If you are a newcomer to PHP programming but an experienced programmer overall, chances are that you find PHP pretty simple to program with. PHP is actually a combination of C++ and Perl, created so that we can write our websites along with database management and more.

In PHP, there is a very important difference between writing code and writing good code. Of course, this is true for every programming language, let alone PHP. Knowing how to properly design your website’s index page is the first and important step towards creating a solid website.

The Amateur Way to Write Your Index Page

The typical way to write your index page, if you are not really that knowledgeable in PHP, is just go about coding whatever there is for the index page. For instance, suppose that our index page has a login form and some introductory text. Our approach would be to just write the code for the index page and then, for every link on that page, create another page. This would mean that we now have an index.php page, a contact.php page, a mail.php page and more.

Don’t feel bad if you do it this way. I’ve done it myself and every new PHP programmer has done so as well. However, it’s time to learn of a more efficient way to code in PHP.

The “index.php?page=home” Way

Have you noticed that many websites follow this pattern ? Instead of having a home.php page, you see something like “index.php?page=home”. The same happens for every page of the website. What happens is that the index.php page includes the code of the other webpages, as asked. The variable page that you notice in the url is actually a typical $_GET type global variable that you can read in order to identify what is the page that the browser asks for. Here is the actual code of a typical index page :

$page = isset($_REQUEST['page']) ? $_REQUEST['page'] : 'home';

switch($page)
{
    case 'home':           break;
    case 'mail':           break;
    case 'contact':        break;
    default:
        $page = 'home';
}

include("$page.php");

This is a very basic example as you see. The index page just gets the $_REQUEST['page'] global variable ($_REQUEST is a union of $_GET and $_POST, retrieves whatever is available). Now the switch starts. But why have a switch and not just include the php page ? Well, this is actually a security measure against file inclusion attacks. It is always good to handle unexpected input. If an attacker somehow manages to upload a new php page, say hello.php, this index page, without the switch structure, would execute it normally when instructed with index.php?page='hello'. However, if the switch is there, hello.php never gets executed. Instead, the default home.php gets executed. This is always a very good practice and you should really stick to it. Of course, there is much more in protecting PHP code, but this is a small addition as well.

You could now go about creating your own template for writing websites. Remember that it is very important that you know of the essential PHP requirements in order to write much more efficiently than usual. Also, if you are not familiar with it, pay special attention to Smarty and learn to use it to create your templates.

One of the very important things that Python offers to programmers, is the great lists handling functions. Lists are one great data type that you can utilize for lots of different tasks. Since Python is a high level language, it makes our handling lists a real breeze.

What is a Python List ?

A Python list is simply a data type containing values of the same type that can be changed dynamically. It can be initialized having just two elements and then we can go on adding more elements or delete some elements as well. On the other hand, the other important Python data structure, tuples, is the same as lists only immutable. Thus, it cannot be changed on runtime.

Why Do You Need to Filter Lists ?

What happens with standard Python programming is that we tend to create lists all the time. We could be either reading a file and creating a list with its words, or maybe getting a list of the files of our current directory. Whatever the case, lists are used quite a lot and if you have been programming in Python for just a small period of time, chances are that you have already used them at least once. The problem is that lists alone are not enough. Most times we need some time of filtering in order to throw out some elements and only keep the important ones. A good example could be the case of getting a list of files. Then, we just want to keep the ones that are of *.mp3 filetype. This is where Python starts to become really versatile, as you will see below.

How to Filter Lists in Python ?

The simplest way to filter a list is the one show below. We just have a list of filenames and we want to recreate that list so that it does not contain the files that do not have “mp3″ as their filetype.

list = ["1.mp3","2.txt", "3.mp3", "4.wmv","5.mp4" ]
temp = []

for item in list:
    if item.find(".mp3") != -1:
        temp.append(item)

for item in temp:
    print item

In this example, we have a list that we traverse using a simple for. Then, we have another temporary list and whenever we locate an element having “.mp3″ as a substring, we add it to our new list. In the end we just print the new list and get the filenames we opted for.

Sometimes, we just need to quickly create a sublist of our starting list. Say that we just need the first two elements of our list. This can be done like this :

list = ["1.mp3","2.txt", "3.mp3", "4.wmv","5.mp4" ]

list = list[:2]

for item in list:
    print item

The syntax [starting:ending] determines the sublist we need to create. If no starting index is specified, it defaults to the first element. If you specify the ending index as n, you get the n-1 elements. So, li[:2] gets you elements li[0] and li[1].

The Elegant Way to Filter Lists

def isMp3(s):
    if s.find(".mp3") == -1:
        return False
    else:
        return True

list = ["1.mp3","2.txt", "3.mp3", "4.wmv","5.mp4" ]
temp = filter(isMp3,list)

for item in temp:
    print item

This is probably the best and most elegant way to filter a list in Python. We utilize the python function filter() here. What this does is take a function and our list to be filtered as its 2 parameters. For each element of the list, this function is executed and the parameter is the next element of the list. If this function returns true, the item is added to the resulting list, else it is not. Once finished, filter() returns the new list, which we print out as you see in the example above. If you want, you can also check the map() function as well.

