mchiasson

I need to secure my install a bit better as it was installed as a subdomain of my root. I do have .htaccess restrictions to block .ENV access but still keep manage to see a hacked page popup once in a while on my server monitoring. Each time it looks like a PHP Webshell gets uploaded.

When looking at my raw access logs it shows a lot of different requests to PHPUnit and I'm curious if that is the flaw in my system. My Env is set for App_Debug=False. Below is a snippit of my logs, you can see them sending get/post requests to alpha.php in phpunit and then also eventually they have access to a phpshell of '/wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php' in an above level wordpress install.

109.127.13.152 - - [29/Jun/2019:19:20:30 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 146160 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:32 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 10536 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:34 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 3141 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:41 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 3909 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:46 -0400] "GET /portal.MYDOMAIN.com/MYDOMAIN-back-office/vendor/knplabs/knp-snappy/src/Knp/new.php HTTP/1.1" 404 73885 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:48 -0400] "GET /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 319 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:20:52 -0400] "POST /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 8038 "http://www.MYDOMAIN.com/wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:21:33 -0400] "GET / HTTP/1.1" 301 - "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:21:59 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 11910 "http://MYDOMAIN.com/portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:22:15 -0400] "GET /wp-includes/css/dist/list-reusable-blocks/pwjs4ahasd.php HTTP/1.1" 200 8038 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:48.0) Gecko/20100101 Firefox/48.0"
109.127.13.152 - - [29/Jun/2019:19:22:25 -0400] "POST /portal.MYDOMAIN.com/MYDOMAIN-back-office//vendor/phpunit/phpunit/src/Util/PHP/alfa.php HTTP/1.1" 200 7199 " ```
Any suggestions? This weekend I'll go separate these domains into different cPanel directories.

Thanks @lostdreamer_nl , this helped me find my record that was causing issues! I didn't know how to look at that info above to strip out that info.

Hi everyone, I have some listeners that will send email notifications when documents are added and stuff.

One listener emails subscribers of departments when a new meeting is created. These come through ok but one failed today. Is there a way I can see what data is being sent in the job to debug it?

My laravel log file shows

roduction.ERROR: Address in mailbox given [initialization] does not comply with RFC 2822, 3.6.2. {"exception":"[object] (Swift_RfcComplianceException(code: 0): Address in mailbox given [initialization] does not comply with RFC 2822, 3.6.2. at ......

But similar notifications for different departments are being sent and we only have a handful of subscribers so not sure what is messing up here.

My jobs database has this info in the payload field but not sure how I could use this to debug.

{"displayName":"App\Listeners\MeetingSubscriberEmailNotification","job":"Illuminate\Queue\[email protected]","maxTries":null,"timeout":null,"timeoutAt":null,"data":{"commandName":"Illuminate\Events\CallQueuedListener","command":"O:36:\"Illuminate\Events\CallQueuedListener\":7:{s:5:\"class\";s:48:\"App\Listeners\MeetingSubscriberEmailNotification\";s:6:\"method\";s:6:\"handle\";s:4:\"data\";a:1:{i:0;O:23:\"App\Events\MeetingAdded\":4:{s:10:\"department\";O:45:\"Illuminate\Contracts\Database\ModelIdentifier\":3:{s:5:\"class\";s:14:\"App\Department\";s:2:\"id\";i:3;s:10:\"connection\";s:5:\"mysql\";}s:7:\"meeting\";O:45:\"Illuminate\Contracts\Database\ModelIdentifier\":3:{s:5:\"class\";s:11:\"App\Meeting\";s:2:\"id\";i:8725;s:10:\"connection\";s:5:\"mysql\";}s:18:\"meetingdateandtime\";s:31:\"Tuesday, May 15 2018 at 7:00 PM\";s:6:\"socket\";N;}}s:5:\"tries\";N;s:9:\"timeoutAt\";N;s:7:\"timeout\";N;s:6:\"\u0000*\u0000job\";N;}"}}

Any suggestion so I can see what data is causing the error?

Thanks!

Hi everyone, I was curious if I can do something like this for my routes. Does laravel check the entirelist to see if your route hits something lower or does it just go where it matches first.

So if I went to a URL of /admin/events/individual-event/6 will that try to pass 'individual-event' as my 'eventgroup' parameter?

/admin/events/{eventgroup}
/admin/events/{eventgroup}/first
/admin/events/individual-event/{id}

Thanks.

Thanks that was totally it! I didn't even realize I had some blank fields!!

