2

this is not about how to encrypt and decrypt. I want to know if it is possible to run a function after retrieving and decrypting it from a text file.

For example I will create a function that defines database password and then encrypt it as if it was just a text string and write it to a text file.

Then I have the function that defines the db password as an encrypted un-readable mess.

When I need the password, I would get the file contents and decrypt it but at this point I need to be able to run it as a function so it will define the DB_PASSWORD constant but it is just text in a string now.

It's the same as if I just did this:

$var = "function define_password(){
   if(!defined('DB_PASSWORD')){define('DB_PASSWORD', 'password');}
}";

It's pretty obvious all I can do with this is echo it out because it's just text in a variable.

So, is there any way to make php see that as a function instead of a string variable?

Thanks

Even if it's redundant, it's educational so I'm posting the result of using the eval() method Xenon pointed out. Here's the encrypted and hidden file called .nothing in a directory outside www with read only access to www-data owned by root:

Pswo0DlrEPMNEs7ExyFs8Zh2n+bSj6yr4NI9zV7gTP9qFiesrFKLxsjoo3R3CnsYJNkojeo0v2gQtI4iJGLzKUS8zdhePLElk3BwhliB3dxYwvRkJFMqbtw7k/UBo0pHPLR/jVRnWq+cTByr0xp8p7X9v8Olbfrz4zwo+VXIDwLA6GsOJTK14Hy0E4jksgeuEQ7/PDtxCgWoMPQ2OomPwjFjukdrAofbF5jxU9zCUK5Cs1UZ8+PYA79w0lccEpUA9vWBPZ6Xuwhr4KuGeyoUCchK9wGgaXDD6Oc845OsmnR/wi+EMnYacvGGeLxN96wEAt9vh/dwmYIkHmpuBtPWUP1vRT/HzTv39HfXoFFKx1kGww4Xph/cjS8joYwAgh+C+LT61sBjlfazkDRNabpmZFd2yyocD+6lQeHrmKuvYxa0cfMSYa8ScAQaBz6Ycg99ldOinEbd+mTnZKltFialAoHOvha4Surc0XZX7vtFx1TxSMctjkgCmLw4bHhJ6B3htLkhOysb6Oz5M1rniogFwEZnFaqLsqD1etpYv1RpceB8FPSss7/Zu0vGwbGeSMldr06FeHylRlB6n25QiH3qaKieHuD8ErKvQjm3YAVCshU04ydR0lTU5ckKnFGGxAGtiXjK9rV3Hle69vk7RjtYJVVuPCbmdSETdE/zHem+w1THKw4/NUROdxiOIDYQtQ6oDY0ORiwAqjU9QHlqwFyadPrDG37AYXSCzLgwFCw76J6uGyYzDsIVDUnP6Dv3yV1yvjrpxAFb5lA9APrnU8qIgNrgEoaZAznpX91QQxt6ztgJFVHyOSyUP8DkkFpsPamHwg22jb1oUZlOVsCgzMSj9G1M4sgokW6lpQjXCtuDYXVrAwoWHk6Bh+UiBXVUoOPIvEjG4PtCIRQl84lEtKiUPAQSWA/7rgN1O308j9tRtNBzho2xYMTPg2g5DOS82RRSS7/ehGxEWlbh9cqig6Xux+oyLLXK4uIp8qA4kLqvuVX9w/UAfJRRfV89t5xQsshMP8TnFn3KrAZtGJ7lQDOduzMiHXpu9Wu91IsEfbHr/v2U0CD+sMc7h9K755fYpdNUptpaRvyz0sVZW96sldPsxY26LktnQaKIAAoDNgcIFbNOmGOBnIuUVOQBUVxbC+e2cYJy8xQsjsJBe0AChfTZB+Vi0TiERyA28OCti4T4PTA=

I made it with the encrypt function in the code below which came from someone here on stackoverflow.

<?php 
define('SALT', 'whateveryouwant');

function encrypt($text) 
{ 
    return trim(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, SALT, $text, MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)))); 
}

function decrypt($text) 
{ 
    return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256, SALT, base64_decode($text), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND))); 
}

$dec_db = decrypt(file_get_contents('.nothing'));

eval($dec_db);



defineit();
echo ET_APP_USERNAME;

The encrypted part is a function that defines usernames and passwords for 3 different databases but echoing out the first username shows me it works perfectly. And of course as was pointed out, if someone has access to the server they will see the SALT constant and the encrypt/decrypt functions and know from the file_get_contents method where it is so I guess this was just educational for me.

