-1

I have a code that lead the code become remote code execution. How this exploit go and how to run it? Also how to fix the code. I've tried many times but it won't succeed. Thanks!

This is the code:

<?php

error_reporting(E_WARNING | E_DEPRECATED);

require_once 'inc.php';

function getip(){
 if(getenv('HTTP_X_FORWARDED_FOR')){
 $ip = $_SERVER['REMOTE_ADDR'];
 if(preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", getenv('HTTP_X_FORWARDED_FOR'), $ip3)){
  $ip2 = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.16\..*/', '/^10..*/', '/^176..*/', '/^206..*/');
  $ip = preg_replace($ip2, $ip, $ip3[1]);
 }
 }else{
  $ip = $_SERVER['REMOTE_ADDR'];
 }
 if($ip == ""){ $ip = "x.x.x.x"; }
 return $ip;
}
$ipnya = getip();
$arrip = array("192.168.10.10","192.168.11.11");
if(!in_array($ipnya,$arrip)) {
    header( "HTTP/1.1 301 Moved Permanently" );
 header( "Status: 301 Moved Permanently" );
    header( "Location: https://www.google.com" );
 exit(0);
}

if(class_exists(PHPIDS_SUSPECTIP)) {
    $susp_ip = new PHPIDS_SUSPECTIP;
    
    if($susp_ip->__add())

    echo "<br>";
    
    $susp_list = json_decode($susp_ip->__read())->ip;    

    if(in_array($ipnya,$susp_list)) {
        header( "Status: 404 Page Not Found",true,404 );
    } else {
    }
}

?>
Rob
  • 1

1 Answers1

0

The code runs fine by itself. You have a problem with some URL linking or redirection.

TheWandererLee
  • 1,012
  • 5
  • 14
  • the code leads to Remote Code Execution. I want to know how to exploit it and how to fix it. – Rob Mar 22 '19 at 19:10
  • $ip could be safe but it could be spoofed, $ip2 is hardcoded (bad) to remap local addresses, and $ip3 comes from another location. Is $ip3 coming from user entry or an unsafe location? Because it will replace $ip. Likely, the whole thing should be rewritten to use PHP's IP address builtin handlers. Also, see this answer on how it may be spoofed: https://stackoverflow.com/questions/3003145/how-to-get-the-client-ip-address-in-php – TheWandererLee Mar 22 '19 at 20:22