This concludes this small post about filtering lists in Python. I reckon these techniques pretty important in writing efficient code. Python is mostly about doing things fast. Hence, using the built in functions can save you time (and money?) and also transform your code to an elegant state of the art (or at least make it bearable )

This one is another tutorial that i’ve written for Krobar’s website and that you can find here. I believe that it has some good value, especially if you are into reverse engineering cd protections.

SOME IMPORTANT INFO ABOUT THE GAME

Dark Omen is a strategy game produced by Electronic Arts (EA).This might sound a bit frustrating, if we take into consideration their current protections in year 2001.However,this game was published in year 1997,so I don’t think it will be difficult for us.

WHAT WILL I NEED IN ORDER TO FOLLOW THIS TUTORIAL?

To follow this tut without having any problem,you will have to possess these three tools,or at least the first two of them.

*W32DASM (NEEDED)
*HIEW EDITOR (NEEDED)
*SOFTICE (OPTIONAL,but it will make you understand better how the protection works).

You will also need to have a fair knowledge of how these tools work.To obtain this knowledge,you could read my first tutorial on cracking two games with W32DASM and HIEW.If this won’t help you, you can always grab other tuts from Krobar’s site(http://zor.org/krobar).My tut is also located there. Moreover,you will have to obtain some knowledge on Softice,which is a great Numega tool,a wonderful debugger.To do this i would highly advise you to read Krobar’s tuts,at least the 8 first ones,about cracking two easy crackme’s.There are also other tuts from good crackers that will give you a fair
idea on how to use SoftIce.

WE MAY START…

As always install the game,(maximum install) and double-click on the Dark Omen shortcut to play the game,without the cd inserted in your cd-rom drive.It’s this message again…When will we see a game that will run without the cd???Never mind,we will have to crack it if we don’t want it to be inserted each time we want to play the game.(Or if we want to hear our new music cd at the same time we play the game…).So,let’s disassemble the executable of Dark Omen.But,where is it? Its in the “Dark Omen\Prg_eng” and it is named “EngRel”.Found it?Make two copies,name them as:

*EngRel

*EngRel.w32

Disassemble EngRel.w32 so that you can make changes to the exe of the game,while you have W32Dasm opened.

WHAT WERE OUR MESSAGES?

When you double-clicked the shortcut to start the game,you entered the main screen of the game and when you tried to start playing the campaign,you saw a message saying something like that:

CD ROM MISSING

The cd rom is required for this selection.Ensure the cd-rom is present |E:| <-Drive letter and highlight the drive letter of your cd-rom drive. |F:| <-Drive letter

So,what can we make out of this message?We’ll see…Back to W32Dasm and click on String Data References.Try to find any message that should say something like:

“CD ROM MISSING” or “The cd-rom is required..”

Did you find anything?I hope you did.In fact,there are three strings which so do the job:

*CD ROM MISSING?
*THE CD-ROM IS REQUIRED FOR THIS…
*DARK OMEN CANNOT LOCATE THE CD-ROM…

So,there are three suspect strings.Let’s look at the first one.It’s “cd-rom missing” and there are three places in it to look for.I searched them all,set breakpoints on SoftIce to find if there was a place to check for the cd being on drive and I found nothing interesting.So,i didn’t even make the attempt to search into the other two strings and i started to think.Soon i understood something that i ought to have understood before.The bad message which we have seen before,says that it examines the drive in which there should be the cd,which is our cd-rom drive.So,we can make the judgement that it checks for the cd in one other place,highly likely a well-known API function. But,what is this function?

WHERE DOES IT CHECK IF I HAVE A CD-ROM INSERTED IN MY DRIVE?

The answer is that it checks this with an API function,GetDriveTypeA.This is a function that checks if the cd is inserted in the drive the programmer would want it to and that should be our cd-rom drive,of course.So let’s open the “functions\imports” and search for “getdrivetypea”.Once you found it,double-click on it and you should be presented with the following piece of code:

* Referenced by a CALL at Address:
|:0048A5E0                     <-This is the address to goto
|
:0048A600 81EC04010000            sub esp, 00000104
:0048A606 53                      push ebx
:0048A607 56                      push esi
:0048A608 8BB42410010000          mov esi, dword ptr [esp+00000110]
:0048A60F 57                      push edi
:0048A610 55                      push ebp
:0048A611 56                      push esi

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DEh
                                  |
:0048A612 FF15C0645800            Call dword ptr [005864C0]  <-We are thrown here
:0048A618 83F805                  cmp eax, 00000005
:0048A61B 740D                    je 0048A62A
:0048A61D 33C0                    xor eax, eax
:0048A61F 5D                      pop ebp
:0048A620 5F                      pop edi
:0048A621 5E                      pop esi
:0048A622 5B                      pop ebx
:0048A623 81C404010000            add esp, 00000104
:0048A629 C3                      ret

As you have learnt from my first tut,most times we have to goto the call or jump which we first see above the place where there is the string we double clicked on.This means that the piece of code after GetDriveTypeA,should be where the comparison between drives is held.But could it be something interesting in the above CALL?Let’s goto the address 0048A5E0.Then we see:

