PHP Remote File Include via data: URI
From: Jamie Riden <jamie.riden () gmail com>
Date: Fri, 26 Oct 2012 07:59:15 +0100
Hi all, Just to be a royal pain, PHP Remote File Include is perfectly viable using base64 encoded data: URIs. PoC below: # curl "http://127.0.0.1/vulnrfi.php?phone=data:text/plain;base64,PD9waHAgZWNobyAiV09PSE9PISIgPz4=" Searching for GET parameter 'phone'<br>including parameter phone<br>WOOHOO!included parameter phone # cat /var/www/vulnrfi.php <?php echo "Searching for GET parameter 'phone'<br>"; $phonesearch= $_GET["phone"]; echo "including parameter phone<br>"; include($phonesearch); echo "included parameter phone<br>"; ?> Of course, the base64 decode of PD9waHAgZWNobyAiV09PSE9PISIgPz4= is <?php echo "WOOHOO!" ?> (As with http:// and ftp://, the data: wrapper is only reachable from include() when allow_url_include is enabled, so the PoC assumes that setting; the point stands that a rule which only looks for a network scheme misses this case.) Which would imply that all the following need to match on (https?|ftps?|php|data) ... wouldn't it? Any false positives likely if we don't make it "data:" with a colon at the end? Without the colon, a bare "data" would also match any parameter value that merely starts with those letters (e.g. path=database), so matching on "data:" is the safer choice. Note also that some of the rules below (sids 2147, 2150 and 2226) have no i flag on their pcre, while a URI scheme is case-insensitive. cheers, Jamie $ egrep -r =\\\(http ~/Desktop/rules/ /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path"; flow:to_server,established; content:".php"; nocase; http_uri; content:"path="; fast_pattern:only; pcre:"/path=(https?|ftps?|php)/i"; metadata:service http; classtype:web-application-attack; sid:2002; rev:14;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:13;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include attempt"; flow:to_server,established; content:"forum/index.php"; http_uri; content:"template="; pcre:"/template=(https?|ftps?|php)/i"; metadata:service http; reference:bugtraq,7542; 
reference:bugtraq,7543; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:11;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include attempt"; flow:to_server,established; content:"/setup/"; http_uri; content:"GALLERY_BASEDIR="; http_uri; pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,8814; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:11;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; http_uri; content:"page="; http_uri; pcre:"/page=(https?|ftps?|php)/Ui"; metadata:service http; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:13;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file include attempt"; flow:to_server,established; content:"/header.php"; nocase; http_uri; content:"systempath="; fast_pattern:only; pcre:"/systempath=(https?|ftps?|php)/i"; metadata:service http; reference:bugtraq,9732; classtype:web-application-attack; sid:2575; rev:8;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file include attempt"; flow:to_server,established; content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri; content:"admin_root="; pcre:"/admin_root=(https?|ftps?|php)/"; metadata:service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:16;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include attempt"; 
flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; pcre:"/file=(https?|ftps?|php)/i"; metadata:service http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:20;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:service http; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:12;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include attempt"; flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; pcre:"/pm_path=(https?|ftps?|php)/"; metadata:service http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:16;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP ME Download System remote file include in header.php Vb8878b936c2bd8ae0cab"; flow:to_server,established; content:"header.php"; fast_pattern:only; http_uri; content:"Vb8878b936c2bd8ae0cab="; nocase; pcre:"/Vb8878b936c2bd8ae0cab=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19336; reference:cve,2006-4053; classtype:web-application-attack; sid:20652; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Akarru remote file include in main_content.php bm_content"; flow:to_server,established; content:"main_content.php"; fast_pattern:only; http_uri; pcre:"/\x2Fmain_content\.php?[^\r\n]*?bm_content=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19870; reference:cve,2006-4645; classtype:web-application-activity; 
sid:20631; rev:4;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Modernbill remote file include in config.php DIR"; flow:to_server,established; content:"config.php"; fast_pattern:only; http_uri; content:"DIR"; nocase; pcre:"/DIR=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19335; reference:cve,2006-4034; classtype:web-application-attack; sid:20651; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Free File Hosting remote file include in forgot_pass.php ad_body_temp"; flow:to_server,established; content:"forgot_pass.php"; fast_pattern:only; http_uri; content:"ad_body_temp"; nocase; pcre:"/ad_body_temp=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,20781; reference:cve,2006-5762; classtype:web-application-attack; sid:20657; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP AnnoncesV remote file include in annonce.php page"; flow:to_server,established; content:"annonce.php"; fast_pattern:only; http_uri; pcre:"/\x2Fannonce\.php?[^\r\n]*?page=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19854; reference:cve,2006-4622; classtype:web-application-activity; sid:20632; rev:4;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP GrapAgenda remote file include in index.php page"; flow:to_server,established; content:"index.php"; fast_pattern:only; http_uri; content:"page"; nocase; pcre:"/page=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19857; reference:cve,2006-4610; classtype:web-application-attack; sid:20654; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Boite de News remote file include in inc.php url_index"; flow:to_server,established; content:"url_index="; fast_pattern:only; http_uri; 
pcre:"/\x2F(inc2?|index)\.php?[^\r\n]*?url_index=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19440; reference:cve,2006-4123; classtype:web-application-activity; sid:20633; rev:4;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP GestArtremote file include in aide.php3 aide"; flow:to_server,established; content:"aide.php3"; fast_pattern:only; http_uri; content:"aide"; nocase; pcre:"/aide=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,22825; reference:cve,2006-5612; classtype:web-application-attack; sid:20656; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP MyNewsGroups remote file include in layersmenu.inc.php myng_root"; flow:to_server,established; content:"layersmenu.inc.php"; fast_pattern:only; http_uri; content:"myng_root"; nocase; pcre:"/myng_root=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19258; reference:cve,2006-3966; classtype:web-application-attack; sid:20650; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Flashchat remote file include in aedating4CMS.php"; flow:to_server,established; content:"/aedating4CMS.php"; nocase; http_uri; content:"dir[inc]="; nocase; http_uri; pcre:"/\x2Faedating4CMS\.php?[^\r\n]*?dir\[inc\]=(https?|ftps?)/Ui"; metadata:service http; reference:bugtraq,19826; reference:cve,2006-4583; classtype:web-application-activity; sid:20680; rev:3;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Comet WebFileManager remote file include in CheckUpload.php Language"; flow:to_server,established; content:"CheckUpload.php"; fast_pattern:only; http_uri; pcre:"/Language=(https?|ftps?)/i"; metadata:service http; reference:bugtraq,19433; reference:cve,2006-4077; classtype:web-application-attack; sid:20663; rev:5;) 
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Sabdrimer remote file include in advanced1.php pluginpath[0]"; flow:to_server,established; content:"pluginpath[0]="; fast_pattern:only; http_uri; pcre:"/\x2Fadvanced1\.php\?[^\r\n]*?pluginpath\x5B0\x5D=(https?|ftps?)/Ui"; metadata:policy security-ips drop, service http; reference:bugtraq,18907; reference:cve,2006-3520; classtype:web-application-attack; sid:20732; rev:5;) /home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP WoW Roster remote file include with hslist.php and conf.php"; flow:to_server,established; content:"subdir="; fast_pattern:only; http_uri; pcre:"/\x2F(conf|hslist)\.php\?[^\r\n]*?subdir=(https?|ftps?)/Ui"; metadata:service http; reference:cve,2006-3997; reference:cve,2006-3998; classtype:web-application-attack; sid:20728; rev:3;) -- Jamie Riden / jamie () honeynet org / jamie.riden () gmail com http://uk.linkedin.com/in/jamieriden ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!