Jump to content

Challenge: File converting proxy?


VaKo

Recommended Posts

At my workplace we have a very strict firewall in place, all web traffic must go threw a proxy filter which doesn't allow the downloading of exe files as they're a risk. I can't ping tunnel or ssh tunnel or connect to a VPN outside of our WAN. But, I still occasionally need to download a exe while I'm at work. My idea for a solution to this problem is a php or perl script where you give it a link, it downloads a file to a friendly server, zips it up (or just renames the file) and gives me a link to the proxy safe file I can download (in the same fashion as kimag.es). What are your solutions for this spec using a standard lamp stack?

Link to comment
Share on other sites

that'll take too long why not just code up a little php that will download it and rename it to filename.exe.zip or filename.zip

I doubt the proxy will catch that and it will take less load on the server

maybe con the_php_jedi to do it in a way that also deletes the file on download

I'd do it now, but I'm at work so hit me up in IRC later and I'll do it when I'm home

Link to comment
Share on other sites

Souds like you need soem sort of transcoder script. Back in the day, Angelfire used to have an option to upload files, not just from your pc, but you could point it to any link, and as long as you had read permissions to the file, it would pull it down and plac eit in your uploads directory. So, say you had an image or exe file you wanted to move to your angelfire page, you paste the link into the form and it grabbed it. It also gave you the option to rename it before storing it, so you gave it the link and a file name of your choosing. I used to do this to pull in exe files at work because they still allowed ZIP files through the proxy. All i did was log on to angelfire, give it the link of the file I wanted and a somename.zip and it then placed it in my folder on angelfire. I could then download the zip file and rename it to exe and do whatever I needed to do.

Now, I have nto used angelfire in years. I have no idea if they still have this function builtin. I imagine it was probably nto the smartest feature since it coudl probably be abused in some way to make angelfire execute downloaded code, but I do not have an accoutn with them anymore so I can not verify this feature still even exists.

Using LAMP, I am sure you coudl write a script in php to do the same thing. There are a few addons out there that let you create zip files as well, but I have never tried it personally. Sounds like a good project to work on...

Link to comment
Share on other sites

Thats pretty much my idea, I go to a page on my server, bung in the link to file.exe, click go, then get given a link for said file.exe.zip and download it from my box. Using zip in store mode (ie sans compression) was my intended method of using zip.

(I don't code myself, so I wouldn't know where to start)

Link to comment
Share on other sites

<?php
header('Content-type: application/zip');
header('Content-Disposition: attachment; filename="file.zip"');

if(isset($_GET['url'])){ 
    require $_GET['url'];
} else {
    echo 'please enter data';
}
?>

thoughts?

also this only uses security though obscurity so be weary of that

maybe in another version I'll add the input box and some safety measusers

copyright me for now

Link to comment
Share on other sites

You should also password protect the page itself. You dont want people to access your upload form and fill your server with files.

<?php

// Define your username and password
$username = "pickanamevako";
$password = "pickapasswordvako";

if ($_POST['txtUsername'] != $username || $_POST['txtPassword'] != $password) {

?>

<div style="position: absolute; left: 100; top: 56; z-index: 99;">
<table width="270" height="250"><TR><TD valign="top"><BR>

<blockquote>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <p><label for="txtUsername">Username:</label>
    <br /><input type="text" title="Enter your Username" name="txtUsername" /></p>

    <p><label for="txtpassword">Password:</label>
    <br /><input type="password" title="Enter your password" name="txtPassword" /></p>

    <p><input type="submit" name="Submit" value="Login" /></p>
</form>
</blockquote>
</td></tr></table>
</div>





<?php

}
else {

?>

<!---// Above part goes before any executing code of the page!! //---->
<!--//Begin Content for page below this line: This section is only viewable after a successful logon through PHP control above. //-->


<!--Begin Upload script here->

This is the content you can only see after logged on to the page.





<!--//End Content for Pages above this line, enclosing all to be hidden until logged on.//-->
<?php

}

?>

Still needs the rest of his upload script.

@SomeoneE1se - just looked at it again. It sends the zip file to me just fine, only its nto the real zip file. The zip file I create contains data, but when your script sends me the file, it is just a text doc with the line "please enter data" :) It lookslike yoru echo statement is creating a text file with the line "please enter data" and spitting it out as file.zip

Link to comment
Share on other sites

Upload code. This takes a url in the form of http://somesite.com/thefileyouwant.exe and copies it into a gzip file named file.gz. You can just as easily name it file.zip instead of .gz by changing the code below.