* Possible StringData Ref from Data Obj ->"[MOVIES]\Intro.tgq"  <-What may this be?
                                  |
:0048A59B BA78264F00              mov edx, 004F2678
:0048A5A0 899C24F8000000          mov dword ptr [esp+000000F8], ebx
:0048A5A7 8D8C24F4000000          lea ecx, dword ptr [esp+000000F4]
:0048A5AE 668B5A10                mov bx, word ptr [edx+10]
:0048A5B2 8B420C                  mov eax, dword ptr [edx+0C]
:0048A5B5 8A5212                  mov dl, byte ptr [edx+12]
:0048A5B8 68010B1200              push 00120B01
:0048A5BD 6A02                    push 00000002
:0048A5BF 896908                  mov dword ptr [ecx+08], ebp
:0048A5C2 6A02                    push 00000002
:0048A5C4 89410C                  mov dword ptr [ecx+0C], eax
:0048A5C7 66895910                mov word ptr [ecx+10], bx
:0048A5CB 8D442440                lea eax, dword ptr [esp+40]
:0048A5CF 885112                  mov byte ptr [ecx+12], dl
:0048A5D2 8D8C2400010000          lea ecx, dword ptr [esp+00000100]
:0048A5D9 8D542420                lea edx, dword ptr [esp+20]
:0048A5DD 51                      push ecx
:0048A5DE 50                      push eax
:0048A5DF 52                      push edx
:0048A5E0 E81B000000              call 0048A600       <-We are thrown here.INTERESTING...
:0048A5E5 83C418                  add esp, 00000018
:0048A5E8 5D                      pop ebp
:0048A5E9 5F                      pop edi
:0048A5EA 5E                      pop esi
:0048A5EB 5B                      pop ebx
:0048A5EC 81C464020000            add esp, 00000264
:0048A5F2 C3                      ret

So,if you scroll up a bit,we will see this:

* Possible StringData Ref from Data Obj ->”[MOVIES]\Intro.tgq”

Quite easy what this means.Let me explain now:

The call 0048A5E0 is the one that checks if there are certain files to be loaded in certain drives. To understand better this,think that the files needed for the game to run are all taken from C:\, except from one.This one is the “intro.tgp” file,which is taken from the cd.So,it checks for this file in E:\ and if it cannot find it,it calls for the bad message.As you may have already imagined, there are two solutions:

*Either noop(90) the call that checks for this file,
*Or copy the Movies\intro.tgq file into your directory of the game and MAKE it think it’s in C:\.

However,the first solution is the best,cause if you use the second one,you will also have to find a way so that it will always check if the intro.tgq file is in hard disk and not in cd-rom,which is its default checking.So,nooping the call is the best option.Therefore,we would not have to watch the intro each time we want to play.

Cheat

If you pick the second choice,you will have to remember to visit the registry and pay attention to an API function,CreateFileA.For more,refer to your API reference.

SOFTICE

You may be wondering what’s the use of SoftIce in this tutorial.The answer is simple.In order to be sure that the call at address 0048A5E0 is the one that checks for cd in cd-rom drive,I used a breakpoint at this address.I run the game and was placed into the main menu of the game. Then i set a breakpoint,by writing:

bpx 0048A5E0

After that,i double-clicked on the “CAMPAIGN” option and BOOM!!!Softice broke at this address.This way i was sure that this was the test to see if cd is in drive and it was made by testing a single file,the intro one.

HIEW

So,remember:

*Nop the call at address 0048A5E0.If you don’t know how to do this,read some tuts related on the use of Hiew Editor.I suggest you read Krobar’s Basic use of Hiew Editor.It should cover this thing and a lot more.

Nop(no operation)=90h

More than 6-7 years ago, i’ve written a small tutorial for the great and well known Krobar’s website that featured thousands of reverse engineering tutorials at the time. This essay was about diffing, a technique that, among other things, can be used to make cheats for games. Unluckily, in today’s games there is a high chance that this one will not work, due to serialization, encryption or compression.

However, it will work on old games like simcity 2000 and more. Hence, it’s a good idea that you know how to do that, there will be some cases that it will serve you well. You can find the same essay, courtesy of Krobar here.

What is The Purpose of This Tutorial ?

The purpose of this tutorial is not to teach you a method for cheating games but to let you know of a technique,called diffing.This technique is the practice of comparing two files to find any differences between them,especially if there has been a change.This branch is a game hacking one, but i figured out that it would be really helpful to all newbies,cause it will make them think(and cheat a game).Be certain that the ability to THINK is the greatest achievement of a human-being, according to me at least.So,it is twice an achievement for crackers.

So, How Do I Use This “Diffing” Technnique ?

In order to use this technique more efficiently,i would suggest that you have a program that is able to make a binary comparison of two files,such as Hex Workshop.It won’t be necessary,though, if you are able to use the fc /b command in dos.So,let’s take the example of a well-known game,
which is Simcity 2000.You may be wondering why i am taking the example of such an old one.The answer is that the newer the game is,the more data it needs to store in a saved file and it shows so many changes,that it takes time to find the change you are looking for.Newer games may also encrypt their saved files and decrypt them while they get loaded.In such a case,diffing would be pointless.

