This PHP injection attack was similar to the one I blogged about yesterday, but interesting nonetheless.
POST/index.php?s=/abc/abc/abc/${@print(eval($_POST[c]))}
c=@eval(base64_decode($_POST[x0]));
x0=ZWNobyAiLT58MTIzfDwtIjs=
Similar to yesterday, it's trying to execute PHP code based on an old PHP vulnerability that appears to allow the eval of PHP code via query string parameters and POST parameters.
First they're going to print the results back to the screen, which essentially means they get returned in the HTTP response and can be used to automate a response (if the bad guy gets results back, then he knows it's vulnerable and can attack further). Then he'll try to eval (or execute) the PHP code found in the POST parameter 'c'.
In the POST data, the parameter 'c' will try to eval (or execute) the result of the base64_decode function, which decodes the value in the 'x0' POST parameter. This is just a way of obfuscating what he's doing, hiding from the good guys, from the IDS/IPS, etc.
So basically all we need to know is what's in the base64-encoded value 'ZWNobyAiLT58MTIzfDwtIjs='. Well, find a good free base64 decoder (or just use Notepad++). It'll tell you that it is equivalent to echo "->|123|<-"; which means that, if successful, this attack literally just prints out some text ... ->|123|<-
So, nothing exciting, please move on :-)
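For triage of similar log entries, here is an added example (not part of the original post) that flags the eval-in-URI pattern and decodes any POST parameter that another parameter feeds to base64_decode. The function names, the regexes and the joining of the two body lines with '&' are assumptions made for this sketch.

```python
import base64
import re
from urllib.parse import parse_qs, unquote

# Request from the post above; the body lines are joined with '&' (assumed).
SAMPLE_URI = "/index.php?s=/abc/abc/abc/${@print(eval($_POST[c]))}"
SAMPLE_BODY = "c=@eval(base64_decode($_POST[x0]));&x0=ZWNobyAiLT58MTIzfDwtIjs="

# A PHP "${...}" expression in the URI that calls a code-execution function.
URI_EVAL = re.compile(r"\$\{[^}]*\b(eval|assert|system|passthru)\s*\(", re.I)
# base64_decode($_POST[name]), also with quoted keys or $_REQUEST.
B64_REF = re.compile(
    r"base64_decode\s*\(\s*\$_(?:POST|REQUEST)\[\s*['\"]?(\w+)['\"]?\s*\]", re.I)


def decode_b64(value):
    """Return the decoded text, or None if value is missing or not base64."""
    if value is None:
        return None
    # Form decoding turns an unescaped '+' into a space; undo that first.
    value = value.replace(" ", "+")
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def analyze(uri, body):
    """Flag eval-in-URI and decode each base64 stage referenced in the body."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    findings = {"uri_eval": bool(URI_EVAL.search(unquote(uri))), "stages": {}}
    for value in params.values():
        for ref in B64_REF.findall(value):
            # Follow the reference to the parameter that carries the payload.
            findings["stages"][ref] = decode_b64(params.get(ref))
    return findings


if __name__ == "__main__":
    print(analyze(SAMPLE_URI, SAMPLE_BODY))
```

A decoded stage that only echoes a fixed marker, as here, indicates a vulnerability probe rather than a follow-on payload.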
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.