Posted by Oski on 11/14/41 11:57
Sandman wrote:
> Then I suppose the script, as seen, was a small part of a larger
> "hack" library, which the author cut'n'pasted from.
>
> I've been "hacked" this way also, so I've seen some of these scripts.

In this case, the chat script asks for your name and email when
registering.
Then, it creates a php-script (as described in my first post) and
creates lines within it:
    $name = "<userinput>";
    $email = "<userinput_2>";
    // and so on ...
So you just have to know where this php script is created/saved and
register with a tampered name and then call this php script with the
desired URL + encoded command strings, like "?c=ls%20-l" etc.
Of course, the real (huuuge!) security hole is creating a php script
with unchecked user input. (I don't dare to guess what might happen if
you have disabled magic_quotes).
But I could not explain the behaviour of PHP either, especially as
there is nothing documented about this "feature" to execute code within
a variable assignment.
Ingo
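
As an added example (not part of the thread and not the chat script's own code): two ways to store registration data without pasting raw input into generated PHP source, which is the hole the post above describes. The function names, the name allow-list and the temp-file locations are assumptions, and PHP 7.3 or later is assumed.

```php
<?php
// Added example. Function names, the allow-list and paths are assumptions.
// The pattern from the post, $name = "<userinput>"; written into a .php file,
// is unsafe because the input becomes part of the PHP source: a quote can end
// the string, and double-quoted strings are interpolated.

// Option 1: validate, then store as data (JSON) that is never executed.
function save_user_as_data(string $file, string $name, string $email): bool
{
    if (!preg_match('/^[\p{L}\p{N} ._-]{1,40}$/u', $name)) {
        return false;                       // name outside the allow-list
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $json = json_encode(['name' => $name, 'email' => $email], JSON_THROW_ON_ERROR);
    return file_put_contents($file, $json, LOCK_EX) !== false;
}

function load_user(string $file): array
{
    return json_decode(file_get_contents($file), true, 8, JSON_THROW_ON_ERROR);
}

// Option 2: if a PHP file must be generated, let var_export() build the
// literal. It emits single-quoted strings with ' and \ escaped, and
// single-quoted PHP strings are not interpolated.
function save_user_as_php(string $file, string $name, string $email): bool
{
    $data = var_export(['name' => $name, 'email' => $email], true);
    return file_put_contents($file, "<?php\nreturn $data;\n", LOCK_EX) !== false;
}

// Constructed input containing characters that are special in PHP source.
$name  = 'Ann "A" $x {y} \\ end';
$email = 'ann@example.org';
$base  = tempnam(sys_get_temp_dir(), 'usr');

save_user_as_php($base, $name, $email);
$back = include $base;                      // the generated file returns the array
var_dump($back['name'] === $name);          // compares stored and original name

var_dump(save_user_as_data("$base.json", $name, $email));        // name with quotes
var_dump(save_user_as_data("$base.json", 'Ann Example', $email)); // plain name
var_dump(load_user("$base.json"));

unlink($base);
unlink("$base.json");
```

Keeping such files outside the web root also means they cannot be requested by URL at all.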