Cheat Money on Simcity 2000

I suppose you have installed the game and played it many times.I am also quite sure that you have sometimes had problems with money(except if you are a Simcity wizard).So here is what to do next:

1.Start a new game,or load an existing one and save the game when you have 20000$.Name it as you want.Mine will be crack1.

2.Continue to play the game you have just saved and buy a thing that will cost you the lowest money possible.So,in my case,i build a road and spend 10$.My money now is 19990$.Then i save the game in a new save and i name it crack2.

3.Then i exit the game and open the calculator of my computer.I now change the simple view of my calculator to the scientific one.Then i take care that my calculator shows the decimal value of a number(dec),i type 20000 and i change Dec to Hex.Now my calculator shows the value of 20000 in Hex.It is 4E20.The same thing i do with 19990.It shows 4E16.Now,we have:

20000(dec)=4E20(hex)
19990(dec)=4E16(hex)

So as you may notice the difference between these two numbers in hex is 4E(20-16).As a matter of that,you will have to make a binary comparison between these two files and as you see the differences, you will surely see something like 20 in one save and 16 in the other one.When you see it,look at
their offset number.In my case it’s 00000028.So,my next stop is in hex editor.I open the second save and i search for offset 00000028.Then i see:

00000028:024E16

I change 024E16 to 02ffff,cause f is the highest (hex)adecimal value.Next time i load the game back,i have 65535$,in my bank.

I Have Changed 4E20 to FFFF and GOT 65535, What Happens If I Want More ?

In this case,you will have to experiment.Try to change the adjacent byte,too,or a nearby one. However,i advise you to spend this sum of money and then do that again.One way or another,the fact is that you now know what diffing is and how to use it to cheat games.

In an not so old tutorial, i’ve described how one can use urllib in Python to fetch url data and write cunning little scripts that automate online works. Sometimes, especially when you need to server some content to other users via a website, you will need to write such programs in php. Learning how to use curl is a pretty nice idea overall, since there are wrappers for the famous libcurl library at almost every language you can imagine. Therefore, you will sooner or later be using that.

Thankfully, curl fits very nicely with PHP. The good idea about libcurl is that you just create a curl handle object and then you can edit any option related to curl at will. You want to post data ? Can be done by just setting a flag and specifying that data. Next you just want to get a post. Just remove the previously set flag. Want to add some cookies to the whole routine ? Once again, it’s a matter of one command. Let’s now see together some real life examples of using curl with PHP:

Use CURL to login to Facebook

I always prefer to use real life examples when explaining how to write some code. In this one, you will be presented with a function that automatically logs you in facebook. Whenever you log to such websites automatically, at 99% percent of situations, you will have to use cookies. Luckily, doing so is pretty easy with curl. You just call curl_setopt using the cookiejar and cookiefile parameters, as long as the cookie name. Take a look at the code and i will explain it thoroughly below :

 $login_email = 'name@mail.com';
 $login_pass = 'password';

 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, 'http://www.facebook.com/login.php');
 curl_setopt($ch, CURLOPT_POSTFIELDS,'email='.urlencode($login_email).'&pass='.urlencode($login_pass).'&login=Login');
 curl_setopt($ch, CURLOPT_POST, 1);
 curl_setopt($ch, CURLOPT_HEADER, 0);
 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
 curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/my_cookies.txt");
 curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/my_cookies.txt");
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3");
 curl_setopt($ch, CURLOPT_REFERER, "http://www.facebook.com");
 $page = curl_exec($ch);

As you see, we first initialize curl and get the connection object. Then, we use the important curl_setopt function to specify some important parameters. The first parameter is, of course, the url that we want to connect to. Then, follow the parameters that we want to post to the login form, in the form of “parameter = value&parameter2=value2&parameter3=value3″, as a simple string. We specify that we want to post these values to the form when we set the flag CURLOPT_POST to 1 (meaning true). CURLOPT_HEADER can be set to 0 since we don’t really need the headers of the request. The FOLLOWLOCATION parameter is just used in case of page redirects. If the page we request redirects to another page, we get that page automatically. Therefore, it’s a good addition, especially when we look at login functions. Specifying the user agent is just a way to masquarade your script, so that the remote server thinks you’re Mozilla Firefox. This is useful, if you’re a bit on the grey or dark side of hats Finally, we specify the referer so that facebook thinks we first visited the main page. Right after, we execute the http request. Notice the RETURNTRANSFER = 1 parameter. When set, curl_exec, instead of just returning a simple true or false value, it returns the whole page it retrieved. This one is really really useful.

Please bear in mind that you may have to create the cookie file yourself before calling curl_exec. Not doing so might trigger a failure on running this code at the first time. After that, in the second execution, the file will have been created and no problem will occur again. To be sincere, i don’t really know why this happens, but i’ve encountered it, so please watch out for it.

