<?php
require_once 'common_functions.php';
require_once 'login.php';
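// admin.php - authenticated admin page: bootstraps the admin account, enforces the session checks, serves the
// malware upload form, handles the AJAX logout POST and stores an uploaded file's signature in the database.
// Relies on $hn/$un/$pw/$db and $username/$password from login.php and on is_file_valid()/sanitizeMySQL()
// from common_functions.php (neither file is visible here).
// Start MySQL connection
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) die("<p class='error'>Sorry! Encountered a connection error. Please try again another time.</p>");
// Add admin credentials to the database if doesn't exist already
$query = "SELECT * FROM admin";
$result = $conn->query($query);
// A failed query returns false rather than a result object; dereferencing it would be a fatal error
if ($result === false) die("<p class='error'>Sorry! Encountered a database error. Please try again another time.</p>");
if ($result->num_rows == 0) {
    add_admin($conn, $username, $password);
}
// Start the session
session_start();
// true = delete the old session file, so the previous session ID is not usable after rotation
session_regenerate_id(true);
// Store check result that the session HAS timed out (true means expired) - Duration of session is 24 hours
$timeout = isset($_SESSION['timeout']) && $_SESSION['timeout'] + 60*60*24 <= time();
// Store check result to prevent session hijacking - Ensure match of previous IP address and user agent string to current
// hash_equals() compares in constant time; '?? ""' avoids an undefined-index warning when a header is absent
$fingerprint = hash('ripemd128', ($_SERVER['REMOTE_ADDR'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? ''));
$match = isset($_SESSION['check']) && hash_equals((string) $_SESSION['check'], $fingerprint);
if (!isset($_SESSION['username']) || $timeout || !$match) {
    destroy_session_and_data();
    die("You're not logged in!<br><a href='authentication.php'>Click here to login</a>");
}
// Per-session CSRF token for the upload form: generated once, then required on every upload POST so that a
// cross-site form submission cannot insert malware entries on behalf of a logged-in admin
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
$csrf_token = $_SESSION['csrf_token'];
// Check if there exists an AJAX request to log out, ending the session
// (isset() yields a bool; the former 'isset(...) == "logout"' compared that bool with the string and was true for any value)
if (isset($_POST['function']) && $_POST['function'] === "logout") {
    destroy_session_and_data();
}
// Display the file upload form HTML
echo <<<_END
<html>
<head>
<title>Virus Scanner</title>
<link rel="stylesheet" href="style.css">
<script src="validation.js"></script>
<script>
// Returns cross-browser supported Ajax request object
function ajaxRequest() {
// Non-IE browser
try { var request = new XMLHttpRequest() } catch(e1) {
// IE6+
try { request = new ActiveXObject("Msxml2.XMLHTTP") } catch(e2) {
// IE5
try { request = new ActiveXObject("Microsoft.XMLHTTP") } catch(e3) {
// Browser does not support AJAX
request = false
}
}
}
return request
}
// Opens a HTTP POST method to the admin to end the current session on logout
function logOut() {
// Send function parameter telling PHP what to do
params = "function=logout"
// Open HTTP POST method, handling request asynchronously (true)
request = new ajaxRequest()
request.open("POST", "admin.php", true)
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded")
//request.setRequestHeader("Content-length", params.length)
//request.setRequestHeader("Connection", "close")
// Define event handling callback function
request.onreadystatechange = function() {
if (this.readyState == 4) {
if (this.status == 200) {
// Reload the page on POST succcess
if (this.responseText != null) location.reload()
else alert("Ajax error: No data received")
} else {
alert("Ajax error: " + this.statusText)
}
}
}
request.send(params)
}
</script>
<nav>
<button id="logout" onclick="logOut();">Logout</button>
</nav>
</head>
<body>
<div class="content">
<h1>VIRUS SCANNER</h1>
<p>Upload a surely infected file to add malware information to the database.</p>
<form method="post" action="admin.php" onsubmit="validate(this);" enctype="multipart/form-data">
<input type="hidden" name="csrf_token" value="$csrf_token">
<p>
<label for="malware_name">Name:</label>
<input type="text" name="malware_name">
</p>
<p>
<label for="file">File upload:</label>
<input type="file" name="file">
</p>
<input id="upload" type="submit" value="Upload">
</form>
<hr>
<p>Output:</p>
_END;
// Check if a file has been uploaded
if ($_FILES) {
    // Reject submissions that do not carry this session's token (constant-time compare)
    if (!hash_equals($csrf_token, (string) ($_POST['csrf_token'] ?? ''))) {
        echo "<p class='error'>Invalid form submission. Please reload the page and try again.</p>";
    } elseif (!isset($_FILES['file'])) {
        // A multipart POST without the 'file' field would otherwise trigger an undefined-index warning
        echo "<p class='error'>No file was uploaded.</p>";
    } else {
        // Store check result of file validation
        $error = is_file_valid($_FILES['file']);
        // Proceed to add malware if there is no error message from check result
        if ($error == "") {
            add_malware($conn, $_POST['malware_name'] ?? '', $_FILES['file']['tmp_name']);
        } else {
            echo "<p class='error'>$error</p>";
        }
    }
}
// Close the MySQL connection and resources once not needed
$result->close();
$conn->close();
// Display proper closing HTML tags
echo "</div></body></html>";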
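/**
 * Validates name of file upload
 * Trims the name string and checks that the name is not an empty string and contains only letters, digits, _, -
 * @param string|null $name the name of the malware file uploaded (null when the form field was not submitted)
 * @return string an error message for the first failed check, or "" when the name is valid
 */
function validate_name($name) {
    // (string) cast: trim(null) is deprecated since PHP 8.1 and the form field may be missing
    $name = trim((string) $name);
    // Check #1 - Name cannot be an empty string
    if ($name === "") return "Name for malware cannot be empty.";
    // Check #2 - Name contains only english letters (case insensitive), digits, _, -
    // (message formerly said "username" - copied from a login validator - and carried a stray <br> that the
    // caller's <p> wrapper does not need)
    if (preg_match("/[^a-zA-Z0-9_-]/", $name)) return "Only letters, digits, -, and _ are allowed in a malware name.";
    // Checks passed - Return empty string indicating no error
    return "";
}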
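/**
 * Handles file upload by retrieving the file signature and inserting the file signature (first 20 bytes) into the database
 * Terminates the script with an HTML error message (die) on any validation or database failure
 * @param mysqli $conn the connection mysql object
 * @param string $name the name inputted by the admin
 * @param string $path the file path of the malware file uploaded
 * @return void
 */
function add_malware($conn, $name, $path) {
    // Sanitize name input
    // NOTE(review): sanitizeMySQL is defined in common_functions.php (not visible here) and the queries below
    // interpolate its output directly, so escaping correctness - especially for the raw signature bytes - depends
    // entirely on what it does. A prepared statement ($conn->prepare + bind_param) would remove that dependency;
    // confirm how the scanner's lookup transforms signatures before changing the stored representation.
    $name = sanitizeMySQL($conn, $name);
    // Perform PHP validation for file name
    $error = validate_name($name);
    // Terminate script execution on PHP validation fail and display generated error messages
    // (closing tag was "<p>" - broken HTML)
    if ($error != "") die("<p class='error'>$error</p>");
    // "rb": the signature is binary data
    $fh = fopen($path, "rb");
    if ($fh === false) die("<p class='error'>Cannot open file. File does not exist or lacking permissions to open it.</p>");
    // Get the first 20 bytes (signature) of the file
    // If file size is less than 20, gets the whole file as the signature
    $signature = fread($fh, 20);
    // Release the handle immediately so none of the die() paths below leaks it
    fclose($fh);
    if ($signature === false) die("<p class='error'>Cannot read file.</p>");
    // Sanitize the retrieved signature
    $signature = sanitizeMySQL($conn, $signature);
    // Check #1 - Malware file is not empty (checked after sanitizing, as before, so the stored form is what is tested)
    if (strlen($signature) == 0) die("<p class='error'>File contents cannot be empty.</p>");
    // Check #2 - Malware does not exist in database
    // Conditions used for checking for existence (equality):
    // - There can be entries with the same malware name but different signature - The two entries are NOT equal
    // - Malware entries are equal only when both name AND signature are equal
    $query = "SELECT * FROM malware WHERE name='$name' AND signature='$signature'";
    $result = $conn->query($query);
    // query() returns false on failure; the previous code dereferenced it unconditionally
    if ($result === false) die("<p class='error'>Database malware lookup failed: " . htmlspecialchars($conn->error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>");
    $exists = $result->num_rows > 0;
    $result->close();
    if ($exists) die("<p class='error'>This malware already exists in the database.</p>");
    // Checks passed - Insert sanitized file name and signature into database
    $query = "INSERT INTO malware VALUES('$name', '$signature')";
    if (!$conn->query($query)) die("<p class='error'>Database malware insert failed: " . htmlspecialchars($conn->error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</p>");
    // $name is safe to echo: validate_name() restricted it to [a-zA-Z0-9_-]
    echo "<p class='success'>Success! Malware named '$name' has been added to the database.</p>";
}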
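/**
 * Adds admin credentials to the database after salting the password and hashing the result
 * NOTE(review): two fixed salts + ripemd128 is a fast, non-per-user-salted scheme with little resistance to
 * offline guessing; password_hash()/password_verify() is the standard replacement. The login check that verifies
 * these credentials lives outside this file and must change in lockstep - do not alter this side alone.
 * @param mysqli $conn the connection mysql object
 * @param string $un the username of admin to add
 * @param string $pw the password of admin to add
 * @return bool true when the insert succeeded, false otherwise (the query result was previously ignored)
 */
function add_admin($conn, $un, $pw) {
    // Sanitize the username and password (sanitizeMySQL comes from common_functions.php; because the hash is
    // computed over the sanitized value, the login check must apply the same transform)
    $un = sanitizeMySQL($conn, $un);
    $pw = sanitizeMySQL($conn, $pw);
    // Salt the password
    $salt1 = "qm&h*";
    $salt2 = "pg!@";
    // Hash the password
    $token = hash('ripemd128', "$salt1$pw$salt2");
    // Insert the username and the hash of the salted password into admin
    $query = "INSERT INTO admin VALUES('$un', '$token')";
    return $conn->query($query) !== false;
}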
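/**
 * Destroys a session and its data
 * Clears $_SESSION, expires the session cookie in the browser and destroys the server-side session
 * @return void
 */
function destroy_session_and_data() {
    // Erase session data
    $_SESSION = [];
    // Delete cookie by setting it to a time in the past
    // Mirror the attributes the cookie was issued with (path, domain, secure, httponly): a browser only replaces a
    // cookie when these match, so a bare path='/' deletion can leave the original cookie in place
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 2592000, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
    // Destroy the session
    session_destroy();
}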
?>