Detecting possible hacking attempts
  • chroniccommand
    Posts: 1,389
    Hey, just figured I'd show you a simple way to detect possible hacking attempts. I'll be using a page with a text box that echoes input and logs possible XSS, SQLi, LFI and RFI.

    First we create a file named ip_log.txt and chmod it so the other file can append/write to it. Now we create the PHP file with the input box.


    <?php
    if (isset($_GET['input']))
    {
        $page = $_GET['input'];
        $logfile = "ip_log.txt"; //Catch hacking attempts
        $file = fopen($logfile, 'a');
        $ip = $_SERVER['REMOTE_ADDR']; //Get current IP
        $curpage = $_SERVER['PHP_SELF']; //Get the page
        $input = $_SERVER['QUERY_STRING']; //Get the query used
        $writes = "\nIP: " . $ip . " Page: " . $curpage . " Attempt: " . $input;
        if (strstr($page, '<')) //Detect possible start of <script> or any other tag
        {
            fwrite($file, $writes); //Write IP, page and attempt string
            fclose($file);
            die("Hacking attempt detected. IP logged"); //Kill the script
        }
        elseif (strstr($page, "'")) //Detect possible SQLi probe
        {
            fwrite($file, $writes);
            fclose($file);
            die("Hacking attempt detected. IP logged");
        }
        elseif (strstr($page, "../")) //Detect possible LFIs
        {
            fwrite($file, $writes);
            fclose($file);
            die("Hacking attempt detected. IP logged");
        }
        elseif (strstr($page, "./")) //Another possible LFI (current directory traversal)
        {
            fwrite($file, $writes);
            fclose($file);
            die("Hacking attempt detected. IP logged");
        }
        elseif (strstr($page, "http://")) //Detect possible RFI
        {
            fwrite($file, $writes);
            fclose($file);
            die("Hacking attempt detected. IP logged");
        }
        elseif (strstr($page, "https://")) //Another possible RFI using secure HTTP
        {
            fwrite($file, $writes);
            fclose($file);
            die("Hacking attempt detected. IP logged");
        }
        else
        {
            fclose($file); //Nothing to log, release the handle
            echo htmlspecialchars($page, ENT_QUOTES, 'UTF-8'); //Escape the input before echoing it back
        }
    }
    ?>
    <html>
    <body>
    <form name="input" method="get">
    Text: <input type="text" name="input" />
    <input type="submit" value="Submit" />
    </form>
    </body>
    </html>


    Yes, not the best approach to it. The better approach would be to use an array or regex search. But anyway it's pretty simple. Here is a sample ip_log.txt:

    IP: ::1 Page: /t.php Attempt: input=%3Cscript%3E
    IP: ::1 Page: /t.php Attempt: input=%27
    IP: ::1 Page: /t.php Attempt: input=%27
    IP: ::1 Page: /t.php Attempt: input=..%2F
    IP: ::1 Page: /t.php Attempt: input=..%2F..%2F..%2Fetc%2Fshadow
    IP: ::1 Page: /t.php Attempt: input=http%3A%2F%2Fgoogle.com%2F
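
An added example, not part of the original post: a Python triage script that reads ip_log.txt in the format shown above, URL-decodes the logged `input` parameter, and labels each entry using the post's six checks expressed as one regex rule table (the "array or regex" approach the post mentions). The rule labels, the function names, the case-insensitive RFI match and the last sample line are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# The post's six strstr() checks as one ordered rule table (first match wins).
RULES = [
    ("xss",  re.compile(r"<")),                # start of any tag
    ("sqli", re.compile(r"'")),                # single-quote probe
    ("lfi",  re.compile(r"\.\.?/")),           # "../" or "./"
    ("rfi",  re.compile(r"https?://", re.I)),  # assumption: case-insensitive, unlike strstr()
]

# One entry per line, in the format the PHP page writes.
LINE_RE = re.compile(r"^IP: (\S+) Page: (\S+) Attempt: (.*)$")

# First six entries are the sample log from the post; the last one is constructed.
SAMPLE_LOG = """
IP: ::1 Page: /t.php Attempt: input=%3Cscript%3E
IP: ::1 Page: /t.php Attempt: input=%27
IP: ::1 Page: /t.php Attempt: input=%27
IP: ::1 Page: /t.php Attempt: input=..%2F
IP: ::1 Page: /t.php Attempt: input=..%2F..%2F..%2Fetc%2Fshadow
IP: ::1 Page: /t.php Attempt: input=http%3A%2F%2Fgoogle.com%2F
IP: 203.0.113.7 Page: /t.php Attempt: input=.%2Fconfig
"""

def classify(value):
    """Return the label of the first rule that matches, or None."""
    for name, pattern in RULES:
        if pattern.search(value):
            return name
    return None

def triage(log_text, param="input"):
    """Parse log lines into (ip, page, decoded_value, label) tuples."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ip, page, query = m.groups()
        # QUERY_STRING is logged still URL-encoded; decode before matching.
        value = parse_qs(query, keep_blank_values=True).get(param, [""])[0]
        entries.append((ip, page, value, classify(value)))
    return entries

def summarize(log_text):
    """Count logged attempts per (ip, label)."""
    return Counter((ip, label) for ip, _page, _value, label in triage(log_text))

if __name__ == "__main__":
    for (ip, label), n in summarize(SAMPLE_LOG).most_common():
        print(f"{ip:15} {label or '-':5} {n}")
```
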
  • Xin
    Posts: 3,251
    Interesting script, nice share.
    Xin
  • Mr. P-teo
    Posts: 269
    Very simple, but I could adapt this for my personal uses, thanks.
    Skype: mrpt3o
    Twitter: MrPteo


  • McKittrick
    Posts: 194
    That color-code makes it a bit hard to read for me (especially the blue section).