Breakdown of attack URL

ywickham
Forum Newbie
Posts: 3
Joined: Thu Mar 18, 2010 3:10 pm

Post by ywickham »

I want a better understanding of what I'm looking at when an attack is reported to me. I'm hoping you guys can help me out by breaking down a URL for me and sending me to the correct sources to get more information. Example URL:

/MFR1.HTM?view=Panasonic_reviews%22%20onmousedown=%22ct(this,%20'http%3A%2F%2Fwww.imaging-resource.com%2FMFR1.HTM%3Fview%3DPanasonic_reviews','21','3','%2F%2F%2F%3Fpage%3Dpanasonic','',%20'00f08b68183ac8e8fc131147ad2015c66e310dec38043fbb8cc3',%200)/?page=../../../../../../../../../../../../..//proc/self/environ%0000 HTTP Response 200
My understanding was that a server responds with 200 when the request succeeded. I'm guessing the above URL didn't break anything as far as the server was concerned so it sent a 200 response. And if I load this in the browser, it continued to load the page as expected. So what was this URL trying to do exactly? Thanks!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Breakdown of attack URL

Post by Mordred »

The last part looks like an attempt to elevate an LFI into code execution, as /proc/self/environ can contain attacker-controlled strings.
The JavaScript looks like an attempt at XSS. Why try both at the same time is a puzzle. Maybe it's a misbehaving automated attack script?
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: Breakdown of attack URL

Post by flying_circus »

Decoded

/MFR1.HTM?view=Panasonic_reviews" onmousedown="ct(this, 'http://www.imaging-resource.com/MFR1.HTM?view=Panasonic_reviews','21','3','///?page=panasonic','', '00f08b68183ac8e8fc131147ad2015c66e310dec38043fbb8cc3', 0)/?page=../../../../../../../../../../../../..//proc/self/environ00 HTTP Response 200
Looks like a session id, or cookie data?
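
Added example (not code from any poster in this thread): a Python sketch that parses the logged request from the first post the way a query-string parser would and flags the pieces discussed above. It shows that, with no `&` in the request, there is only one parameter, `view`, and the `page=../..` text is part of its value; the function name `triage` and the regexes are illustrative assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request target copied from the first post (still percent-encoded, as logged).
LOGGED = (
    "/MFR1.HTM?view=Panasonic_reviews%22%20onmousedown=%22ct(this,%20"
    "'http%3A%2F%2Fwww.imaging-resource.com%2FMFR1.HTM%3Fview%3DPanasonic_reviews',"
    "'21','3','%2F%2F%2F%3Fpage%3Dpanasonic','',%20"
    "'00f08b68183ac8e8fc131147ad2015c66e310dec38043fbb8cc3',%200)"
    "/?page=../../../../../../../../../../../../..//proc/self/environ%0000"
)


def triage(request_target):
    """Split a logged request target into parameters and flag suspicious parts."""
    parts = urlsplit(request_target)
    # No '&' means everything after the first '?' belongs to one parameter.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    report = {"path": parts.path, "params": list(params), "findings": []}
    for name, value in params.items():
        handler = re.search(r'"\s+(on\w+)\s*=', value)
        if handler:  # a quote closing an HTML attribute, then an event handler
            report["findings"].append((name, "attribute breakout", handler.group(1)))
        trav = re.search(r"((?:\.\./)+)/*([^\x00?&]+)", value)
        if trav:  # a run of ../ followed by the file being aimed at
            report["findings"].append((name, "path traversal", "/" + trav.group(2)))
            report["traversal_depth"] = len(trav.group(1)) // 3
        if "\x00" in value:  # %00 decodes to a NUL byte
            report["findings"].append((name, "null byte", value.index("\x00")))
    return report


if __name__ == "__main__":
    for item in triage(LOGGED).items():
        print(item)
```
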