Keep the Requests Going

Now that we have logged in, we can keep on with our requests, getting more pages or doing other nasty stuff. Just set the parameters accordingly. Want to retrieve a facebook page where you do not need to post anything, like the home one ? Just reset the CURLOPT_POST parameter, specify the cookie that holds our login information and execute a new curl_exec that will fetch you that page.

curl_setopt($ch, CURLOPT_URL,"$some_url");
 curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/my_cookies.txt");
 curl_setopt($ch, CURLOPT_POST, 0);
 $page = curl_exec($ch);

I hope that you will have fun with curl and that you use it for automating important stuff. Use it sensibly

This is a guest post by a good personal friend of mine under the name Black Shadow.

Whenever we need to fill in an array, multiply a variable against a value multiple times or generally want to do the same stuff over and over, we use the C++ looping structures. They help us repeat the commands that we want to execute. We specify a set of commands to be executed according to a certain condition that we also define. While this condition is evaluated as true, the set of commands keeps executing, while when it becomes false, the looping structure ends. In general, the checking condition of a looping structure consists of a counter, that counts the number of times that the set of commands was executed. There are 3 different looping structures :

1. The for loop

for (counter = starting value; counter = final value; counter = repetition step)
{

// set of commands here

}

This is the most widely used and most versatile looping structure. In this one, everything gets initialized inside the parenthesis and therefore we do not need to write the values of the counter and the repetition step separately. This is an example that illustrates that more closely :

#include <iostream.h>
#include <conio.h>

void main()
{
    int i,m=0;
    for (i=0; i<=6; i+=2)
    {
        m+=2;
       cout<<m<<endl;
    }

    getch();
}

When the program reaches the looping structure, it checks the condition inside the parenthesis. Having initialized counter i as 0, the program checks whether the counter is smaller or equal to 6. If the condition is true, the commands inside the brackets are executed. When all the commands get executed, the program rechecks the condition inside the parenthesis and increases the counter depending on the initial value that we have provided. In this example, the value is 2. If this condition is true again, all the commands are executed again. Once more the counter gets increased and gets the value of 4. The new check on whether this value is smaller or equal to 6 is true and the commands execute again. When the counter gets 6 as its value and the commands execute, the counter then gets the value of 8. The new check shows that 8 is bigger than 6 and the condition now returns false, thus finishing the loop.

2. The While Loop

counter = initial value;
while (counter = final value)
{
    set of commands ..
    counter = repetition step;
}

This looping struct does the exact same thing that for does. The only difference is that for this one we need to initialize the counter in a different manner when it comes to the loop and the repetition step. We need to put that inside the brackets and have it run along with the other commands. In the condition, inside the brackets, we input the value of the counter that when acquired, the loop ends. This means that while the condition is true, the loop goes on with the execution :

#include <iostream.h>
#include <conio.h>

void main()
{
    int i=0,m=0;

    while(i<=6)
    {
        m+=2;
        cout<<m<<endl;
        i+=2;
    }

    getch();
}

At first, we need to initialize the counter. It is the initial value that the counter has. Then, we write the final value of the counter inside the bracket. When this value gets surpassed, the loop ends. As with the previous for loop, inside the brackets reside the commands to be executed. Moreover, inside them we write the repetition step. The order of the commands is important because depending on the final value of the counter, the set of commands can be executed as many times as we would like them to. When the condition becomes false, the loop ends. In the example that follows, the commands are going to be executed 4 times :

Values of   i       Results

0                                   2

2                                   4

4                                   6

6                                   8

8                              the loop ends

3. The Do While Loop

counter = initial value;

do
{
    set of commands ..
    counter = repetition step;
}

while (counter = final value);

As in the previous loop, we need to initialize the counter and include the repetition step as well as the actual commands to be executed. Also, the looping structure will be executed as long as the condition is true. However, there is a big difference when compared to the previous structures. The commands are going to be executed at least once. This happens because in this looping structure, the commands are executed first and the condition is checked after that. Here’s an example of that :

#include <iostream.h>
#include <conio.h>

void main()
{
    int i=0,m=0;
    do
    {
        m+=2;
        cout<<m<<endl;
        i+=2;
    }
    while(i<=6);

    getch();
}

The loop executes 4 times as well. The commands run first and then the counter gets increased. In the end, the condition is checked. When the counter becomes 8, the commands get executed and then the condition specified that the loop ends, since it returns false.

To conclude, the important things to keep in mind for looping structures are :

1. Correct usage of the different structs

2. Check the initial value of the counter

3. Check the final value of the counter

4. Check the set of commands to be executed

Thanx for reading that, make sure that you also read the fourth part about C++ Introduction to Functions.

Few people really mind security matters before anything bad happens to them. Once they get to feel how it is to lose data or give away precious information due to security faults, they begin to get more concerned over protecting their data. When it comes to websites, SQL security is one of the most important thing that haunts them. Of course, the most important one, is the php/asp or whatever code it uses.

The problem with almost every security fault is trust. In the world of websites and user related data, nothing is to be taken for granted. Do you ask your users to register for your website under a given name ? Then, you should check what that input. Never, ever assume that the website user will not be a malicious person. Do not trust your users !

