PHP syntax error?

perennate Member, Host Rep
edited July 2015 in Help

I keep getting syntax error on this script and just can't figure out what's wrong -- https://gist.github.com/anonymous/219d65c81d5f80e4090a

Any ideas?

<?php
 
$link = mysqli_connect('158.69.21.149', 'root', 'JXHzcS1F97PUVB5z3p35m5LH', 'db);
$result = $link->query("SELECT subject, time, details FROM incidents WHERE time > DATE_SUB(NOW(), INTERVAL 30 DAY) ORDER BY id DESC LIMIT 20");
$foundAny = false;
 
while($row = mysqli_fetch_array($result)) {
$foundAny = true;
echo "{$row['subject']} ({$row['time']})";
echo "{$row['details']}";
}
 
if(!$foundAny) {
echo "There have not been any incidents in the last thirty days.";
}
 
?> 

Here is error -- http://158.69.21.149/index.php

try to hack the server at 158.69.21.149

Thanked by 1sleddog

Comments

  • BharatB Member, Patron Provider
    edited July 2015

    UPDATE:

    I've forked and fixed it.

    Thanked by 1perennate
  • Not big into PHP, but don't we need to normally terminate quotes?

    'JXHzcS1F97PUVB5z3p35m5LH', 'db);
    
    Thanked by 1perennate
  • rpollestad Member
    edited July 2015

    $link = mysqli_connect('158.69.21.149', 'root', 'JXHzcS1F97PUVB5z3p35m5LH', 'db);

    Missing a closing ' after db. Should be 'db');

    Probably shouldn't post your MySQL root password either.

    Thanked by 1perennate
  • Damn quote.

  • perennate Member, Host Rep
    edited July 2015

    BharatB said: Can you post what is the error or a screenshot of it please :/

    Here is error -- http://158.69.21.149/index.php

  • perennate Member, Host Rep
    edited July 2015

    @rpollestad @Bharatb @Silvenga thanks it works now!

  • FlamesRunner Member
    edited July 2015

    Fixed for you:

    echo "".$row['subject'].'-'.$row['time']."";
    echo "".$row['details']."";
    

    The issue is the extra {} you are adding - you're confusing PHP by telling it the loop is done but it really isn't.

    Your code:

        echo "{$row['subject']} - this bracket is closing the while loop ({$row['time']})";
        echo "{$row['details']}";
    }
  • hbjlee17 Member, Host Rep
    edited July 2015

    The thread may be a bit misleading. I told @perennate to make the purpose of this thread more clear, but it's still hidden in tiny text.

    This is an exercise designed for people to attempt to breach the virtual machine (aside from the obvious unauthorized database access). Then solutions/recommendations on how to prevent this from happening will be posted, either by those who successfully gain access to the server (not MySQL), or @perennate will do it :P

    Since @perennate is a representative of Lunanode, I note that the company in no way exposes credentials to our infrastructure in published source code, or otherwise.

    Have fun.

    Thanked by 1sleddog
  • terrahost Member, Patron Provider
    edited July 2015

    mysql -h 158.69.21.149 -u root -p

    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g
    Your MySQL connection id is 22
    Server version: 5.5.43-0ubuntu0.14.04.1 (Ubuntu)

    You really should either change your password, firewall your SQL or at least edit your post :)

  • agoldenberg Member, Host Rep

    Yeah might want to change it pretty soon too! Someone could do some damage with your DB lol!

  • "Congratulations!!!!11! that's all, unless you can bypass the fake webserver :)"

    Can I get an easy button please?

    ec2-54-72-242-176.eu-west-1.compute.amazonaws.com

  • madtbh Member
    edited July 2015

    Like others have posted you really need to secure your MySQL Server.

    1. You can change the "bind-address" in /etc/mysql/my.cnf config file to "127.0.0.1", so only users logged in via the VPS or Dedi can access it.

    Or

    2. Edit the SQL user so it can only be logged in via the correct host (127.0.0.1 or 192.168.1.1 etc).

    I suggest making a new SQL user for this and adding your IP address as the "host" if you are connecting remotely.

    It's not a good idea to be using root.
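
The second option in the post above, written out as MySQL statements for the 5.5 server shown earlier in the thread. This is an added example, not part of the original thread; the account name `status_ro`, the placeholder passwords and the existence of a `'root'@'%'` row are assumptions.

```sql
-- Added example. Run as an administrative user on the database host itself.
-- Assumed names: status_ro (new account), REPLACE_WITH_* (placeholder secrets).

-- 1. Audit: list accounts that accept connections from any host.
--    A wildcard host on root is what allows a remote "mysql -h ... -u root -p".
SELECT user, host
  FROM mysql.user
 WHERE host IN ('%', '')
 ORDER BY user, host;

-- 2. Create a dedicated account for the status page, reachable only over
--    loopback. If PHP runs on another machine, use that machine's address
--    as the host part instead of 127.0.0.1.
CREATE USER 'status_ro'@'127.0.0.1'
  IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';

-- 3. Grant only what the page's query needs: read access to the four
--    columns it touches (id is used in ORDER BY) on db.incidents.
GRANT SELECT (id, subject, time, details)
   ON db.incidents
   TO 'status_ro'@'127.0.0.1';

-- 4. Remove the remotely reachable root row reported by step 1
--    (assumed here to be 'root'@'%'; use the host value step 1 printed).
DROP USER 'root'@'%';

-- 5. Rotate the remaining local root password, since the old one was
--    published. PASSWORD() is the 5.5 form; on 5.7 and later use
--    ALTER USER ... IDENTIFIED BY instead.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE_WITH_NEW_ROOT_SECRET');

-- 6. Verify: the new account should show USAGE plus the column-level SELECT,
--    and the audit query from step 1 should no longer list root.
SHOW GRANTS FOR 'status_ro'@'127.0.0.1';
SELECT user, host FROM mysql.user WHERE user = 'root';
```

The PHP script would then connect as `status_ro` to `127.0.0.1`, with the password read from configuration outside the published source.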

  • perennate Member, Host Rep

    KwiceroLTD said: Can I get an easy button please?

    ?

  • @perennate said:
    ?

    Not a good idea to post the root creds..

    Stuff like this can happen: http://pastebin.com/fLJhvPaE

  • sleddog Member
    edited July 2015

    hbjlee17 said: The thread may be a bit misleading. I told @perennate to make the purpose of this thread more clear, but it's still hidden in tiny text.

    I saw the small text, and at the same time I couldn't believe @perennate was seeking help to fix a minor PHP syntax error (with some ugly code) :)

    Looking forward to seeing where this goes....
