
I have a big problem with a botnet... I think it is a botnet... What happens? The bot fills out the form and spams the database.

Here is the form:

<form method="POST" action="">
    <textarea name="text2" style="width: 290px; margin-bottom: 10px;"></textarea>
    <center>
    <img id="captcha" alt="Captcha" src="http://www.mysite.de/php/captcha/Captcha_show.php?sid=2d7dd1256d06a724c34b9d703f3733e9">
    <br>
    <a onclick="document.getElementById('captcha').src = 'php/captcha/Captcha_show.php?' + Math.random(); return false" href="#">New image</a>
    <br>
    <input id="mod" class="inputbox" type="text" alt="Please enter the characters from the image." style="width: 280px" maxlength="15" name="captcha_code" value="">
    <sub>Please copy the characters from the image</sub>
    <br>
    <br>
    <input class="button" type="submit" value="Add" name="submit">
    </center>
</form>

Here is an array with words that can't be inserted:

// $text2 is the submitted textarea value (assumed here to come from $_POST['text2'])
$text2 = $_POST['text2'];

$badWords = array("/delete/i","/deleted/i","/deletee/i", "/update/i", "/updateu/i", "/updateup/i","/union/i","/unionu/i","/unionun/i", "/insert/i","/inserti/i","/insertin/i","/drop/i","/dropd/i","/dropdr/i","/http/i","/httph/i","/httpht/i","/--/i", "/url/i", "/urlu/i", "/urlur/i", "/true/i", "/truet/i", "/truetr/i", "/false/i", "/falsef/i", "/falsefa/i","/!=/i","/==/i", "/insurance/i", "/eating/i", "/viagra/i");

// Replace every blacklisted word; if the result differs, the input contained one
$text3 = preg_replace($badWords, "a12", $text2);

// Strict comparison: with != PHP would compare numeric-looking strings by value
if($text3 !== $text2){
    echo "<center><b>No valid data!</b></center> <meta http-equiv=\"refresh\" content=\"2; URL=http://www.mysite.de\">";
    exit;
}

So normally the user should not be able to post any text with e.g. "viagra" in it.

I can't understand how someone or a bot could insert text containing some of these bad words.

I am using PDO and functions like htmlspecialchars(), stripslashes() and strip_tags() to prevent the hack...

Any ideas?

AstroCB
Janine Kroser
  • If you're using "PDO functions like htmlspecialchars()", I have a suspicion that your general design may turn out to be lacking quality in the little details... – Kerrek SB Oct 30 '11 at 17:34
  • Hm... but the $badWords array should work without problems, but the bot is able to insert stupid messages with words like "viagra" in it. It could be that there are little details which do not work correctly, but that is why I am asking my question. So do you have any ideas? What else could I do to prevent a botnet attack? The attackers must have the URL to the file that manages the form (action=""). They could not see where the file is, so how could they post anything? – Janine Kroser Oct 30 '11 at 17:46
  • Preventing words like "delete" from being inserted into your database looks like you're really afraid of user input. You shouldn't be afraid of it, but simply escape it properly. – CodeCaster Oct 30 '11 at 23:44

1 Answer


Your script can be hacked by HTML entities:

Example:
The input is "Hello", but in the code it is &#72;&#101;&#108;&#108;&#111;. If you now run a preg_match you will not find anything:

var_dump(preg_match('/Hello/i','&#72;&#101;&#108;&#108;&#111;'));    
// returns int 0

If you want to prevent SQL injections: use prepared statements.
If you don't want to be spammed, you also have to look for another way, as long as I can simply insert a valid string many times.

Note: I think you can prevent my hack by using html_entity_decode:

var_dump(preg_match('/Hello/i',html_entity_decode('&#72;&#101;&#108;&#108;&#111;'))); 
// returns int 1
AbcAeffchen
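The bypass described in the answer, and the normalise-before-matching fix it suggests, as an added worked example (this is not the question's or the answer's code). It reuses a few patterns from the question's $badWords list, constructs its own sample inputs, and assumes a `comments(body, created_at)` table and a placeholder PDO DSN for the prepared-statement part; the decoding loop also goes beyond the answer by handling hex (`&#x76;`) and double-encoded (`&amp;#118;`) entities. Sample inputs are ASCII, so the byte-wise `str_split` is safe here.

```php
<?php
// Added example: numeric-entity bypass of a regex blacklist, a canonicalise-then-check
// fix, and a PDO prepared statement for the insert. Only $badWords comes from the question.
declare(strict_types=1);

$badWords = ["/viagra/i", "/insurance/i", "/union/i", "/drop/i", "/http/i"];

// The question's check: substitute every pattern and see whether anything changed.
function looksClean(array $patterns, string $text): bool
{
    return preg_replace($patterns, "a12", $text) === $text;
}

// Turn a string into decimal (or hex) numeric character references, which is
// what a bot can send to slip a blacklisted word past a literal regex.
function toNumericEntities(string $text, bool $hex = false): string
{
    $out = '';
    foreach (str_split($text) as $ch) {                // ASCII input assumed
        $out .= $hex ? sprintf('&#x%X;', ord($ch)) : sprintf('&#%d;', ord($ch));
    }
    return $out;
}

// Fix: decode entities until the string stops changing, so that
// double-encoded input (&amp;#118;...) is caught as well, then match.
function canonicalise(string $text): string
{
    do {
        $prev = $text;
        $text = html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    } while ($text !== $prev);
    return $text;
}

function isAllowed(array $patterns, string $text): bool
{
    return looksClean($patterns, canonicalise($text));
}

// Constructed inputs: the same spam line in four encodings.
$plain   = "cheap viagra here";
$decimal = toNumericEntities($plain);            // &#99;&#104;&#101;...
$hexed   = toNumericEntities($plain, true);      // &#x63;&#x68;&#x65;...
$double  = str_replace('&', '&amp;', $decimal);  // entity-encoded a second time

foreach ([$plain, $decimal, $hexed, $double] as $input) {
    printf("naive: %-5s  canonical: %-5s  %s\n",
        looksClean($badWords, $input) ? 'pass' : 'block',
        isAllowed($badWords, $input)  ? 'pass' : 'block',
        substr($input, 0, 40));
}
// The naive check blocks only $plain and lets the three encoded variants through;
// the canonical check blocks all four.

// Storage: the word list is not an SQL-injection defence. A prepared statement keeps
// the value out of the SQL parser entirely; escape with htmlspecialchars() on output,
// not before the filter (escaping first would turn "&#118;" into "&amp;#118;").
// Table and column names are assumed.
function storeComment(PDO $db, string $text): void
{
    $stmt = $db->prepare('INSERT INTO comments (body, created_at) VALUES (:body, NOW())');
    $stmt->execute([':body' => canonicalise($text)]);
}

// Usage (not executed here; DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $text2 = $_POST['text2'] ?? '';
// if (isAllowed($badWords, $text2)) { storeComment($db, $text2); }
// echo htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

The order matters: decode first, match second, store via a bound parameter, and escape only when rendering. Running htmlspecialchars() before the blacklist, as the question's list of functions suggests may be happening, re-encodes the `&` of every entity and guarantees html_entity_decode() never sees the original reference. Even with that fixed, the answer's second point stands: a bot that posts a string containing none of the listed words still gets through, so a word list is not a spam defence on its own.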