

RE: Web Forms filtered with SQL constraints

Subject: RE: Web Forms filtered with SQL constraints
Date: Fri, 8 Oct 2004 10:31:57 +0000 (GMT)

To protect your code, you could try using a JavaScript
Obfuscator. This will make your JS very hard to understand.
Or write some sed, perl and bash scripts to obfuscate your
own JS code.

(This is not to enable client-side security checking, just
to protect your code from other people's prying eyes!)

I have written a set of beta scripts to obfuscate my php
code.

Each variable name begins with "$v_" in the source code.

The scripts use sed to replace the variable name
"$v_my_var_name" with "$vn".

So $v_this_var becomes $v1;
$v_that_var becomes $v2. etc, etc.

Same applies to php functions. The function names are
replaced with fn for the name, where n is the sequence
number as the conversion takes place.

Also, all line endings are removed, making the source code
effectively one long line. Plus other mods such as stripping
out all comments.

Anyone trying to alter the source code will have a pretty
tough time trying to debug it, as the php interpreter
flags all error messages as being on line 1 :-).


**BEFORE OBFUSCATING**

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">

<!-- ======================================================================= -->
<!-- Copyright (c) 2000-2004 Keith Anthony Roberts U.K. ALL RIGHTS RESERVED. -->
<!-- ======================================================================= -->

<!-- php4 include file containing user buttons for muxreg homepage -->

<!-- last updated 15-JAN-2004 -->

<!-- use list.com to print this out - or required sections thereof -->

<!-- ========================================================== -->

<HTML> <HEAD>

<META name="description" content="Free online mutual exchange register for
 Kings Lynn area and surrounding villages. For use by council or housing
 association tenants only">

<META name="keywords" content="'Kings Lynn', mutual, exchange, register">

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

<TITLE> </TITLE> </HEAD>

<!-- ========================================================== -->

<BODY>

<?php // into php4 mode

/*-----------------------------------------------------*/
/*  Anyuser return to muxreg website home page button  */
/*-----------------------------------------------------*/

function anyuser_HOMEPAGE_button($v_text)
{
 // declare the following variables as global to access them
 global $v_host_name;
 global $v_debug_value;
 global $v_table_output;
 global $v_advcd_search;

 ?> <!-- back into HTML mode -->

 <FORM ACTION="./muxreg.hml" METHOD="POST">

 <P ALIGN=CENTER>
 <INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>"> </P>

 <!-- ========================================================== -->

 <!-- pass the following hidden variables with the form -->

 <INPUT TYPE="HIDDEN" NAME="v_host_name"
        VALUE="<?php echo $v_host_name; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_debug_value"
        VALUE="<?php echo $v_debug_value; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_table_output"
        VALUE="<?php echo $v_table_output; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_advcd_search"
        VALUE="<?php echo $v_advcd_search; ?>">

 <!-- ========================================================== -->

 </FORM>

 <?php // back into php mode

} // end of function anyuser_HOMEPAGE_button($v_text)
/*-------------------------------------------------------------*/

/*-----------------------------------------*/
/*  About this site and User Guide button  */
/*-----------------------------------------*/

function ABOUT_SITE_button($v_text)
{
 // declare the following variables as global to access them
 global $v_debug_value;
 global $v_table_output;
 global $v_advcd_search;

 ?> <!-- back into HTML mode -->

 <FORM ACTION="./about.hml" METHOD="POST">

 <P ALIGN=CENTER>
 <INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>"> </P>

 <!-- ========================================================== -->

 <!-- pass the following hidden variables with the form -->

 <INPUT TYPE="HIDDEN" NAME="v_debug_value"
        VALUE="<?php echo $v_debug_value; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_table_output"
        VALUE="<?php echo $v_table_output; ?>">

 <INPUT TYPE="HIDDEN" NAME="v_advcd_search"
        VALUE="<?php echo $v_advcd_search; ?>">

 <!-- ========================================================== -->

 </FORM>

 <?php // back into php mode

} // end of function ABOUT_SITE_button($v_text)
/*-------------------------------------------------------------*/

The above code AFTER OBFUSCATING

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<HTML> <HEAD> <META name="description" content="Free online
mutual exchange register for Kings Lynn area and surrounding
villages. For use by council or housing association tenants
only"> <META name="keywords" content="'Kings Lynn', mutual,
exchange, register"> <META http-equiv="Content-Type"
content="text/html; charset=ISO-8859-1"> <TITLE> </TITLE>
</HEAD> <BODY> <?php function f107($v159) { global $v97;
global $v32; global $v153; global $v4; ?> <FORM
ACTION="./muxreg.hml" METHOD="POST"> <P ALIGN=CENTER> <INPUT
TYPE="SUBMIT" VALUE="<?php echo $v159; ?>"> </P> <INPUT
TYPE="HIDDEN" NAME="v97" VALUE="<?php echo $v97; ?>"> <INPUT
TYPE="HIDDEN" NAME="v32" VALUE="<?php echo $v32; ?>"> <INPUT
TYPE="HIDDEN" NAME="v153" VALUE="<?php echo $v153; ?>">
<INPUT TYPE="HIDDEN" NAME="v4" VALUE="<?php echo $v4; ?>">
</FORM> <?php } function f1($v159) { global $v32; global
$v153; global $v4; ?> <FORM ACTION="./about.hml"
METHOD="POST"> <P ALIGN=CENTER> <INPUT TYPE="SUBMIT"
VALUE="<?php echo $v159; ?>"> </P> <INPUT TYPE="HIDDEN"
NAME="v32" VALUE="<?php echo $v32; ?>"> <INPUT TYPE="HIDDEN"
NAME="v153" VALUE="<?php echo $v153; ?>"> <INPUT
TYPE="HIDDEN" NAME="v4" VALUE="<?php echo $v4; ?>"> </FORM>
<?php }

These scripts are still in beta, and a bit buggy, but if
anyone wants a copy for downloading and experimenting with,
they are at:

http://www.karsites.net/KAR/websites/pub/computing/obfs/

The main bash script lives at:

http://www.karsites.net/KAR/websites/pub/computing/obfs/grep/encrypt-muxreg-website

Maybe we can write a GPL'd set of encryption scripts, based
on what I have already started, if anyone wants to continue
this as a project with me.

Any questions, please email me.

Regards - Keith Roberts
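
The renaming scheme described in the message above (v_ identifiers
to vN, declared functions to fN, comments and line endings stripped),
re-created as an added Python example. This is not Keith Roberts'
sed/bash script; the regexes, the function names strip_php_comments
and obfuscate, and the SAMPLE input are my own constructions. It
numbers identifiers by first appearance in the input rather than
across a whole site, and it returns the rename map alongside the
output, because that map is what you need to turn a PHP error that
names $v2 back into a real variable name.

```python
"""Rename-based PHP/HTML obfuscator following the scheme described in the post.

Hypothetical re-implementation, not Keith Roberts' sed/bash scripts:
  * every identifier starting with "v_" becomes "vN" (so "$v_host_name" and the
    hidden form field NAME="v_host_name" get the same new name),
  * every "function NAME(" declaration becomes "function fN(", with call sites
    renamed to match,
  * PHP (// # /* */) and HTML (<!-- -->) comments are stripped,
  * line endings are collapsed so the result is one long line.
N is the order of first appearance in this input; the post's own numbers
(v97, f107, ...) came from a whole site and so are not sequential.
"""
import re

V_IDENT_RE = re.compile(r"\bv_[A-Za-z0-9_]+\b")
FUNC_DECL_RE = re.compile(r"\bfunction\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")
PHP_BLOCK_RE = re.compile(r"<\?php.*?(?:\?>|\Z)", re.S)   # a trailing block may be unclosed
HTML_COMMENT_RE = re.compile(r"<!--.*?-->", re.S)


def strip_php_comments(php: str) -> str:
    """Drop //, # and /* */ comments from one PHP block. Quoted strings are
    copied verbatim so a literal such as "http://example" is not cut at "//"."""
    out, i, n = [], 0, len(php)
    while i < n:
        c = php[i]
        if c in "'\"":
            j = i + 1
            while j < n and php[j] != c:
                j += 2 if php[j] == "\\" else 1     # skip escaped characters
            out.append(php[i:j + 1])
            i = j + 1
        elif php.startswith("//", i) or c == "#":
            end = php.find("\n", i)                # keep the newline itself
            i = n if end == -1 else end
        elif php.startswith("/*", i):
            end = php.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def obfuscate(src: str):
    """Return (obfuscated source, rename map). Keep the map: it is the only way
    to read a runtime error that mentions $v2 or f1 back to the real name."""
    code = PHP_BLOCK_RE.sub(lambda m: strip_php_comments(m.group(0)), src)
    code = HTML_COMMENT_RE.sub("", code)

    variables, functions = {}, {}
    for name in V_IDENT_RE.findall(code):
        variables.setdefault(name, "v%d" % (len(variables) + 1))
    for name in FUNC_DECL_RE.findall(code):
        functions.setdefault(name, "f%d" % (len(functions) + 1))

    code = V_IDENT_RE.sub(lambda m: variables[m.group(0)], code)
    if functions:
        call_re = re.compile(r"\b(" + "|".join(map(re.escape, functions)) + r")\b")
        code = call_re.sub(lambda m: functions[m.group(1)], code)

    # One long line. This also collapses whitespace inside string literals and
    # heredocs, so the technique is only safe for code that has none.
    code = re.sub(r"\s+", " ", code).strip()
    return code, {**variables, **functions}


# Constructed sample in the style of the post's "before" listing.
SAMPLE = """<!-- php include file containing user buttons -->
<BODY>
<?php // into php mode
/*  Return to home page button  */
function HOME_button($v_text)
{
 global $v_host_name;
 ?> <!-- back into HTML mode -->
 <FORM ACTION="./home.php" METHOD="POST">
 <INPUT TYPE="SUBMIT" VALUE="<?php echo $v_text; ?>">
 <INPUT TYPE="HIDDEN" NAME="v_host_name" VALUE="<?php echo $v_host_name; ?>">
 </FORM>
 <?php // back into php mode
} // end of function HOME_button($v_text)
"""

if __name__ == "__main__":
    obfuscated, rename_map = obfuscate(SAMPLE)
    print(obfuscated)
    for original, new in rename_map.items():
        print("%-16s -> %s" % (original, new))
```

Running it on SAMPLE gives a single line in which the hidden field's
NAME attribute is renamed together with the `$v_` variable it carries,
which is also what the post's "after" listing shows (NAME="v97"). The
rename map is the deobfuscation key and should stay with the original
source; as the post itself says, this hides nothing from a determined
reader and changes nothing about what the server must still validate.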

On Wed, 6 Oct 2004, V. Poddubnyy wrote:

To: 'Bénoni MARTIN' <Benoni.MARTIN@libertis.ga>, webappsec@securityfocus.com
From: V. Poddubnyy <vpoddubniy@mail.ru>
Subject: RE: Web Forms filtered with SQL constraints

Hello!

But I have 2 questions:
    - How can I hide my Jscript filtering from the user ?
When I want to see the source, everything is displayed, quite
normal :( ...