What is SQL injection ?

This idea extends to lots of different exploits, but certainly one of the most well known and easily exploitable ones is definately mySQL injections. As with any other input devices, databases handle user input as well, and heavily. In this post, i assume that you’re at least familiar with SQL. If not, please take a look at this tutorial about mysql programming.

The scenario is simple. There is a part of a website that handles some user input and then makes a simple query back to the database. Let’s suppose that in this webpage, a user gets to view his/her emails. The url of the page is like “www.website.com?index.php?page=mail&uid=3″.

Now, as you see, there is a GET parameter passed to a php script. This corresponds to our user id, being 3. So, in the actual php script, the code that gets a user emails from the database would be like :

$query = "SELECT * FROM mails WHERE uid='$_GET['uid']' ";
mysql_query($query);

Now this seems ok, doesn’t it ? Actually, it is a very vulnerable execution flow. Using that, an attacker can even delete the whole database, in some cases. What they could easily do, is get the mails of other users apart from the ones of their legitimate account. As you see, we specify the uid value through the url. What would happen if that value was 4 instead of 3 ? Well, we would just be able to see every email, that a user who was unlucky enough to have the user id 4, has stored inside the system.

How I Hacked a Popular Website

Well, there are actually hundreds of websites that follow this scheme. However, i was surprised to see that a very well known website had this trivial security problem. I will not specify the actual url, but i will present you with the test case. One of the very first things that i do when i want to test a website for vulnerabilities, is check if there is an /admin page.

In this case, there was one. A typical one, needing a username and a password. The next step is checking for sql vulnerabilities. One of the easiest ways to do so is just input a single quote (‘) as a username or password. Doing so, you get this error :

“error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”” and password=” )’ at line 1″

This now makes it sure for us that there is a big mySQL vulnerability here. Why this error comes up ? Well, think of the previous query specified above. If you just input a single quote, the query becomes faulty and mySQL returns an error code.We know that this is vulnerable, but what can we do ? First of all, let’s think how the actual registration check may look like. It could be like this :

$query = "SELECT COUNT(*) as count FROM users WHERE password='$password' ";
 $result = mysql_query($query);

if ($result['count'] > 0)  ..... // you are admin

If somebody enters the correct admin password, they become an administrator. While this would be fair, the implementation is not secure. We could make it so that the query returns more than 0 results. But how ? What about selecting all the users of the system ? If the query was like :

$query = "SELECT COUNT(*) as count FROM users WHERE password='$password' OR 1=1";

This selects every user, if the password correct or 1=1. But 1 will be 1 for every user ! Therefore, every user will be selected. This principle is what makes it easy for us now to exploit. The key would be an input value like 1′ or ‘1′=’1 . This makes the sql command like :

$query = "SELECT COUNT(*) as count FROM users WHERE password='1' or '1'='1'  ";

Do you see it ? It returns as a count the total number of all the users in the database, meaning that we effectively get to be admins. Once you input that, welcome to the administration panel ..

In The End, Sanitize

If you do not that to happen to your programs, make sure that you check what the user has inputted. First of all, escape special characters. Quotes should always be escaped for instance. Take a look at magic quotes for mysql. Then, also make sure that if you need a numeric value, never accept strings. Limit user input and guess what their “out of the ordinary” input can be. Play safe to be safe.

The linux shell is probably the most important thing that provides raw power to the end user. Getting to know more about it is crucial if we seek to be able to do simple and more complicated tasks with its help. The bash shell, which is what 99% of linux users use, contains a certain environment that a user works under.

These variables are responsible for letting the shell know of some configuration which, in the end, only makes our lives easier. The core of environment variables is certainly the $PATH variable. In case that you are not familiar with that, $PATH is a variable that helps the shell run binaries under different filepaths. For instance, think of executing “ls -l”. Ls is a command that lies under the path /bin/ls. Now, when we execute that command we should be doing it like “/bin/ls -l”, but in reality we only use “ls -l” to do so. So, what happens ? How is the shell able to get to the location where ls lies on ?

The answer is that it uses the $PATH variable to do so. Let’s print out its contents by executing a simple “echo $PATH” command :

nemesys:darkfight hthought$ echo $PATH
/opt/local/bin:/opt/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin

This is the $PATH on my mac computer, if you own a linux or other unix based system, it will be a bit different, but the same rules still apply. Notice that $PATH consists of a series of different filepaths, separated by a colon. Do you spot the “/bin/” filepath ? It’s in the middle of those specified. What this means now is that for every command that we try to execute under a linux shell, it first tries to locate that command in every one of those filepaths and the current path where it was executed from. Therefore, if we execute “ls -l”, the shell is able to tell that we actually want to run “/bin/ls -l”. If we explicitly wanted to execute a binary named ls under our current working dircctory, we would be using a command like “./ls” and not “ls”. The former would execute the ls binary under the current working directory (which you can get with the command pwd).

