Tuesday, August 9, 2016

command.php wget HTTP Post

POST /command.php HTTP/1.0
User-Agent: Wget(linux)

cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74


I saw this HTTP request in the logs and wondered what it was. Turns out that sometime in 2013 a D-Link® Wireless Router contained an OS command injection vulnerability on a web administrative page. So this attacker is looking for that vulnerable page and running a command.

I decoded the cmd parameter to find that it runs this command.

cd /var/tmp && echo -ne \\x3610cker > 610cker.txt && cat 610cker.txt

The attacker is simply changing into the temp folder, writing a short marker string to a text file and printing the file back out. Note what the marker is: the shell strips the doubled backslash to a single one, and an echo that honours -e (bash, busybox) turns \x36 into the character 6, so the file holds 610cker. If that string comes back in the HTTP response, the attacker knows the command ran, the router is vulnerable, and he'll come back to do more damage. On the defensive side, a POST to /command.php whose decoded cmd value contains shell operators like && or > is the thing to alert on, and the marker string in the response body is the sign that the probe actually succeeded.
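Here is the decoding and the check described above as a small Python script. It is an added example, not code from the original post: the log format (one line per request as METHOD PATH BODY) is constructed for illustration, the first body is the exact POST body from the capture above, and the other lines are made up to show what the detector does and does not flag. It also works out which string a successful probe would echo back, by applying the unquoted-word backslash rule and a bash-style echo -e hex escape.

```python
import re
from urllib.parse import parse_qs

# Constructed sample log (not from the post's real logs): "METHOD PATH BODY".
# Line 1 is the POST body captured in the post; the rest are made-up filler.
SAMPLE_LOG = [
    "POST /command.php cmd=%63%64%20%2F%76%61%72%2F%74%6D%70%20%26%26%20%65%63%68%6F%20%2D%6E%65%20%5C%5C%78%33%36%31%30%63%6B%65%72%20%3E%20%36%31%30%63%6B%65%72%2E%74%78%74%20%26%26%20%63%61%74%20%36%31%30%63%6B%65%72%2E%74%78%74",
    "GET /index.html -",
    "POST /command.php cmd=ls",
    "POST /login.php user=admin%26%26id",
]

# Shell operators that chain commands or redirect output. A cmd value that
# contains any of these is treated as an injection attempt, not a plain command.
SHELL_META = re.compile(r"&&|\|\||[;|`$]|>|<")


def decode_cmd(body):
    """Percent-decode the cmd parameter of a POST body; None if it is absent."""
    values = parse_qs(body, keep_blank_values=True).get("cmd")
    return values[0] if values else None


def flag_probes(lines):
    """Return (decoded_cmd, chained) for every POST to /command.php carrying cmd.

    chained is True when the decoded command contains a shell operator.
    """
    hits = []
    for line in lines:
        method, path, body = line.split(" ", 2)
        if method != "POST" or path != "/command.php":
            continue
        cmd = decode_cmd(body)
        if cmd is not None:
            hits.append((cmd, bool(SHELL_META.search(cmd))))
    return hits


def shell_unquoted_word(word):
    """sh rule for an unquoted word: a backslash escapes the next character."""
    return re.sub(r"\\(.)", r"\1", word)


def echo_e(arg):
    """Expand \\xHH escapes the way bash/busybox 'echo -e' does (other escapes ignored)."""
    return re.sub(r"\\x([0-9A-Fa-f]{1,2})",
                  lambda m: chr(int(m.group(1), 16)), arg)


def expected_marker(cmd):
    """The string 'echo -ne WORD' in cmd writes, i.e. what a successful
    injection echoes back in the HTTP response. None if cmd has no such echo."""
    m = re.search(r"echo -ne (\S+)", cmd)
    return echo_e(shell_unquoted_word(m.group(1))) if m else None


if __name__ == "__main__":
    for cmd, chained in flag_probes(SAMPLE_LOG):
        print(f"{'INJECTION' if chained else 'command'}: {cmd}")
        marker = expected_marker(cmd)
        if marker:
            print(f"  look for {marker!r} in the response body to confirm success")
```

Run against the sample, the script flags the captured request as an injection (it contains && and >) and reports 610cker as the marker to hunt for in the corresponding response; the plain cmd=ls line is reported but not marked as chained, and the request to /login.php is ignored by the path rule.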


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.