<form name="ZipFiles" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
Enter the URL to Download: <input type="text" title="URL" name="fileURL" /> <input type="submit" name="Submit" value="Zip it Up!" />
</form>


<?php

if ($_POST['fileURL'] == "") {
echo 'Please Enter A URL To Download';
exit;
}

else{

/* Stream File from Remote Server to Local server */
$httpfile = file_get_contents($_POST['fileURL']);

/* Create a compressed file containing an arbitrarty string
 * File can be read back using compress.zlib stream or just
 * decompressed from the command line using 'gzip -d foo-bar.txt.gz'
 */
$fp = fopen("compress.zlib://file.gz", "wb");
if (!$fp) die("Unable to create file.");

fwrite($fp, $httpfile);

fclose($fp);

echo '<a href="./file.gz">Click here to Download zipped file!</a>';
}

?>

If you leave off the http:// part it throws an error. Someone can clean that part of the code up if they want to, I just didn't get to it yet.

edit: Cleaned it up a bit to give you the link afterwards.

Link to comment
Share on other sites

Ok, went a step further and made two files. One to logon to the upload form, the other posts to it and returns the URL for the zippd up file at zipit.php. Just be sure to change the logon and password in vako.php. Right now they are set to 1 and 2. Also, rename these files to somehting not obvious, and change the code to point to the renamed files. This way no one can create their own script to http-post to your zipit.php file on your server and send a HUGE file that could either fill up your diectory or send 100's of requests to the form.

http://www.twistedpairrecords.com/digip/vako.rar

It overwrites the file.gz every time you give it a new URL.

I should warn that this only works on http prefixed urls. Change the Stream section to match your needs for other things like https, ftp, etc.

I tested it on an exe file and it saves it in a file.gz as "file". U unzipped it and renamed it back to its original name.exe and it ran fine.

<?php
/* Read local file from /home/bar */
$localfile = file_get_contents("/home/bar/foo.txt");

/* Identical to above, explicitly naming FILE scheme */
$localfile = file_get_contents("file:///home/bar/foo.txt");

/* Read remote file from www.example.com using HTTP */
$httpfile  = file_get_contents("http://www.example.com/foo.txt");

/* Read remote file from www.example.com using HTTPS */
$httpsfile = file_get_contents("https://www.example.com/foo.txt");

/* Read remote file from ftp.example.com using FTP */
$ftpfile   = file_get_contents("ftp://user:pass@ftp.example.com/foo.txt");

/* Read remote file from ftp.example.com using FTPS */
$ftpsfile  = file_get_contents("ftps://user:pass@ftp.example.com/foo.txt");
?>

Take from http://us3.php.net/stream

Link to comment
Share on other sites

digip correct me if I'm wrong but not one of your files will get the file from another site,

It downloads whatever URL you pass to it and zips it up into file.gz

Have you tried it? It does work, or at least for me and my settings for PHP.

You might get an error if you have certain settings disabled on the server like "URL file-access is disabled in the server configuration" if "allow_url_fopen" is off. If thats the case, you can use CURL alternatives, but I have not tried anything for curl yet.

Link to comment
Share on other sites

digip correct me if I'm wrong but not one of your files will get the file from another site,

It downloads whatever URL you pass to it and zips it up into file.gz

Have you tried it? It does work, or at least for me and my settings for PHP.

You might get an error if you have certain settings disabled on the server like "URL file-access is disabled in the server configuration"

you're right my apologies I missed the write out part

Link to comment
Share on other sites

digip correct me if I'm wrong but not one of your files will get the file from another site,

It downloads whatever URL you pass to it and zips it up into file.gz

Have you tried it? It does work, or at least for me and my settings for PHP.

You might get an error if you have certain settings disabled on the server like "URL file-access is disabled in the server configuration"

you're right my apologies I missed the write out part

Also, there is a problem if your host blocks "file_get_contents" so I have made a CURL alternative as well in the event that anyone has a problem with my first script. They both work, but the first one leaves a security hole, if it does work on your server. The reason being that if it allows access when file_get_contents is used and Allow_url_fopen is turned on, someone can append the url in the browser and post code against it in an attemtp to take over the server. The CURL version is safer.(Or at leasts thats what DreamHost told me. My original script works fine on my dev box, but not on my dreamhost account. I then had to make the CURL version to get it to work, so both work, just depends on your PHP installation and settings that are enabled/disabled)

http://www.twistedpairrecords.com/digip/CURL_ZipIt.rar

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...