Hi, probably a stupid question but I have a relationship that I cannot figure out why it won't display the results properly in a foreach statement.

I have an Appointments table and a Users table. My App\Appointment file has a belongsTo relation setup on my User table and that seems fine.

My controller has the below.

$appointments = Appointment::where('appointment_event' , '2018')->with('user')->get();
return view('appointments_manage', compact('appointments'));

In my blade file I have below which gives me an error

 @foreach($appointments as $appointment)
<td>
  {{$appointment->appointment_event}}
</td>
<td>
{{$appointment->user->name}}
</td>
@endforeach 

That fails with 'Trying to get property of non-object ' but if I change that email request to just

{{$appointment->user}}

It then will display on my table html page where the $appointment->user spot was.

{"id":706,"name":"John Smith","email":null,"created_at":"2018-03-19 16:00:00","updated_at":"2018-03-19 16:00:00","old_id":706}

Does anyone have any ideas? I'm kind of stuck on where I messed up here. I tried adding an additional foreach statement for $appointment->user as $user and that didn't seem to work.

Ok so looks like that is part of my 'Session' array anyways. So I got it to display by using this. Leaving this up here for anyone else to find helpful!

@if(Session::get('Message'))
                <div class="alert alert-success">
                    {{ Session::get('Message') }}
                </div>
            @endif 

When placing the following in my view

 <?php echo '<pre>';var_dump(session()->all()); ?>

It returns

array (size=6)
  '_token' => string 'HDKkFo2JRNj9IN26WLuDP0jYogRX1Q3WoL0gxt6Z' (length=40)
  '_flash' => 
    array (size=2)
      'old' => 
        array (size=1)
          0 => string 'Message' (length=7)
      'new' => 
        array (size=0)
          empty
  '_previous' => 
    array (size=1)
      'url' => string 'http://homestead3.test/admin/documents/add' (length=42)
  'url' => 
    array (size=0)
      empty
  'login_web_59ba36addc2b2f9401580f014c7f58ea4e30989d' => int 1
  'Message' => string 'This is a Success Message' (length=25)

It looks like the Message variable is there, now sure why it won't display with

{{$message}}

Hi everyone, having a super annoying thing happening trying to send Success messages when redirecting. I've browsed tons of similar questions on here but not found any answers.

At the end of my POST controller action I attempt to process the below code to send it back to my GET page. Ideally since it succeeds to that point it will display a message.

return redirect()->route('AddNewDocument')->with('message', 'This is a Success Message!');

Here is my blade view

@if(isset($message))
                <div class="alert alert-success">
                    {{ $message }}
                </div>
            @endif

Any ideas? If I submit it as

return redirect('/admin/documents/add')->withErrors(['errors', 'This is a Success Message']);

it will successfully pass to my error part of my view. I've also tried working with Sessions with no luck!

Thanks @Snapey I checked the routes all looked good, still not sure why it won't work as intended.

@nanadjei2 your solution pretty much worked for me.

The below would not work for me on a redirect (please note, this is in my template file and works fine for every other view that gets returned.

@if(isset($message))
                <div class="alert alert-success">
                    {{ $message }}
                </div>
            @endif 

This did work for me! Thanks!

            @if (Session::has('message'))
                <div class="alert alert-success">
                {{ Session::get('message') }}
                </div>
            @endif

Hi @RamjithAp this did not work for me either. I think the problem is it processes the Controller action for the original GET page which has no 'message' passed to its view.

That seems to be the issue, I need to pass the message variable from my redirect to my original GET controller action and then return that to the view.

Does anyone else have any suggestions? Also @Snapey I tried using their example and it did not work for me.

Hi everyone, I'm working on a project and can return errors to my views not a problem, however when attempting to return other variables like 'message', it just does not work for me.

I am trying right now on my Post function within a controller to do this

return redirect()->back()->withMessage('IT WORKS!');

and in my view I have

@if ($errors->any())
                <div class="alert alert-danger">
                    <ul>
                        @foreach ($errors->all() as $error)
                            <li>{{ $error }}</li>
                        @endforeach
                    </ul>
                </div>
            @endif

            @if(isset($message))
                <div class="alert alert-success">
                    {{ $message }}
                </div>
            @endif 

However when it redirects back to the regular page it does not list my Message. Normal view pages are doing this fine just not on these redirect ones. If I populate an error variable it works fine using

->withErrors('Help this is an Error!')

This is on Laravel 5.4 and I'm not adding the Web middleware onto my routes page. Thanks for any help.

