PHP and Website Security

Universal Process File

Introduction

In this article, we're going to cover how to make a universal process file with advanced security. With it, you'll mostly prevent LFI (Local File Inclusion) and RFI (Remote File Inclusion). Instead of using the traditional post action like "usercp.php?action=login", we're going to make hackers shitbrix every time they try to exploit your site. Before we start, I'd like to introduce the section of PHP that we'll mostly be using in this article.

  • Mcrypt Cryptography: This is an interface to the mcrypt library, which supports a wide variety of block algorithms such as DES, TripleDES, Blowfish (default), 3-WAY, SAFER-SK64, SAFER-SK128, TWOFISH, TEA, RC2 and GOST in CBC, OFB, CFB and ECB cipher modes. Additionally, it supports RC6 and IDEA which are considered "non-free". CFB/OFB are 8bit by default.

Coding

We're going to code 2 files: one is for obfuscation of the process code and one is the universal process file, which you can use in any PHP application you wish to integrate it with. First up, we're going to code the obfuscation file. Just a heads up, I'm not going to go through the code line by line; I'm just going to put the code up and explain how it works afterwards.

Resources

f.obfuscation.php

<?php
session_start();

// Per-session value that the key is derived from
if(!isset($_SESSION['sid'])) {
    $_SESSION['sid'] = sha1(time());
}

// ext/mcrypt (removed in PHP 7.2); ECB mode ignores the IV, so $iv has no effect here
$iv_size = mcrypt_get_iv_size(MCRYPT_SERPENT, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$key = md5($_SESSION['sid']); // 32 hex chars = the longest key Serpent accepts

function encrypt($string) {
    global $iv, $key;
    return base64_encode(mcrypt_encrypt(MCRYPT_SERPENT, $key, $string, MCRYPT_MODE_ECB, $iv));
}

function decrypt($string) {
    global $iv, $key;
    // The original was missing this return, so decrypt() always gave back NULL
    return mcrypt_decrypt(MCRYPT_SERPENT, $key, base64_decode($string), MCRYPT_MODE_ECB, $iv);
}

For the obfuscation file we're going to need a unique key that the script will use to encrypt/decrypt data. I'm not going to consider a predefined key, since it can be easily compromised if your server is ever rooted or shelled. We're going to make it as unique as possible, so we set up a session variable named "sid". Then we calculate its sha1 hash and hash that again with md5, since the cipher I'm using, Serpent, doesn't support long keys.

For the process file, we're going to use a serialized array to describe form actions and tasks, and encrypt it with the function above. But before that, I'm going to show you how it will flow in the application:

array -> serialize() -> encrypt() -> base64 encoded string

Even if you decode it again with base64, you'll be left with gibberish all over the place. Now let's go through the structure of the process code; it's only a simple serialized array, and now we're going to dissect it.

array(
    "file" => "filename.php",
    "prc" => array(
        "action" => "nameofaction"
    )
)

Kinda simple, isn't it? Instead of using somefile.php?action=something, we're going to use the above array to represent the file we're going to use and which task under that file to run. Let's start to code the process file! But remember, the array must be serialized before encrypting it.

process.php

<?php
include "f.obfuscation.php";

if(isset($_GET['code'])) {
    // PHP has already URL-decoded $_GET; decoding again would turn the '+' of base64 into spaces
    $prc = unserialize(decrypt($_GET['code']));

    if(!is_array($prc)) { // End the session if the code above is not an array
        die("Are you fooling me buddy?");
    }

    if(!file_exists($prc['file'])) { // End the session if the specified file is not found
        die("The file specified cannot be found");
    }

    if(!is_array($prc['prc'])) { // End the session if the process code is not an array
        die("Invalid process code");
    }

    require_once $prc['file'];
}

Since we're using the variable $prc to represent the process, we can now use it in the file we specified to include.

filename.php

<?php
if($prc['prc']['action'] == 'nameofaction') {
    // do something!
}
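The post never shows the side that builds the `code` parameter, so here is the whole round trip (array -> encode -> base64 -> decode -> include) as an added example; it is not code from the original post. It assumes a current PHP without ext/mcrypt (removed in 7.2) and so swaps in openssl_encrypt() with AES-256-GCM, which rejects tampered ciphertext; it also assumes a random per-session key instead of md5(sha1(time())), JSON instead of serialize(), and an allowlist PRC_FILES of includable files in place of file_exists().

```php
<?php
// Added example, not the original post's code: encode/decode for the
// process.php?code=... scheme on PHP >= 7.2 (openssl, AES-256-GCM).

const PRC_CIPHER = 'aes-256-gcm';
const PRC_FILES  = ['filename.php']; // assumed allowlist of includable files

function prc_key(): string {
    if (!isset($_SESSION['prc_key'])) {
        $_SESSION['prc_key'] = random_bytes(32); // unpredictable, unlike time()
    }
    return $_SESSION['prc_key'];
}

// Builds the value for process.php?code=... for one file/action pair.
function prc_encode(string $file, string $action): string {
    $iv   = random_bytes(openssl_cipher_iv_length(PRC_CIPHER)); // fresh per token
    $json = json_encode(['file' => $file, 'prc' => ['action' => $action]]);
    $ct   = openssl_encrypt($json, PRC_CIPHER, prc_key(), OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct); // IV and 16-byte GCM tag travel with the data
}

// Reverse of prc_encode(); returns null on tampering or malformed input.
function prc_decode(string $code): ?array {
    $ivLen = openssl_cipher_iv_length(PRC_CIPHER);
    $raw   = base64_decode($code, true); // strict: reject characters outside base64
    if ($raw === false || strlen($raw) < $ivLen + 16) {
        return null;
    }
    $iv   = substr($raw, 0, $ivLen);
    $tag  = substr($raw, $ivLen, 16);
    $ct   = substr($raw, $ivLen + 16);
    $json = openssl_decrypt($ct, PRC_CIPHER, prc_key(), OPENSSL_RAW_DATA, $iv, $tag);
    $prc  = $json === false ? null : json_decode($json, true);
    if (!is_array($prc) || !isset($prc['file'], $prc['prc']['action'])) {
        return null;
    }
    // Only files named in the allowlist may ever reach require_once.
    return in_array($prc['file'], PRC_FILES, true) ? $prc : null;
}

session_start();
// Link-building side (replaces somefile.php?action=something):
$link = 'process.php?code=' . urlencode(prc_encode('filename.php', 'nameofaction'));

// process.php side: one call replaces the is_array/file_exists checks.
$prc = prc_decode($_GET['code'] ?? '');
if ($prc === null) {
    exit('Invalid process code');
}
require_once $prc['file']; // filename.php then reads $prc['prc']['action']
```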

Simple, isn't it? I'll leave the analysis of how you're going to use it to you readers. Lol

Cheers!,
~n
