#185954 16/09/07 02:46 PM
Joined: Oct 2005
Posts: 827
pouncer (OP)
Code:
on *:TEXT:!page*:#:{ 
  write page.txt Page By $nick $+ : $2- 
  msg $chan Page added $nick
} 


I don't really output the result of the page.txt to the channel at all, but I just want to make sure I'm safe.

Joined: Dec 2002
Posts: 2,031
Someone could type...

edited by author

That could cause you some problems. smirk

Last edited by RoCk; 16/09/07 03:03 PM.
Joined: Jan 2006
Posts: 111
No, this text event (or better: this write statement) cannot be exploited. But, in another event where you're gonna read the page, you MUST use the n parameter (like in $read(page.txt, n, ....)) to prevent any commands in the page text being evaluated.

Edit: I just read Rock's reply. I am not sure whether $findfile is being evaluated during a write operation, but if so he is right that it can be dangerous! Test this one carefully, but replace the remove command in the timer by some echo command, otherwise you're in trouble.

Last edited by noMen; 16/09/07 02:55 PM.
Joined: Oct 2005
Posts: 827
pouncer (OP)
hmm wow rock, i will test that for the exploit

Joined: Dec 2002
Posts: 2,031
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...

write page.txt Page By $nick $+ : $eval($2-,2)

Joined: Oct 2004
Posts: 8,330
Like RoCk said, that could easily remove your files.

**Be careful NOT to test what he showed you. If you want to test it, change "remove" to "echo".

You may want to prevent problems by automatically removing $'s, but I'm not sure of a better solution or if that catches all possible problems.


Invision Support
#Invision on irc.irchighway.net
Joined: Oct 2004
Posts: 8,330
Originally Posted By: RoCk
I just tested it and it did not work, he would have to use $eval for it to work that way I guess...

write page.txt Page By $nick $+ : $eval($2-,2)


I tested it by just changing "remove" to "echo" to make sure nothing was removed and it did echo all of the found files.


Joined: Oct 2005
Posts: 827
pouncer (OP)
ok guys, thanks

so this seems perfectly safe. just wanted to make sure!

Joined: Oct 2004
Posts: 8,330
I didn't say it was safe...


Joined: Oct 2005
Posts: 827
pouncer (OP)
rock why did you remove that code, i wanted to test it for exploit

can someone please paste the $findfile thing again?

Joined: Sep 2005
Posts: 2,881
That can't be exploited.

The main things you have to watch out for are $readini, $read, /scon, /scid, /flash and /timer. If you $read() that file without using the 'n' flag, then identifiers within the file will be evaluated, which means people could use $findfile() to execute commands.
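
The $read point made in this reply and in noMen's earlier one, as an added example that is not part of the original thread and not any poster's code. It assumes page.txt is the file filled by the !page handler in the first post; the !pages trigger and the five-line cap are hypothetical choices made for the illustration.

```mirc
; Added example. Reads back what the "!page" handler stored in page.txt.
; The "!pages" trigger and the cap of 5 lines are hypothetical.

; UNSAFE form, shown commented out for comparison only:
; without the n switch, $read evaluates the returned line as script,
; so any identifier a user stored in a page is evaluated at read time.
;   msg $chan $read(page.txt, %i)

; SAFE form: the n switch makes $read return the line as plain text.
on *:TEXT:!pages:#:{
  ; Nothing to read yet: stop before touching the file.
  if (!$isfile(page.txt)) { msg $chan No pages stored. | return }

  var %total = $lines(page.txt)
  if (%total == 0) { msg $chan No pages stored. | return }

  ; Only show the last 5 entries so one request cannot flood the channel.
  var %i = $calc(%total - 4)
  if (%i < 1) { var %i = 1 }

  while (%i <= %total) {
    ; n = do not evaluate identifiers or variables in the stored line.
    msg $chan $read(page.txt, n, %i)
    inc %i
  }
}
```

The write side in the first post stores $2- as text; it is the read side, and any command from the list above that evaluates its argument again, that decides whether stored text is ever treated as script.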

Joined: Oct 2004
Posts: 8,330
Then why did it work with changing remove to echo?


Joined: Sep 2005
Posts: 2,881
Eh? There isn't a remove command in his original post confused

Joined: Oct 2005
Posts: 827
pouncer (OP)
riamus can you please put that $findfile line up again? so i can test it myself?

Joined: Oct 2004
Posts: 8,330
RoCk gave an example of how it can be exploited.

Last edited by Riamus2; 16/09/07 03:34 PM.

Joined: Oct 2005
Posts: 827
pouncer (OP)
PM me the exploit please, thanks. he edited his post to remove it and when i didn't have it pasted before

Joined: Sep 2005
Posts: 2,881
Nothing in the user's text is evaluated, so it cannot be exploited. IF he was using $eval($2-,2), then of course people would be able to exploit it by using $findfile(), but as it is now it's perfectly now.

Joined: Oct 2004
Posts: 8,330
Then why did it work for me? Or is that just because of doing it from the editbox?

**EDIT: which it probably is now that I'm thinking about it.

Last edited by Riamus2; 16/09/07 03:13 PM.

Joined: Sep 2005
Posts: 2,881
Just to show you..

Quote:
(16:12:58) * Now talking in #hixxytest
(16:13:26) <hixxy_> !page $findfile(c:,*,1,msg #hixxytest t!)
(16:13:28) <@hixxy> Page added hixxy_


No 't!' there.

Edit:

Originally Posted By: Riamus2
Then why did it work for me? Or is that just because of doing it from the editbox?

**EDIT: which it probably is now that I'm thinking about it.


Are you using Rock's version? Which uses $eval($2-,2) instead of just $2-?

Last edited by hixxy; 16/09/07 03:14 PM.
Joined: Oct 2005
Posts: 827
pouncer (OP)
i just tried

!page $findfile($left($mircdir,3),*,0,.timer -io 1 0 echo -a $qt($1-))


it didn't echo anything on my script