Thanks @SyedAbuthahir ! I tried experimenting with UpdatePivot and a few other things and your solution was by far the easiest!! Appreciate you helping me out on this one!

Hi everyone, I'm attempting to update a table 'department_user' that has a PK of 'id' and other fields like 'department_id' and 'user_id' for the many to many relationship. I can successfully create records in my application for these but when attempting to update, I am having trouble.

The below controller updates every record that matches the department_id and user_id and seems to ignore the query for just the plain 'id' field. I want it to only update the specific record with the ID field assigned.

Below is a sample from my controller

public function ManageDepartmentMembersEditTerm($id, $termid, Request $request) {
        $request = $request->all();

        $department = Department::findOrFail($id);
        $department_user = $department->user()->where('department_user.id',$termid)->first();
        $department_user->pivot->term_start_date = $request['term_start_date'];
        $department_user->pivot->term_end_date = $request['term_end_date'];
        $department_user->pivot->term_end_reason = $request['term_end_reason'];
        $department_user->pivot->save();

}

My route if it helps

Route::post('admin/departments_manage/{id}/members/term/{termid}/edit', '[email protected]')

My URL if it helps

http://homestead3.app/admin/departments_manage/8/members/term/17/edit

Big thanks to anyone who might be able to point me in the right direction on this one.

That worked! Thanks @Parasoul ! I didn't see that we had to specify what fields to insert.

Sorry my above response was with

$request = $request->all();
dd($request);

If I do exactly as you posted

$request = $request->all();
    dd( $request->all() );

I get the below error.

at DepartmentController->ManageDepartmentMembersAddTerm('8', array('_token' => '0ZTXQ0GMB4VgbTNf3XMvpfJ33wgtOCaNUalvKeKC', 'user_id' => '5', 'autofill' => 'Laravel Admin', 'term_start_date' => '10/19/2017', 'term_end_date' => '06/30/2018'))

array:5 [▼
  "_token" => "0ZTXQ0GMB4VgbTNf3XMvpfJ33wgtOCaNUalvKeKC"
  "user_id" => "5"
  "autofill" => "Laravel Admin"
  "term_start_date" => "10/19/2017"
  "term_end_date" => "06/30/2018"
]

That 'autofill' field is just what I named a ajax style auto fill where they type the username and it autofills the user_id input field.

Hi everyone, I am really struggling trying to get my post data from a form to be added into my pivot table.

I have a 'users' table, and a 'departments' table, and a 'department_user' table with some additional fields.

Here is a snippet from how my controller is looking

public function ManageDepartmentMembersAddTerm($id, Request $request) {
        $request = $request->all();
        $departments = Department::findOrFail($id);
        $departments->user()->attach($request);

The error I get is as follows

SQLSTATE[01000]: Warning: 1265 Data truncated for column 'user_id' at row 1 (SQL: insert into `department_user` (`created_at`, `department_id`, `updated_at`, `user_id`) values (2017-10-19 13:15:21, 8, 2017-10-19 13:15:21, 0ZTXQ0GMB4VgbTNf3XMvpfJ33wgtOCaNUalvKeKC), (2017-10-19 13:15:21, 8, 2017-10-19 13:15:21, 2), (2017-10-19 13:15:21, 8, 2017-10-19 13:15:21, Mike), (2017-10-19 13:15:21, 8, 2017-10-19 13:15:21, 10/19/2017), (2017-10-19 13:15:21, 8, 2017-10-19 13:15:21, 06/30/2018))

I'm trying to pass it the following named fields: user_id term_start_date term_end_date

It looks like in that SQL statement it is populating the user_id field with my csrf token, then trying to add another row containing my user_id, then trying to add nother row with my start_date, then a final row with my end_date as the user_id.

So most likely this is a problem with my request, any idea on what I am doing wrong?

Thanks community!

@andonovn this worked perfectly thanks! I didn't realize ->wherePivot was the proper syntax!

Hi everyone, I have 3 tables (users, departments, department_user), I can query the pivot table results fine on my returned views but I am trying to write an eloquent query with where clauses on the pivot table.

My pivot table has a column called "term_end_date" and I am trying to get all records prior to a certain date. Any suggestions on how I would do this?

$departments_past = Department::findOrFail($id)->where(pivot->term_end_date, <, '2017-10-10');

I'm sure I'm way off on this, could someone point me in the correct direction on how to query the results based on the pivot table data? Thanks!

Alright so I still wasn't having luck and ended up re-writing my queries from the start.

Your solution helped me get to the solution, in my Controller I removed an

->all() 

that I had at the end of my query and that seemed to help get things rolling.

