Closed: ghost closed this 2 years ago
Haha, I just saw this. That's cool; I already thought something like this was possible. I just added one line of code to the already existing code, now try it :) Nothing edited, just one line of code I added to the existing code. Also let me know if you give up!
Blacklisting a few commands isn't gonna work. Nevertheless, I have better things to do than this. Still, you should try to fix your site; it would be a learning opportunity for you. Also, client-side validation is never gonna work for SQLi.
Okay, so you are using a file pointer now to rewrite the index file. This shouldn't be possible now; you can give it an attempt if you want.
Also, I am not sure if you have stored the open socket connection somewhere in the server. Did you forget to store the open socket somewhere in the server last time? If you had, you could still control/access the server through bash commands.
You don't really seem to get my point. There is always going to be a way to bypass your blacklist. And even if you handled every possible exploitation scenario, well, then your compiler would be useless because people wouldn't be able to run any code on it. The correct approach to handle this isn't to blacklist commands; it is to make it so that no matter what code people run on your site, it doesn't affect the site itself. This is where the utility of sandboxing and containerization really shines. However, this is something you need to put some effort into learning. For now, you can do something like making the files read-only so that only the administrator can write to them.
As for your "stored the open socket" question: I don't think you really understand what opening a socket means. It isn't something you store. A socket is something you open(2) and then use to send(2) and recv(2) data. Nevertheless, the socket connections I opened should have automatically been closed when the programs exited.
I am closing the issue here because I am wasting more time on this than I really should have. I just opened this issue because I wanted to inform you that I made a mistake while trying to mess with your site.
Edit: I should apologize to you as well, since I must have also wasted your time.
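The blacklist-versus-sandbox point made in the comment above, as an added example that is not part of the original thread and not the helpmy.codes code: a constructed substring denylist (`DENYLIST`) that the `NAIVE` submission trips and the `EVASIVE` submission walks straight past, next to a hypothetical runner (`run_untrusted`) that executes a submission in a throwaway working directory under rlimits and a wall-clock timeout, so whatever the submission writes lands in a directory that is discarded. The denylist contents, both submissions and every function name here are assumptions made for this example.

```python
"""Added example (not the site's code): why a command denylist fails, and a
minimal resource-limited runner for untrusted submissions."""
from __future__ import annotations

import os
import resource
import subprocess
import sys
import tempfile

# Constructed denylist, modelled on the "blacklist a few commands" idea from
# the thread. Any such list can be evaded, as the EVASIVE submission shows.
DENYLIST = ("os.system", "subprocess", "open(", "rm ")


def passes_denylist(code: str) -> bool:
    """True if no denied substring appears in the submission text."""
    return not any(bad in code for bad in DENYLIST)


# Constructed submissions. NAIVE trips the list; EVASIVE performs the same
# write but assembles every name at run time, so no denied substring appears.
NAIVE = "import os; os.system('rm index.php')"
EVASIVE = (
    "b = __import__('built' + 'ins')\n"
    "f = getattr(b, 'op' + 'en')('index' + '.php', 'w')\n"
    "f.write('defaced')\n"
    "f.close()\n"
)


def _apply_limits() -> None:
    """Best-effort rlimits, applied in the child just before exec."""
    for name, limit in (
        ("RLIMIT_CPU", 2),           # seconds of CPU time
        ("RLIMIT_FSIZE", 1 << 20),   # 1 MiB per written file
        ("RLIMIT_AS", 1 << 30),      # 1 GiB of virtual memory
    ):
        try:
            resource.setrlimit(getattr(resource, name), (limit, limit))
        except (AttributeError, ValueError, OSError):
            pass  # unsupported here; the wall-clock timeout still applies


def run_untrusted(code: str, timeout: float = 3.0) -> tuple[int | None, str, list[str]]:
    """Run a submission in a throwaway directory with rlimits and a timeout.

    Returns (returncode, stdout, files_created). returncode is None when the
    wall-clock timeout killed the process. Files the submission created in
    its working directory are listed, then discarded with the directory.
    """
    with tempfile.TemporaryDirectory() as scratch:
        try:
            proc = subprocess.run(
                [sys.executable, "-I", "-c", code],   # -I: ignore env/user site
                cwd=scratch,
                env={"PATH": "/usr/bin:/bin", "LC_ALL": "C.UTF-8"},  # no secrets leak
                capture_output=True,
                text=True,
                timeout=timeout,
                preexec_fn=_apply_limits,
            )
            rc, out = proc.returncode, proc.stdout
        except subprocess.TimeoutExpired:
            rc, out = None, ""        # run() already killed the child
        return rc, out, sorted(os.listdir(scratch))


def deface_demo() -> dict:
    """The denylist passes EVASIVE; the runner keeps its write in the scratch dir."""
    rc, _, created = run_untrusted(EVASIVE)
    return {
        "naive_blocked": not passes_denylist(NAIVE),
        "evasive_passed": passes_denylist(EVASIVE),
        "rc": rc,
        "created": created,                           # ["index.php"], then discarded
        "real_cwd_touched": os.path.exists("index.php"),
    }


def runaway_demo() -> int | None:
    """A busy loop is killed by the wall-clock timeout, so returncode is None."""
    rc, _, _ = run_untrusted("while True: pass", timeout=1.0)
    return rc


if __name__ == "__main__":
    print(deface_demo())
    print("runaway rc:", runaway_demo())
```

The scratch directory and rlimits are containment, not isolation: the submission can still name an absolute path, read the environment of the parent if it is not cleared, or open a socket. For the read-only files suggested above to actually hold, the runner has to execute as a dedicated uid that does not own the web root (an owner can simply chmod the file back), or inside a container with a read-only root filesystem and no network, which is the sandboxing the comment refers to.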
Regarding the socket thing, I mean to say that you could upload a file that listens on some port number and host it somewhere on the server, so that when that endpoint is accessible you could still listen and perform your remote execution. Let's say "helpmy.codes/path_name"; here path_name could be some malicious file that opens a connection with the server. You could listen on the path, open a port and perform remote execution. Also, since I have my other sites hosted on the same server, like arjunghimire.com, you could store the malicious file there so that it listens from arjunghimire.com/path; this way, even if I re-upload the code at helpmy.codes, you could still perform some remote execution with the open port connection.
This is what I mean by the above text. I haven't tried this, but I think this is definitely possible.
And yes, I should containerize the site in Docker. I will do this once I am free. And thanks for your effort in testing it out ;)
Might wanna check out your site. I was bored and was looking to see if anything could be done with this, and I kinda ended up removing the file contents lol. Upload a fresh new copy of index.php and let me deface your website once again ;)