Threat Level: green Handler on Duty: Manuel Humberto Santander Pelaez

SANS ISC: BBCode tag "[php]" used to inject php code SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
BBCode tag "[php]" used to inject php code

I saw a somewhat "odd" alert today hit this web server, and am wondering if there are any circumstances under which this attack would have actually worked. The full request:


I broke the request up into multiple lines to prevent an  overflow into the right part of the page, and I obfuscated the one embeded URL.

Decoded, the Javascript in the URL comes out to:

The "simulacre.org" site does not appear to be malicious or compromissed. The contact.php page does not appear to exist. (But the real contact form doesn't appear to work).
 
The PHP code looks a bit more interesting. After Base64 decoding, one gets to:
 
 
 
The code creates the function "ex", which then attempts to execute a command on the server using pretty much any different way that php may use to execute commands trying to bypass some restrictions that may have been put in place. However, I never see the $cmd string populated unless the exploit relies on register_globals which would be a stretch and odd given the careful command execution.
 
Anybody seeing this? Just another broken exploit? Or will this actually work against some old version of CMS "x"? 
 
Postscript: Well, I was all proud to be able to post this and not cause any XSS issues in our diary. But turns out some AV filters triggered (like ClamAV) so I converted the code to images.
 
 
 
 
 

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Winter 2019

Johannes

3678 Posts
ISC Handler
I subscribe to the Diary using RSS, which then gets sent to me by e-mail. In case it's useful, I should note that this story tripped ClamAV (and thus I didn't receive it):

Report: ClamAV: contains PHP.ShellExec
Report: ClamAV: msg-6037-10.txt contains PHP.ShellExec
Peter Bance

9 Posts
sorry for the ClamAV issue. Maybe time to convert the script to an image :( . I hate when this happens.
Johannes

3678 Posts
ISC Handler
Isn't this a detection script only? I see $cmd="echo IRCsystem", so cmd is filled up. If vulnerable, you'd see sUxCrew, the system name and/or IRCsystem in the resulting page, I would guess? I can't imagine how you would execute php after a [php] in the page, but maybe there's a system out there that uses this tag, a bit like php itself does <?php> ?
Arnt

4 Posts
googling for "sUxCrew" "IRCsysteM" yields some interesting results. The PHP code in this case seems to be just to test if the system can be exploited but other google search results (cached results anyway) seem to also show it trying to connect to an IRC channel on IRCsystem.net (which doesn't resolve for me at the moment).
Brent

121 Posts

Sign Up for Free or Log In to start participating in the conversation!