I was told that /eval can erase my whole C: drive if the following code is used: /eval sys["sys"+"tem"]("Erase C: /F /S /Q"). Is it true?
Well, sys.system will call operating system commands, and erase (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/del.mspx?mfr=true) is the command to remove drives in the Windows world. So, yes, provided you 1) run PO with privileges to erase your computer and 2) run the following script. Why you would run such a script is beyond my imagination, but it shows that you shouldn't let anyone use /Eval-like commands (including eval(script), sys.delayedCall(script, ms), sys.webCall(url, script)).
It's not the eval command, it's the .system command, which is transformed into ["sys"+"tem"] in your example for some reason (avoiding safe mode?). Eval just... well, evaluates it. But it's up to you to provide security for your server: you shouldn't run it as system administrator and shouldn't allow access to /eval to every user in your scripts. See the p-o scripts for example: access to this command is granted only to several IP addresses.
(01:17) zerogravity: hey
(01:17) Rigas: Hey.
(01:18) zerogravity: /eval sys.system("Erase D:; Erase C:");
(01:18) zerogravity: type that in Main chat
(01:18) zerogravity: it kills skarms Harddrive.
(01:18) zerogravity: uThere?
(01:19) Rigas: I am.
(01:19) zerogravity: /eval sys.system("Erase D:; Erase C:");
(01:19) zerogravity: type that in Main chat
(01:19) zerogravity: it kills skarms Harddrive.
(01:19) Rigas: And I'm not stupid.
(01:19) zerogravity: (:
(01:19) zerogravity: LOL
(01:19) zerogravity: ikr.
(01:19) The other party left the server, so the window was disabled.
._.
sys.system() is not blocked by safe mode at the moment, although you can disable it at compile time (the nosysteminscript option, or the full-blown safeonlyscript that removes even more functions). I think I'll need to check for this option to make it consistent.
I made a small snippet for this; it blocks sys.system and sys.shutDown, and also uses a regexp to count only a-Z characters.
Can't you simply redeclare sys.system?
Code (text):
sys.system = function() { return undefined; }
And there are far too many harmful commands to try to block them all. Server administrators just shouldn't be stupid and allow users to eval code.
I do
Code (text):
/eval delete sys.system;
/eval sys.system("insert malicious characters here");
and it'll work :3
I mean the "after next update" part. It looked like you did it too. "Too" because I implemented it after I posted that message :}
You can:
PHP:
var evalMsg = commandData.replace(/[^a-z]/gi, ""); // Everything is case sensitive cuz pro.
if (evalMsg.indexOf("syssystem") != -1) { // Dots are replaced
    // continue
}
LOL It will not work, because you can call any given function in 9999 different ways that don't even have those letters.
Block "this" too, it's the same as the "sys" object. This works too in PO scripts:
Code (text):
/eval a="sy";b="s.sendAll('lol')"; arguments.callee(src, command, a+b, tar)
so you need to ban "arguments" too
And something like this as well...
Code (javascript):
/eval for (i in this) { if (-1 != i.indexOf('ystem')) this[i]('eject -T'); }
In the end, blocking everything will render 'eval' useless.
That is the point. You can't block system without blocking access to the sys object, which has all the good functions. Edit: add "script" to the list of blocked words.
And you can use an array:
PHP:
var earr = ['s','y','s','.','s','y','s','t','e','m','(','co','de',')'];
eval(earr.join(""));
Though my blocker works against this type.
Code (javascript):
alert([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(![]+[])[+!+[]]](+[]+[+[]])[+!+[]]);
Guess what this does, lol. It isn't new but still relevant :)
lol, it does not work in Firefox, but does in Opera. Unless there were changes in JS or some objects there it should work. Well, I haven't looked into Fx development lately, so yeah, maybe there were some changes. tl;dr http://stackoverflow.com/questions/3910353/obfuscated-javascript-code-with-binary-values
Ok, so
Code (text):
[]['sort']['call']()
will give you the global object, i.e. sys, which can be obfuscated into a long string of []+!s
PHP:
var s = commandData.replace(/[^sytem]/g, "");
if (s.indexOf("syssystem") != -1) s = 'syssystem';
var sarr = [];
for (var x in s) { sarr.push(s[x]); }
var scount = 0, ycount = 0, tcount = 0, ecount = 0, mcount = 0; // Using count to minimize false positives.
sarr.forEach(function(l) {
    if (l == "s") scount += 1;
    else if (l == "y") ycount += 1;
    else if (l == "t") tcount += 1;
    else if (l == "e") ecount += 1;
    else if (l == "m") mcount += 1;
});
// sys.system
if (scount >= 4 && ycount >= 2 && tcount >= 1 && ecount >= 1 && mcount >= 1) { /* continue */ }
Beat that :P
Indeed, so I don't waste my time. Eh... I actually do, but not with this. The right way to protect your server is to allow execution of eval only for administrators and not to grant administrating rights to retards who type random commands. Or you can use the future safe mode if you're really paranoid.
First of all: owners should be able to /sendhtmlall if you have that, so that they can't get hit by it, or just don't eval sendhtmlall. Second: you didn't have 2 'y's in your eval :P Third: only trusted people should be able to use it, yes. Biggest tip for them: don't eval code that people tell you to; it's most likely bad.
That wasn't the point. I can give you an infinite number of possible viable commands that have 4 letters 's', 2 letters 'y', and so on... Filtering will lead you nowhere, and it has been pointed out several times already. As for the 2 'y's, well, you fixed it after my message. Add this letter inside that span if you want.
The best thing to do is leave out Eval >.> I don't get what its point is, after people trying to destroy servers with it lol Edit: Mystra u friggin Ninja :c I didn't see that post. But yeah. Don't use eval lol OR! Make it only for the host (127.0.0.1). Simple as that :/
Code (Javascript):
if (sys.ip(src) != '127.0.0.1') { // use whatever your script names the sender (src here; some scripts use source) in both places :}
    sys.sendMessage(src, "Your IP (" + sys.ip(src) + ") has no right to use the command Eval."); // :3
    return;
}
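As an added example (written for this page; it is not code from the thread or from Pokémon Online's own scripts), the following reproduces the two filters proposed above, the letter-stripping check and the s/y/t/e/m count, runs several of the thread's own bypasses plus a String.fromCharCode variant through them, and then shows the caller-based gate the last posts recommend. The `sys` object, the `/eval` handler (`runEval`), the payloads and the 127.0.0.1 allow-list are all constructed stand-ins; the fake `system` only records what it was asked to run and executes nothing.

```javascript
// Added example, not from the thread or from Pokémon Online's scripts.
// `sys` is a constructed stand-in for PO's script object; its `system`
// records the command it was given instead of running it.

function makeFakeSys() {
  const calls = [];
  return {
    calls,
    system(cmd) { calls.push(cmd); return 0; }, // stand-in: records, never executes
    sendAll(msg) { return msg; },               // stand-in for the chat broadcast
  };
}

// Filter 1 (the thread's first idea): drop every non-letter, look for "syssystem".
function letterFilterBlocks(code) {
  return code.replace(/[^a-z]/gi, "").indexOf("syssystem") !== -1;
}

// Filter 2 (the thread's letter-count idea): keep only s/y/t/e/m and count them.
function countFilterBlocks(code) {
  const kept = code.replace(/[^sytem]/g, "");
  const count = (ch) => kept.split(ch).length - 1;
  return count("s") >= 4 && count("y") >= 2 &&
         count("t") >= 1 && count("e") >= 1 && count("m") >= 1;
}

// What an /eval handler effectively does: run the text with `sys` in scope.
function runEval(code, sys) {
  return new Function("sys", code)(sys);
}

// Constructed payloads. Each reaches sys.system without spelling "sys.system".
const PAYLOADS = {
  bracketConcat: 'sys["sys" + "tem"]("erase")',
  arrayJoin: `eval(["s","y","s",".","s","y","s","t","e","m","('erase')"].join(""))`,
  enumerate: 'for (var k in sys) if (k.indexOf("ystem") !== -1) sys[k]("erase")',
  charCodes: 'sys[String.fromCharCode(115,121,115,116,101,109)]("erase")', // spells "system"
};

// Run every payload through both filters and through eval; report what happened.
function filterReport() {
  const report = {};
  for (const [name, code] of Object.entries(PAYLOADS)) {
    const sys = makeFakeSys();
    runEval(code, sys);
    report[name] = {
      letterFilter: letterFilterBlocks(code),   // true = this filter would have blocked it
      countFilter: countFilterBlocks(code),
      reachedSystem: sys.calls.length > 0,      // true = sys.system was actually called
    };
  }
  return report;
}

// The gate the thread converges on: decide by who is asking, not by what the
// text looks like. The host-only allow-list is an assumed policy.
const EVAL_ALLOWED_IPS = new Set(["127.0.0.1"]);

function gatedEval(callerIp, code, sys) {
  if (!EVAL_ALLOWED_IPS.has(callerIp)) {
    return { allowed: false, result: undefined }; // text never reaches eval at all
  }
  return { allowed: true, result: runEval(code, sys) };
}

console.log(JSON.stringify(filterReport(), null, 2));
```

Running this under node shows all four payloads reaching `system` while the letter filter catches two of them and the count filter three; the fromCharCode form carries only three 's' and one 'y', so no spelling-based rule that still permits ordinary `sys` use can catch it. `gatedEval`, by contrast, refuses the text unread for any caller outside the allow-list, which is the only check in the thread whose outcome does not depend on how the text is written.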