oss-sec mailing list archives
Re: What does this PHP exploit do?
From: Jann Horn <jann () thejh net>
Date: Fri, 10 Oct 2014 21:43:48 +0200
On Sat, Oct 11, 2014 at 06:28:04AM +1100, Dave Horsfall wrote:
I'm trying to figure out what this exploit does; it started around the time that Shellshock did, but I don't think that they're related.
The hex-encoded stuff in the script below decodes to "-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-n" but my PHP-fu doesn't quite extend that far (and that "safe_mode=off" looks a bit suss).
Looks like CVE-2012-1823 to me: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/
Attachment:
signature.asc
Description: Digital signature
Current thread:
- What does this PHP exploit do? Dave Horsfall (Oct 10)
- Re: What does this PHP exploit do? Jann Horn (Oct 10)
- Re: What does this PHP exploit do? Pierre Schweitzer (Oct 10)
- Re: What does this PHP exploit do? Pierre Schweitzer (Oct 10)
- Re: What does this PHP exploit do? Pierre Schweitzer (Oct 11)
- Re: What does this PHP exploit do? Pierre Schweitzer (Oct 10)
- Re: What does this PHP exploit do? Jon Hart (Oct 10)
- Re: What does this PHP exploit do? Dave Horsfall (Oct 15)