Easiest way to send txt files to an FTP server.

GoliBroda

Member
GM Version: Studio
Target Platform: Windows
Download: see code below
Links: n/a

Hi, I'm making a game where you can create levels and upload them for others.
So I figured out the easiest way to do this. I haven't seen this method anywhere when I was researching the web for file-uploading tutorials.
I do it for sending levels, but you can also use it to pass single variables or JSON files with data.

So, first of all you need an FTP server. Select one, register, etc.

Step 1: Go to your FTP file manager, create a new file and call it WhateverYouWant.php
Step 2: Paste this code inside the file:


Code:
<?php
$string = $_POST["string"]; //Get string from gamemaker
$fileName = $_POST["fileName"]; //Get name from gamemaker (the GML below posts it under the key "fileName")
$string2 = str_replace('<', '', $string); //Delete "<" symbols from string for safety
file_put_contents("uploads/".$fileName.".sav",$string2 ); //Create .sav file from the string you send from gamemaker
?>
Step 3: Now go to GameMaker and put this somewhere in a key press event or something like that (not in the Step event)

Code:
//Upload Levels
var q = file_text_open_read("upload.sav"); //Here put the filename of the file you want to send
var filestr = "";
while (!file_text_eof(q)) { //file_text_read_string only returns one line, so loop over the whole file
    filestr += file_text_read_string(q) + "\n";
    file_text_readln(q);
}
file_text_close(q);

//NAMEofFile is a placeholder: a string variable holding the name you want the server to store the level under
http_post_string("http://website.com/NameOfUrFile.php", "string=" + filestr + "&fileName=" + string(NAMEofFile));
And actually that's it. You've sent your file to the FTP server.
You can pass as many variables as you want with http_post_string, just remember to put "&" between them.

Step 4: Do this in GameMaker to download the file and get its content.
Code:
//Key Press event (e.g. <Down>)
if keyboard_check_pressed(vk_down) {
    //First argument: address of the file on the server (use +string(something) to select different names).
    //Second argument: where to save it locally. We save it as a zip file because GameMaker doesn't allow downloading txt or sav files.
    file = http_get_file("https://website.com/test.sav", "down.zip");
}

//Async - HTTP event: http_get_file is asynchronous, so only rename once this request reports that it has finished
if (async_load[? "id"] == file && async_load[? "status"] == 0) {
    if file_exists("down.zip") { //Now just rename it to the extension you want.
        file_rename("down.zip", "save.sav");
    }
}
Some additional info:
If your file is JSON you can somehow reach its values without downloading the file (I'm not sure how; I think you can do it with http_request).
Another way of getting info from the server is doing something like this in your PHP file: echo("info you want to get with GM") and then using http_get to get this value (look in the GM manual to see how; you need to do it in the Async event).

Let me know if something is not right; I just wrote this code now without checking if it works.
 

FrostyCat

Member
PHP tutorials on the GMC have never failed to draw my ire, and this one is unfortunately no different.

First of all, you're looking for a web host with PHP support here, not an FTP server. Not all web hosts support user-uploaded PHP, and not all FTP servers run LAMP stacks.

Second of all, the body of your file is not properly URL-encoded, so a file containing anything on this list or a character past 0x7F would screw up the request. And even then, it's not binary-safe. A binary-safe setup would have used http_request() with multipart/form-data or at least a base64-encoded field, not stock application/x-www-form-urlencoded.

Third of all, your setup is vulnerable to a path traversal attack because you allow filthy user-specified file paths. This is another major no-no.
 

GoliBroda

Member
But if I delete the > symbols from the string, no one can create a PHP script inside a file, so they can't execute any code.
I don't know much about PHP; I just found file_put_contents on the web and made a simple level uploader for my game.
 

gnysek

Member
This is an HTTP POST request, not an FTP upload. Both HTTP and FTP are insecure; you should rather use HTTPS/SFTP.

I don't know much about PHP
Sorry to say that, but then don't create "tutorials" with such a lack of knowledge. Your example has so many security flaws that it could be used as an example to learn what people SHOULDN'T DO.
 

chamaeleon

Member
Can you give an example of how anyone could hack this?
Or I'll PM my game to you and you hack it.
Seems to me that this is a question better asked in a PHP/web development/security related forum or mailing list if you want to really understand what the problems may be. And of course, no one needs your game to exploit any vulnerabilities in your PHP code, they'll just use curl for instance and craft whatever requests they desire in order to show what could happen.
 

FrostyCat

Member
Can you give an example of how anyone could hack this?
Or I'll PM my game to you and you hack it.
First of all, I don't need the game client to break into the server, in fact it's much easier to just use curl or Postman. This is the first security-wise thing you learn when developing a backend in HTTP --- you could be talking to the client you intend to talk to, or you could be talking to a request tester that can say virtually anything it likes.

This is how you execute a path traversal attack against your setup:
As PHP uses the underlying C functions for filesystem related operations, it may handle null bytes in a quite unexpected way. As null bytes denote the end of a string in C, strings containing them won't be considered entirely but rather only until a null byte occurs. The following example shows a vulnerable code that demonstrates this problem:

Example #1 Script vulnerable to null bytes
PHP:
<?php
$file = $_GET['file']; // "../../etc/passwd\0"
if (file_exists('/home/wwwrun/'.$file.'.php')) {
    // file_exists will return true as the file /home/wwwrun/../../etc/passwd exists
    include '/home/wwwrun/'.$file.'.php';
    // the file /etc/passwd will be included
}
?>
Let's say there is another file called anotherFile.php just beside your endpoint that I want to deface. I would just use curl or Postman to make a request to your endpoint with the following body:
Code:
string=OVERWRITE&fileName=..%2FanotherFile.php%00
Aside from this, there are also ways for your own client to break the setup because you didn't encode the body properly. If your file string contains any character on this list or a character past U+00FF, you risk mangling the request and the data won't come out right on the other end. For example, if your file string is this:
GML:
000000&1011000&1010001&01101111
The resulting upload using your GML code would lose everything past the first &, because & separates request parameters in application/x-www-form-urlencoded requests.

Seriously, take down this "tutorial", and don't publish another until you get at least a year under your belt and learn how to do this stuff properly. I'd rather see nobody teach PHP on the GMC, than seeing somebody who's new to PHP teaching raw early-2000s PHP. It's a community-wide security risk, and it puts a huge black eye on GM as a whole.
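A hardened replacement for the endpoint from the first post, written as an added example for this thread (it is not code from GoliBroda or FrostyCat). It assumes the GML client keeps posting the two form fields "string" and "fileName", but now passes the level contents through base64_encode(), and that uploads live in an uploads/ directory next to the script; the 64 KiB cap is an assumed limit. It addresses both objections raised above: the file name is matched against an allow-list instead of having "<" stripped out, and the content survives application/x-www-form-urlencoded intact.

```php
<?php
// Hardened upload endpoint (added example, not the thread's code).
// Assumptions: the GML client posts "string" (base64 of the level) and
// "fileName"; uploads are stored in ./uploads next to this script.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 64 * 1024;            // assumed size cap for one level file

function fail(int $code, string $msg): void
{
    http_response_code($code);
    header('Content-Type: text/plain');
    echo $msg, "\n";
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

// 1. File name: allow-list rather than stripping "bad" characters. Nothing outside
//    [A-Za-z0-9_-] gets through, so "../", "%00" and a caller-chosen extension
//    are all rejected before any path is built.
$name = $_POST['fileName'] ?? '';
if (!is_string($name) || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name)) {
    fail(400, 'bad file name');
}

// 2. Content: the client sends base64, so "&", "=", newlines and bytes above 0x7F
//    in the level can no longer split or mangle the form body. Form decoding turns a
//    bare "+" into a space, so restore it before strict decoding (strict mode rejects
//    any other byte outside the base64 alphabet).
$encoded = $_POST['string'] ?? '';
if (!is_string($encoded)) {
    fail(400, 'bad encoding');
}
$data = base64_decode(str_replace(' ', '+', $encoded), true);
if ($data === false) {
    fail(400, 'bad encoding');
}
if (strlen($data) > MAX_BYTES) {
    fail(413, 'too large');
}

// 3. Build the target from the validated name only, keep the fixed ".sav" suffix,
//    and still assert containment (defence in depth if the regex is ever loosened).
$dir = realpath(UPLOAD_DIR);
if ($dir === false) {
    fail(500, 'upload directory missing');
}
$target = $dir . DIRECTORY_SEPARATOR . $name . '.sav';
if (dirname($target) !== $dir) {
    fail(400, 'bad path');
}

// 4. Write under an exclusive lock and tell the client what happened.
if (file_put_contents($target, $data, LOCK_EX) === false) {
    fail(500, 'write failed');
}
header('Content-Type: text/plain');
echo 'stored ', basename($target), "\n";
```

On the GameMaker side the only change is the request body: "string=" + base64_encode(filestr) + "&fileName=" + level_name, where filestr holds the whole file. Base64 output never contains "&", so the field boundary survives; its "+" arrives as a space after form decoding, which the script restores before decoding. The allow-list and the fixed ".sav" suffix mean a client can pick neither a directory nor an extension, but nothing here stops one client from overwriting another's level of the same name; authentication or per-user naming is a design question the thread does not cover. Serve the endpoint over HTTPS, as gnysek notes, and keep uploads/ somewhere the web server will not execute scripts.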
 