BBCode tag "[php]" used to inject php code

Published: 2013-08-04
Last Updated: 2013-08-04 19:45:48 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

I saw a somewhat "odd" alert today hit this web server, and am wondering if there are any circumstances under which this attack would have actually worked. The full request:

I broke the request up into multiple lines to prevent an  overflow into the right part of the page, and I obfuscated the one embeded URL.

Decoded, the Javascript in the URL comes out to:

The "" site does not appear to be malicious or compromissed. The contact.php page does not appear to exist. (But the real contact form doesn't appear to work).
The PHP code looks a bit more interesting. After Base64 decoding, one gets to:
The code creates the function "ex", which then attempts to execute a command on the server using pretty much any different way that php may use to execute commands trying to bypass some restrictions that may have been put in place. However, I never see the $cmd string populated unless the exploit relies on register_globals which would be a stretch and odd given the careful command execution.
Anybody seeing this? Just another broken exploit? Or will this actually work against some old version of CMS "x"? 
Postscript: Well, I was all proud to be able to post this and not cause any XSS issues in our diary. But turns out some AV filters triggered (like ClamAV) so I converted the code to images.

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter

Keywords: bbcode php
4 comment(s)


I subscribe to the Diary using RSS, which then gets sent to me by e-mail. In case it's useful, I should note that this story tripped ClamAV (and thus I didn't receive it):

Report: ClamAV: contains PHP.ShellExec
Report: ClamAV: msg-6037-10.txt contains PHP.ShellExec
sorry for the ClamAV issue. Maybe time to convert the script to an image :( . I hate when this happens.
Isn't this a detection script only? I see $cmd="echo IRCsystem", so cmd is filled up. If vulnerable, you'd see sUxCrew, the system name and/or IRCsystem in the resulting page, I would guess? I can't imagine how you would execute php after a [php] in the page, but maybe there's a system out there that uses this tag, a bit like php itself does <?php> ?
googling for "sUxCrew" "IRCsysteM" yields some interesting results. The PHP code in this case seems to be just to test if the system can be exploited but other google search results (cached results anyway) seem to also show it trying to connect to an IRC channel on (which doesn't resolve for me at the moment).

Diary Archives