[nycphp-talk] [OT] XSS, Joomla & Remote Shells

Ben Sgro (ProjectSkyline) ben at projectskyline.com
Fri Jun 29 10:36:40 EDT 2007


Hello again,

Just because I was curious, I decoded the remaining variables.

That provided 1 .c program and 3 .pl programs.

The c code binds to a shell and allows incoming connections
dropped to /bin/bash.

The first .pl program does the same.

The second .pl program connects via lynx to a port/host
you specify.

The third .pl program spawns child processes to push data
to a host/port.

Interesting ...

You can view the code here: http://www.projectskyline.com/phplist/test.php

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons
+1 718.487.9368 (N.Y. Office)

Our company: www.projectskyline.com
Our products: www.project-contact.com

This e-mail is confidential information intended only for the use of the 
individual to whom it is addressed.
----- Original Message ----- 
From: "Ben Sgro (ProjectSkyline)" <ben at projectskyline.com>
To: "NYPHP Talk" <talk at lists.nyphp.org>
Sent: Friday, June 29, 2007 10:21 AM
Subject: Re: [nycphp-talk] [OT] XSS, Joomla & Remote Shells


> Hello,
>
> It's funny you mentioned this because I kinda assumed it might behave that 
> way.
>
> I've seen shellcode in the past that did things you didn't know about...
>
> Great link, thanks!
>
> I decided to see what was encoded in the $c1, $c2 variables,
> which were base64 encoded strings. This is what they held:
>
> <script 
> language="javascript">hotlog_js="1.0";hotlog_r=""+Math.random()+"&s=81606&im=1&r="+escape(document.referrer)+"&pg="+escape(window.location.href);document.cookie="hotlog=1; 
> path=/"; hotlog_r+="&c="+(document.cookie?"Y":"N");</script><script 
> language="javascript1.1">hotlog_js="1.1";hotlog_r+="&j="+(navigator.javaEnabled()?"Y":"N")</script><script 
> language="javascript1.2">hotlog_js="1.2";hotlog_r+="&wh="+screen.width+'x'+screen.height+"&px="+(((navigator.appName.substring(0,3)=="Mic"))?screen.colorDepth:screen.pixelDepth)</script><script 
> language="javascript1.3">hotlog_js="1.3"</script><script 
> language="javascript">hotlog_r+="&js="+hotlog_js;document.write("<a 
> href='http://click.hotlog.ru/?81606' target='_top'><img "+" 
> src='http://hit4.hotlog.ru/cgi-bin/hotlog/count?"+hotlog_r+"&' border=0 
> width=1 height=1 alt=1></a>")</script><noscript><a 
> href=http://click.hotlog.ru/?81606 
> target=_top><img src="http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606&im=1" 
> border=0 width="1" height="1" 
> alt="HotLog"></a></noscript><Br><br><!--LiveInternet counter--><script 
> language="JavaScript"><!--
> document.write('<a href="http://www.liveinternet.ru/click" '+
> 'target=_blank><img src="http://counter.yadro.ru/hit?t52.6;r'+
> escape(document.referrer)+((typeof(screen)=='undefined')?'':
> ';s'+screen.width+'*'+screen.height+'*'+(screen.colorDepth?
> screen.colorDepth:screen.pixelDepth))+';'+Math.random()+
> '" alt="liveinternet.ru: показано число просмотров и посетителей за 24 
> часа" '+
> 'border=0 width=0 height=0></a>')//--></script><!--/LiveInternet-->
>
> - Ben
>
> Ben Sgro, Chief Engineer
> ProjectSkyLine - Defining New Horizons
>
> Our company: www.projectskyline.com
> Our products: www.project-contact.com
>
> This e-mail is confidential information intended only for the use of the 
> individual to whom it is addressed.
>
> ----- Original Message ----- 
> From: "inforequest" <1j0lkq002 at sneakemail.com>
> To: <talk at lists.nyphp.org>
> Sent: Friday, June 29, 2007 3:18 AM
> Subject: Re: [nycphp-talk] [OT] XSS, Joomla & Remote Shells
>
>
>> Ben Sgro (ProjectSkyline) ben-at-projectskyline.com |nyphp dev/internal 
>> group use| wrote:
>>
>>> Hello again,
>>>  I've always had an interest in security. Not too long ago a friend was 
>>> looking
>>> into deploying joomla for a client. He's a pentester/researcher for a 
>>> very well
>>> educated and influential firm = ] , so he had to make sure it was going 
>>> to be secure.
>>>  He started researching and found that many joomla installs had/have 
>>> been compromised
>>> via XSS attacks.
>>>  Today, he posted the link of a site that had been owned by XSS and the 
>>> crackers installed this
>>> web based backdoor script.
>>>  I grabbed the script and included it here 
>>> http://www.projectskyline.com/phplist/r57shell.txt to show PHP 
>>> developers AGAIN how important security is and give us an inside look at
>>> some of the tools our enemies are armed with.
>>>  For those that deploy joomla, this is especially something to watch 
>>> for.
>>> For everyone else, just something to checkout.
>>>  You'll notice this script enables:
>>>  - Mail to be sent out (w/or w/out files attached)
>>> - Commands to be run.
>>> - Search for SUID, writable directories, files, tmp files., .(files) ...
>>> - Outgoing connections to be established
>>> - Some kind of IRC implementation
>>> - SQL to be run
>>> - Files can be downloaded and uploaded
>>> - and much, much more.
>>>  - Ben
>>>
>>
>> Perhaps most interesting about that r57shell is that it quietly remotely 
>> logs its own use. So in addition to the use as a backdoor shell script, 
>> it becomes a beacon for compromised systems - the tool maker gets a 
>> notice of every IP compromised by the tool when used by others.
>>
>> To quote full disclosure, "they [the script authors] can 0wn everything 
>> you 0wned...Trust no one... write your own tools."
>>
>> http://seclists.org/fulldisclosure/2006/Sep/0083.html
>>
>>
>>
>>
>>
>>
>> -- 
>> -------------------------------------------------------------
>> Your web server traffic log file is the most important source of web 
>> business information available. Do you know where your logs are right 
>> now? Do you know who else has access to your log files? When they were 
>> last archived? Where those archives are? --John Andrews Competitive 
>> Webmaster and SEO Blogging at http://www.johnon.com
>>
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>
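Ben decoded the base64-encoded $c1 and $c2 variables by hand and found tracking beacons pointing at hotlog.ru and liveinternet/yadro.ru counters, which is exactly the "phone home" behaviour inforequest describes. The following script is an added example, not code from the thread or from r57shell: it automates that check by scanning PHP source for quoted base64 blobs, decoding the ones that decode cleanly, and listing every external host referenced inside them, so a defender inspecting a suspicious file can see where it beacons without executing it. SAMPLE_PHP is a constructed stand-in built in the style of the $c1/$c2 variables; the two hostnames it embeds are the ones that appeared in Ben's decoded output, and the regex thresholds and function names are my own choices.

```python
import base64
import re

# Constructed sample (not the real r57shell): two PHP variables holding
# base64 blobs, in the style of the $c1/$c2 variables from the thread.
# The hostnames are the counters that showed up in the decoded snippet.
_TRACKER = (b'<img src="http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606&im=1" '
            b'width=1 height=1>'
            b'<img src="http://counter.yadro.ru/hit?t52.6" width=0 height=0>')
_HELLO = b'<?php echo "hello"; ?>'
SAMPLE_PHP = (
    '<?php\n'
    '$c1 = "' + base64.b64encode(_TRACKER).decode() + '";\n'
    '$c2 = "' + base64.b64encode(_HELLO).decode() + '";\n'
    'echo base64_decode($c1);\n'
)

# A run of base64 alphabet characters long enough to be a real payload rather
# than an identifier; the 24-character floor is an assumption, tune it as needed.
BLOB_RE = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')
URL_HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)


def find_base64_blobs(src: str) -> list[str]:
    """Return the decoded text of every base64 token in src that decodes cleanly."""
    found = []
    for m in BLOB_RE.finditer(src):
        token = m.group(0)
        if len(token) % 4:          # valid base64 is always padded to a multiple of 4
            continue
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        text = raw.decode('utf-8', errors='replace')
        # Drop decodes that are mostly non-printable: those are usually false hits
        printable = sum(ch.isprintable() or ch in '\r\n\t' for ch in text)
        if not text or printable < 0.9 * len(text):
            continue
        found.append(text)
    return found


def extract_hosts(text: str) -> set[str]:
    """Collect every hostname that appears in an http(s) URL in text."""
    return {h.lower() for h in URL_HOST_RE.findall(text)}


def analyze(src: str) -> dict:
    """Decode all blobs in a PHP source string and report the hosts they reference."""
    blobs = find_base64_blobs(src)
    hosts: set[str] = set()
    for blob in blobs:
        hosts |= extract_hosts(blob)
    return {"blob_count": len(blobs), "hosts": sorted(hosts)}


if __name__ == "__main__":
    report = analyze(SAMPLE_PHP)
    print(f"decoded {report['blob_count']} base64 blob(s)")
    for host in report["hosts"]:
        print(f"  beacons to: {host}")
```

Run it against a real file by replacing SAMPLE_PHP with the file's contents; any host in the output that is not one of your own is a candidate beacon and a useful indicator to block at the egress proxy and search for in web server logs.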