Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can anyone explain this php code injection attack to me?

Tags:

security

php

code-injection

I've been receiving requests for unexpected urls on my server.

Specifically one for /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E

This seems to be happening every few hours.

I ran the url through http://www.url-encode-decode.com/ and it comes out as:

phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d open_basedir=none -d auto_prepend_file=php://input -n

What is the attacker trying to do here?

like image 864
Nate B Avatar asked Aug 02 '13 04:08

Nate B

2 Answers

Attacker is trying to make use of CVE-2012-1823, this only applies if your PHP is used in CGI mode (mod_php is not vulnerable to this).

Using -d parameter injection to PHP binary attacker disables various protection mechanisms your PHP might have in place and executes PHP code directly by using auto_prepend_file (automatically executes PHP code before processing any PHP file), while php://input is a stream of POST request data.

Unless your web server logging is custom you probably won't find out what attacker had in the POST request (POST data are not being logged normally).

Check your PHP, eg. using a script like this:

<?php phpinfo();

PHP version is on the first line, compare that to CVE definition. If you're using a vulnerable version, update it ASAP, also look for Server API line there, if it does not contain something with CGI you should be safe for the moment, but using an obsolete PHP version is never good.

like image 67
lukash Avatar answered Sep 28 '22 07:09

lukash

attacker is try to update your php configuration file(php.ini) allow_url_include,safe_mode are different php configuration settings which are important for security, so they are disabled by default

like image 27
PravinS Avatar answered Sep 28 '22 07:09

PravinS
Sign in to Comment

Related questions

is there a simple php shell for windows?
.htaccess with products (string)
Please provide the prefix of GraphicsMagick installation [autodetect]
SELECT then immediately DELETE mysql record
PHP's DateTime::Diff gets it wrong?
Can mysql_real_escape_string ALONE prevent all kinds of sql injection ?
USPS : API Authorization failure
Zip files contain same files but have different hashes?
YII how to handle custom 404 error page along with other error pages
How to get the referer search query from google?
Symfony2 / Doctrine mapped superclass in the middle of class table inheritance
Find if value exists in a JSONArray in php
Fatal error: Class 'OAuth' not found in
PHP: What is the difference between exit(), die() and return; within "self" and included files?
eBay API to download user listing (eBay API user guide / step by step guide)
Reliable Way to Detect Desktop vs. Mobile Browser [duplicate]
file_put_contents not creating txt file
How to update a website without making it go down?
What problems could I meet with Laravel 4 on PHP 5.3.3?
Slim Framework endpoint unit testing

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!