Adding a Directory to Your $PATH

Sometimes, you may want to add a certain directory to your shell $PATH. It could be that you just want to make your life easier when executing binaries inside a certain directory. For example, you may be a python developer and want to be able to execute python inside a certain folder, without having to type the whole path every time. I have to state at that point that it should not be essential to change your filepath at most cases, but in the case that you want to do it, it’s good to know how to do it.

There are actually two ways to do that. The temporary and the persistent way. The temporary one applies to a certain shell session. Thus, you just change the $PATH variable to whatever you would like it to be. In this way, the updated $PATH variable only applies to your current shell session, meaning that when you close the shell, your previous $PATH becomes as it was before your intervention. In order to do that, you simply execute a command like :

PATH=$PATH:/yourpath

Now, to make this change global, you need to edit your .bash_profile file and include the same command, along with a simple export command like:

PATH=$PATH:/yourpath

export PATH

Finally, if you want to make this change applicable to all users at once, just insert it at /etc/profile.

The world of Unix is a place where everything is done the right way, till there is an even “righter” way to do it. For everything that gets coded, there is always something left to be edited. Almost every project in the Linux (or other unix related OS) community is based on patches. There are even quite a lot of patches for the linux kernel itself.

A patch is essentially a remedy of some kind to the original source code (or just data). Imagine, for instance, that you just discovered a critical security bug in openssh (well, you won’t be the first or the last to do that). After you fix that, you would want to inform the others (hopefully) about this bug and provide your solution. While you could still just provide the authors with your version of openssh sources, wouldn’t it be better if you just provided them with a patch, that when applied, it will automatically do the necessary changes to the needed files ?

This is where the great diff and patch commands can help. Diff is actually a command that compares two or more files line by line and provides a report indicating what is different between them. Let’s examine how diff works by examples :

How Diff Works

In order to better understand how diff works, it would be a good idea to create two files to diff one against the other. Let’s say that the names of the two files are “original.txt” and “changed.txt”. As you can understand, the original one corresponds to the original version of a file and the changed one is the one that you supposedly created after some editing you did on the original.

The contents of “original.txt”:

example of diff
and example of patch

The contents of “changed.txt”:

example of diff patched
and example of patch
new line added

So, what we first need to do is locate the differences of the two files. This is what happens now :

nemesys:Desktop hthought$ diff -u original.txt changed.txt
--- original.txt    2009-12-02 22:52:53.000000000 -0500
+++ changed.txt    2009-12-02 22:53:15.000000000 -0500
@@ -1,2 +1,3 @@
-example of diff
-and example of patch
\ No newline at end of file
+example of diff patched
+and example of patch
+new line added
\ No newline at end of file

You first notice the names of the files that we compare, along with their last modification dates. The “@@ -1,2 +1,3 @@” specifies that starting from line 1 of “original.txt”, there is a chunk of two lines of data and starting from line 1 of “changed.txt”, there is a chunk of three lines of data. After that, you can start seeing the actual contents of the two files. If there is a line that is exactly the same in both files, it gets no sign (not a – or +), meaning that it is the same. If not, it prints both versions so that you see the differences between them and understand which file they refer to.

Now, while this is good, it doesn’t really do much for us as it is. What we would want to do is redirect this output to a file as a patch for “original.txt”. Then, when we want to change that file, we would just apply the patch to transform “original.txt” to “changed.txt”. The first command to do to achieve that is :

nemesys:Desktop hthought$ diff -u original.txt changed.txt > original.patch

Applying The Patch

Applying the patch is pretty easy. We just use the patch command to do this like (from our working directory):

patch original.txt < original.patch

This is really easy but most times this is not the common case. In 90% of the cases, a patch applies to more than one files and directories. And now comes the “a bit tricky” p directive. To better understand what this actually specifies, imagine that you want to apply a patch to a a list of files under the directory “dir1″. Then, this “dir1″ directory contains another “dir2″ directory that the patch has to patch as well. The person that created the patch did that under his/her own path names. Therefore, if your working directory is on “dir2″, the patch will not be able to recognize that it has to start to patch from the previous directory. Thus, the general rule is to apply the patch to your top level directory. When you are at that one, a p1 switch is just ok. If you were in “dir2″, for instance, a p2 would be needed. Thus, in “dir1″, you would apply the patch like :

patch -p1 < original.patch

and remove it with :

patch -p1 -R < original.patch

Create a Whole Directory Patch

As you would expect, the first thing is to create a local backup of the whole directory that includes the files that are about to be edited. Then, after you finish with your changes, you just make a recursive patch using :

diff -urN originalDir/ changedDir/ > fullDir.patch

And you just apply it to the whole directory as shown above, simply by making it your working directory and specifying -p1 as the p parameter.

I will claim it. If you’re not using Python, you are losing a lot. At that point, i understand that some of you will argue that with saying how nice perl is or how great things work at ruby on rails. Well, get to know all scripting worlds if you like. Then, come back to Python programming.

I’m not trying to preach you about how good Python is (hope you know that already ), but your being knowledgeable and using other scripting languages is fair enough. Bear with me on that though. It would be a really really good idea to take up Python if you’ve never done that before. I can assure you that it will be well worth it. Alas, if you wanted more preaching you could have read the 5 reasons why you should learn Python, you say angrily. You’re right, sorry.

