My next class:

BBCode tag "[php]" used to inject php code

Published: 2013-08-04. Last Updated: 2013-08-04 19:45:48 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

I saw a somewhat "odd" alert today hit this web server, and am wondering if there are any circumstances under which this attack would have actually worked. The full request:




	



	I broke the request up into multiple lines to prevent an  overflow into the right part of the page, and I obfuscated the one embeded URL.



	Decoded, the Javascript in the URL comes out to:



	



	The "simulacre.org" site does not appear to be malicious or compromissed. The contact.php page does not appear to exist. (But the real contact form doesn't appear to work).



	 



	The PHP code looks a bit more interesting. After Base64 decoding, one gets to:



	 



	



	 



	 



	The code creates the function "ex", which then attempts to execute a command on the server using pretty much any different way that php may use to execute commands trying to bypass some restrictions that may have been put in place. However, I never see the $cmd string populated unless the exploit relies on register_globals which would be a stretch and odd given the careful command execution.



	 



	Anybody seeing this? Just another broken exploit? Or will this actually work against some old version of CMS "x"? 



	 



	Postscript: Well, I was all proud to be able to post this and not cause any XSS issues in our diary. But turns out some AV filters triggered (like ClamAV) so I converted the code to images.



	 



	 



	 



	 



	 



	------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter





Keywords: bbcode php 

4 comment(s)



My next class:

        
        
Comments

            

                
I subscribe to the Diary using RSS, which then gets sent to me by e-mail.  In case it's useful, I should note that this story tripped ClamAV (and thus I didn't receive it):



    Report: ClamAV:  contains PHP.ShellExec 

    Report: ClamAV: msg-6037-10.txt contains PHP.ShellExec

                

                    

                        
Anonymous
 
                        
Aug 4th 2013
1 decade  ago

                    

                

            

        
            

                
sorry for the ClamAV issue. Maybe time to convert the script to an image :( . I hate when this happens.

                

                    

                        
Anonymous
 
                        
Aug 4th 2013
1 decade  ago

                    

                

            

        
            

                
Isn't this a detection script only? I see $cmd="echo IRCsystem", so cmd is filled up. If vulnerable, you'd see sUxCrew, the system name and/or IRCsystem in the resulting page, I would guess? I can't imagine how you would execute php after a [php] in the page, but maybe there's a system out there that uses this tag, a bit like php itself does <?php> ?

                

                    

                        
Anonymous
 
                        
Aug 5th 2013
1 decade  ago

                    

                

            

        
            

                
googling for "sUxCrew" "IRCsysteM" yields some interesting results.  The PHP code in this case seems to be just to test if the system can be exploited but other google search results (cached results anyway) seem to also show it trying to connect to an IRC channel on IRCsystem.net (which doesn't resolve for me at the moment).

                

                    

                        
Anonymous
 
                        
Aug 5th 2013
1 decade  ago

                    

                

            

        

        

            
Login here to join the discussion.

        





Top of page

Diary Archives