a little uncomfortable, but it's hard to imagine some security risk in that. I'd bet the vulnerability was somewhere below (perl, apache ...)