To the point now. One of the very good things about Python is that you can find lots of premade libraries for all sorts of things that you may want to do. I must admit that the documentation is most times not as good as Perl’s very organized CPAN, but it still consists of some great reusable code that makes your job much easier.

In your scripting endeavours, there will be many times where you will need to fetch some data from a website. In my occasion, one of the best uses for that, was creating a script that automated the login and whole playing procedure for a well known browser game. YES, i am a cheater. But come on i did it for practice (not really, but i have to defend myself somehow).

In that occasion, i needed to do two things. First, i needed to log in to the game. Then, after doing that, i needed to grab certain webpages and send back certain requests that would automate procedures like building army, new constructions and such. Generally speaking, getting a premium service at my own expense. The tricky part about it is cookies. The cookie, in that sense, is a way for the browser to know when your session with the server ends. Thus, if it notices inactivity for a certain period of time (usually 15 minutes), your session expires and you get a message like “please log in”.

Therefore, you need to be using urllib in such a way that it creates one or more cookies as well and handles them. But before messing with the cookies, let’s first check a much simpler example of using urllib to fetch data from a certain URL, without having to create any cookies:

import urllib2

def getPage():
    url="http://www.whatever.com"

    req = urllib2.Request(url)
    response = urllib2.urlopen(req)
    return response.read()

if __name__ == "__main__":
    namesPage = getPage()
    print namesPage

This is a very simple but effective example. The first thing that we need to do is call the urllib2 function named Request(). We invoke it using the url as a parameter and we get a request object back. This is used in its simplest form in the meaning. You could also be specifying http headers and data, but we will keep it simple for this first example. Then, you need to call the urlopen function that returns a file object to the actual received that. After that, you simply use the standard python read() function to read the whole file’s contents, get that and print it out.

Messing With Form Parameters, Cookies and HTTP Headers

While this is a good example of the core use of urllib2, it’s not used at its full potential here. Let’s see a more complicated example :

import urllib
import urllib2
import ClientCookie

def login():
    url = "http://domain.com/login.php"  # example url

    opts = {
    'user': 'yourUSERNAME',
    'password': 'yourPASS',
    'server': 'serverName'
    }

    data = urllib.urlencode(opts)

    headers = {
    'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12',
    'Accept': 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
    'Accept-Language': 'en-gb,en;q=0.5',
    'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
    'Connection': 'keep-alive'
    }

    req = urllib2.Request(url, data, headers)

    response = ClientCookie.urlopen(req)
    return response.read()

This is the actual login function (a bit edited), that i was using for the script i mentioned beforehand. It’s a bit more complicated, but it resembles a real world script. Let’s descramble it together. Notice that this time we use two more parameters for the Request function of urllib2. The first one is the url data. Since we want to login to the game, we have to provide our credentials. Our name, password and the server at which we play. You can get the names of the actual form elements easily using firefox’s great Web Developer plugin.

As you see, opts is actually a dictionary with the names and values of each important parameter that we need to pass to the server. This dictionary is then passed to urlencode that does what it says. It url encoded the data to properly be passed onto the server. Then, to make this a bit more professional, we disguise ourselves to be Mozilla Firefox. Nobody would want to suspect that we are a bot right ? Firefox headers look much more casual, don’t you think ?

After that, the procedure is almost the same. We just use ClientCookie as a means to get the webpage and invoke urlopen. What this does is allow python to store a session cookie for us. This is it now. We are in a situation like being logged in the actual game and we can do pretty much everything now

Multiple Cookies Handling

There has been a situation for me, when i needed multiple cookie handling and ClientCookie was just not doing that. I thought that it would be good to let you know of that occasion as well. Thus, this is the final example of this tutorial, that specifies how you can go about handling multiple cookies :

import urllib
import urllib2
import cookielib

def login():
    url = "https://whatever.com/login.php"
    opts = {
        'email': 'emailaddr',
        'pass': 'password',
    }

    headers = {
      'User-Agent': 'Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12',
      'Accept': 'text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5',
      'Accept-Language': 'en-gb,en;q=0.5',
      'Accept-Charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
      'Connection': 'keep-alive'
    }

    data = urllib.urlencode(opts)
    request = urllib2.Request(url, data, headers)

    cookies = cookielib.CookieJar()
    cookies.extract_cookies(response,request)

    cookie_handler= urllib2.HTTPCookieProcessor( cookies )
    redirect_handler= urllib2.HTTPRedirectHandler()
    opener = urllib2.build_opener(redirect_handler,cookie_handler)

    response = opener.open(request)

    return response.read()

if __name__ == "__main__":
    print login()

As you see, this is pretty different than the previous examples. We use cookielib to create what is called a cookie jar that will store multiple cookies for us. Then, build_opener() is used to combine the http handler with the cookies handler and after that things are back to normal. Using the opener object, we just execute a simple open to that obect in order to get a file object with the response of the server.

Make sure that you use this in a good manner and don’t go about creating bots ! Or maybe you think it’s a good way to practice, huh ? I second that.