My Controller is

public function GetUsersPermissions($id) {
        $user = User::findOrFail($id);
        $permissions = DB::table('roles')->get();
        $active_permissions = DB::table('role_user')
            ->select('role_user.*', 'roles.name')
            ->join('roles', 'roles.id', '=', 'role_user.role_id')
            ->where('role_user.user_id', '=', $user['id'])
            ->get();

        $permissions = $permissions->pluck('name', 'id')->toArray();
        $active_permissions = $active_permissions->pluck('role_id')->toArray();
        //dd($active_permissions, $permissions);
        return view('users_permissions',compact('permissions','active_permissions'));
    }

This worked in my View

@foreach($permissions as $key => $permission)
                        @if(in_array($key, $active_permissions))
                                THERE WAS A MATCH
                            @else
                                NO MATCH
                        @endif
                    @endforeach 

Thanks so much for your help Cronix!

I tried that but it didn't find a match.

Thanks Cronix, I think this is helping me in the right direction but still hitting some errors.

(also we are missing a ')' in your code above for the in_array line if you want to edit it for future viewers)

When I use the above pluck command it gives me the following error:

in_array() expects parameter 2 to be array, object given

If I print_r the $roleNames array it produces the following:

Illuminate\Support\Collection Object ( [items:protected] => Array ( [0] => Subscriber [1] => Author [2] => Test1 [3] => Test2 [4] => Test3 [5] => Test4 [6] => Test5 [7] => Test6 [8] => Test7 ) )

If I manually populate a new array as $roleNames it doesn't error out. So I'm assuming this Laravel collection that it makes won't work in the in_array. Any ideas on how I can change it to a regular array? I tried using

$roleNames->toArray();

but that did not work.

Here is a DD of my arrays

Collection {#224 ▼
  #items: array:2 [▼
    0 => {#221 ▼
      +"user_id": 5
      +"role_id": 11
      +"id": 11
      +"name": "Subscriber"
      +"email": "[email protected]"
      +"password": "$2y$10$iIthwprVNVfCHtk/r2Vgc.e7L9bmX4sHxNyRm/BGom//0UVc/DFrC"
      +"remember_token": null
      +"created_at": "2017-07-10 19:45:50"
      +"updated_at": "2017-07-10 19:45:50"
      +"display_name": null
      +"description": null
    }
    1 => {#222 ▼
      +"user_id": 5
      +"role_id": 12
      +"id": 12
      +"name": "Author"
      +"email": "[email protected]"
      +"password": "$2y$10$iIthwprVNVfCHtk/r2Vgc.e7L9bmX4sHxNyRm/BGom//0UVc/DFrC"
      +"remember_token": null
      +"created_at": "2017-07-10 19:45:50"
      +"updated_at": "2017-07-10 19:45:50"
      +"display_name": null
      +"description": null
    }
  ]
}
Collection {#207 ▼
  #items: array:9 [▼
    0 => {#208 ▼
      +"id": 11
      +"name": "Subscriber"
      +"display_name": null
      +"description": null
      +"created_at": "2017-07-10 19:45:50"
      +"updated_at": "2017-07-10 19:45:50"
    }
    1 => {#210 ▼
      +"id": 12
      +"name": "Author"
      +"display_name": null
      +"description": null
      +"created_at": "2017-07-10 19:45:50"
      +"updated_at": "2017-07-10 19:45:50"
    }
    2 => {#202 ▼
      +"id": 13
      +"name": "Test1"
      +"display_name": null
      +"description": null
      +"created_at": null
      +"updated_at": null
    }
    3 => {#215 ▼
      +"id": 14
      +"name": "Test2"
      +"display_name": null
      +"description": null
      +"created_at": null
      +"updated_at": null
    }
    4 => {#209 ▶}
    5 => {#214 ▶}
    6 => {#216 ▶}
    7 => {#217 ▶}
    8 => {#218 ▶}
  ]
}

Looking to work out my own GUI for working with Users/Roles from Entrust and basically want to write some blade syntax to make a bunch of check boxes in an edit user view to enable/disable permissions on a form submit.

I'm having some trouble through being able to loop through my $roles and $active_user_roles arrays. In essence I don't know how to do this with more than 1 array. Ideally I would go 'for each' to display the $roles->names and enable the check box to be checked if it exists in the $active_user_roles->names array. I have the arrays passing properly from my controller to my view.

I figured the best way is to use an 'if (in_array' setup but I can't figure out how to properly loop through two different sets of arrays. Can anyone share some tips? Thanks!