user1311706
  • 21
  • 3
  • 2
    What is the benefit you hope to get from doing all this? – deceze Apr 04 '12 at 01:22
  • I'm experimenting with different road blocks to put up for security and was thinking if database connection values aren't defined until runtime and not written in plain text in a config file, it would make it that much more difficult for a hacker to figure out. – user1311706 Apr 04 '12 at 01:34
  • 3
    Since your code will have to have access to the real password, there's **NO** way to make this any more secure, if an attacker has access to the encrypted password and therefore the server to begin with. However many layers of encryption you'll layer on top, I'd just go in and put a `var_dump(DB_PASSWORD)` into your code where it connects to the database. You're trying to defend an area that's already too late to be defended. – deceze Apr 04 '12 at 01:46
  • good point deceze but since I'm being educated here, suppose you don't have access to the server. Is this still redundant? I mean is there any other way you can go through a port and try to dump my password without having access to write to my files? – user1311706 Apr 04 '12 at 01:55
  • 1
    First, no, by default there's no secret backdoor to access anything on a server besides what the server is freely willing to give out (i.e. the website). If there was, there'd be no security on the 'net. So the only way to get the encrypted password is to read the file from the disk. And however an attacker would manage to do that, he'd manage to get the other files the same way. Even if he could only *read* the files, he could still get all the decryption code and follow the same steps to decrypt the password. At best this'll slow him down a minute or two. – deceze Apr 04 '12 at 02:01
  • Ok, well thanks for the info deceze. Not knowing much about how hackers do the dark magic they do, I guess I get some silly ideas and it's good to have someone tell me why it's pointless to do. – user1311706 Apr 04 '12 at 02:05

4 Answers4

2

I'll just suppose that the benefit you hope to get here is that an attacker won't be able to read the database password, if your site was ever hacked. Based on that assumption, I'll say:

  1. An attacker that can get the encrypted password code can with all likelihood also get the code that decrypts the password and decrypt the password himself. Nothing gained.
  2. Why does it have to be code that sets the password? Just encrypt the password itself. Then when you decrypt it, you'll have the password as a string and this question becomes irrelevant. I don't see any advantage whatsoever in requiring code that needs to be executed.
  3. Requiring arbitrary code to be executed just opens you up to more security problems and possibly code injection.
deceze
  • 510,633
  • 85
  • 743
  • 889
  • I don't know, I'm still somewhat new to programming and not sure what all directions a hacker can attack from so was just trying to come up with something to add more difficulty. The eval() method Xenon posted does seem to be what I was looking for but I'm considering the error of my thinking. Thanks deceze – user1311706 Apr 04 '12 at 01:47
  • 2
    Just start with the premise that if an attacker can read the file with the encrypted password, you can be pretty sure he has access to all other files on the disk as well, and can likely even modify them. Then what? – deceze Apr 04 '12 at 01:49
0

I think what you may be looking for is eval(), which takes a string and executes it as PHP code.

Be very careful with using this, and heed the warning:

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

So, for example, you could do this:

$var = "function define_password(){
   if(!defined('DB_PASSWORD')){define('DB_PASSWORD', 'password');}
}";

eval($var);
Xenon
  • 3,174
  • 18
  • 37
  • If eval runs the variable as a function then it is what I was looking for. Not sure how else I could ask the question other than to leave out the encrypted/decrypted part. I'm actually going to get the value of $var by decrypting an encrypted string. I didn't know about eval(). Thanks for the info – user1311706 Apr 04 '12 at 01:36
  • Thanks Xenon. You answered the question even though I can see the logic in some of the others as to why this is pointless. I found some more info here that helped my understand why eval can be dangerous. http://stackoverflow.com/questions/951373/when-is-eval-evil-in-php – user1311706 Apr 04 '12 at 01:43
  • `eval()` should execute the code, which would be like writing a function normally. You still have to call the function to use it. – Xenon Apr 04 '12 at 01:45
  • I'd vote you up for answering my question but I don't have any rep points so I can't vote :-) – user1311706 Apr 04 '12 at 01:50
0

If you hadn't given the explanation of what you were trying to achieve with this, I wouldn't have said anything. However, since you're saying that what you're trying to achieve with all of this is to read a password stored in a file (inside a function for some reason), I would highly suggest you review your method of attack.

I'll direct you to the benefits of parse_in_file() http://www.php.net/manual/en/function.parse-ini-file.php

If possible, don't store a function to simply define a variable - there are far better ways to do it, and using an ini file is a very good/better alternative. You can even have it define() the password too if you want to make it even easier to access the information.

Eli Sand
  • 1,032
  • 7
  • 11
  • well my point as poinless as it turns out to be was that the password is not even defined until runtime when it gets run by the app. But thanks for the info. I'll also look at parse_ini_file – user1311706 Apr 04 '12 at 02:09
  • That's exactly what you can do. Your ini file stores the password; you load the ini file at runtime and it's stored as an element in the ini object and then you can use a `define()` call to define the password in to a constant. – Eli Sand Apr 05 '12 at 23:22
0

Try create_function(). Then call it. If it fails, it returns NULL or FALSE or smth.

Dude
  • 1