[Snort-sigs] PHP Remote File Include via data: URI

Jamie Riden jamie.riden at ...2420...
Fri Oct 26 02:59:15 EDT 2012


Hi all,

Just to be a royal pain, PHP Remote File Include is perfectly viable
using base64 encoded data: URIs. PoC below:

# curl "http://127.0.0.1/vulnrfi.php?phone=data:text/plain;base64,PD9waHAgZWNobyAiV09PSE9PISIgPz4="

Searching for GET parameter 'phone'<br>including parameter
phone<br>WOOHOO!included parameter phone

# cat /var/www/vulnrfi.php
<?php
echo "Searching for GET parameter 'phone'<br>";

  $phonesearch= $_GET["phone"];

echo "including parameter phone<br>";
  include($phonesearch);

echo "included parameter phone<br>";

?>

Of course, the base64 decode of PD9waHAgZWNobyAiV09PSE9PISIgPz4=" is
<?php echo "WOOHOO!" ?>

Which would imply that all the following need to match on
(https?|ftps?|php|data)  ... wouldn't it? Any false positives likely
if we don't make it "data:" with a colon at the end?

cheers,
 Jamie

$ egrep -r =\\\(http ~/Desktop/rules/
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path";
flow:to_server,established; content:".php"; nocase; http_uri;
content:"path="; fast_pattern:only; pcre:"/path=(https?|ftps?|php)/i";
metadata:service http; classtype:web-application-attack; sid:2002;
rev:14;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4
remote file include attempt"; flow:to_server,established;
content:"/objects.inc.php4"; http_uri; content:"Server[path]=";
pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:service http;
reference:bugtraq,7677; reference:cve,2003-0394;
reference:nessus,11647; classtype:web-application-attack; sid:2147;
rev:13;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include
attempt"; flow:to_server,established; content:"forum/index.php";
http_uri; content:"template="; pcre:"/template=(https?|ftps?|php)/i";
metadata:service http; reference:bugtraq,7542; reference:bugtraq,7543;
reference:nessus,11615; classtype:web-application-attack; sid:2155;
rev:11;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include
attempt"; flow:to_server,established; content:"/setup/"; http_uri;
content:"GALLERY_BASEDIR="; http_uri;
pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:service http;
reference:bugtraq,8814; reference:nessus,11876;
classtype:web-application-attack; sid:2306; rev:11;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote
file include attempt"; flow:to_server,established; content:"do=ext";
http_uri; content:"page="; http_uri;
pcre:"/page=(https?|ftps?|php)/Ui"; metadata:service http;
reference:bugtraq,8791; reference:nessus,11873;
classtype:web-application-attack; sid:2307; rev:13;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote
file include attempt"; flow:to_server,established;
content:"/header.php"; nocase; http_uri; content:"systempath=";
fast_pattern:only; pcre:"/systempath=(https?|ftps?|php)/i";
metadata:service http; reference:bugtraq,9732;
classtype:web-application-attack; sid:2575; rev:8;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote
file include attempt"; flow:to_server,established;
content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri;
content:"admin_root="; pcre:"/admin_root=(https?|ftps?|php)/";
metadata:service http; reference:bugtraq,7542; reference:bugtraq,7543;
reference:bugtraq,7625; reference:nessus,11636;
classtype:web-application-attack; sid:2150; rev:16;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file
include attempt"; flow:to_server,established; content:"/index.php";
fast_pattern; nocase; http_uri; content:"file=";
pcre:"/file=(https?|ftps?|php)/i"; metadata:service http;
reference:bugtraq,3889; reference:cve,2002-0206;
classtype:web-application-attack; sid:1399; rev:20;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php
remote file include attempt"; flow:to_server,established;
content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri;
content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:service
http; reference:nessus,11667; classtype:web-application-attack;
sid:2143; rev:12;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file
include attempt"; flow:to_server,established; content:"lib.inc.php";
fast_pattern; nocase; http_uri; content:"pm_path=";
pcre:"/pm_path=(https?|ftps?|php)/"; metadata:service http;
reference:bugtraq,7919; reference:nessus,11739;
classtype:web-application-attack; sid:2226; rev:16;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP ME Download System remote file
include in header.php Vb8878b936c2bd8ae0cab";
flow:to_server,established; content:"header.php"; fast_pattern:only;
http_uri; content:"Vb8878b936c2bd8ae0cab="; nocase;
pcre:"/Vb8878b936c2bd8ae0cab=(https?|ftps?)/i"; metadata:service http;
reference:bugtraq,19336; reference:cve,2006-4053;
classtype:web-application-attack; sid:20652; rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Akarru remote file include in
main_content.php bm_content"; flow:to_server,established;
content:"main_content.php"; fast_pattern:only; http_uri;
pcre:"/\x2Fmain_content\.php?[^\r\n]*?bm_content=(https?|ftps?)/Ui";
metadata:service http; reference:bugtraq,19870;
reference:cve,2006-4645; classtype:web-application-activity;
sid:20631; rev:4;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Modernbill remote file include
in config.php DIR"; flow:to_server,established; content:"config.php";
fast_pattern:only; http_uri; content:"DIR"; nocase;
pcre:"/DIR=(https?|ftps?)/i"; metadata:service http;
reference:bugtraq,19335; reference:cve,2006-4034;
classtype:web-application-attack; sid:20651; rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Free File Hosting remote file
include in forgot_pass.php ad_body_temp"; flow:to_server,established;
content:"forgot_pass.php"; fast_pattern:only; http_uri;
content:"ad_body_temp"; nocase; pcre:"/ad_body_temp=(https?|ftps?)/i";
metadata:service http; reference:bugtraq,20781;
reference:cve,2006-5762; classtype:web-application-attack; sid:20657;
rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP AnnoncesV remote file include
in annonce.php page"; flow:to_server,established;
content:"annonce.php"; fast_pattern:only; http_uri;
pcre:"/\x2Fannonce\.php?[^\r\n]*?page=(https?|ftps?)/Ui";
metadata:service http; reference:bugtraq,19854;
reference:cve,2006-4622; classtype:web-application-activity;
sid:20632; rev:4;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP GrapAgenda remote file include
in index.php page"; flow:to_server,established; content:"index.php";
fast_pattern:only; http_uri; content:"page"; nocase;
pcre:"/page=(https?|ftps?)/i"; metadata:service http;
reference:bugtraq,19857; reference:cve,2006-4610;
classtype:web-application-attack; sid:20654; rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Boite de News remote file
include in inc.php url_index"; flow:to_server,established;
content:"url_index="; fast_pattern:only; http_uri;
pcre:"/\x2F(inc2?|index)\.php?[^\r\n]*?url_index=(https?|ftps?)/Ui";
metadata:service http; reference:bugtraq,19440;
reference:cve,2006-4123; classtype:web-application-activity;
sid:20633; rev:4;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP GestArtremote file include in
aide.php3 aide"; flow:to_server,established; content:"aide.php3";
fast_pattern:only; http_uri; content:"aide"; nocase;
pcre:"/aide=(https?|ftps?)/i"; metadata:service http;
reference:bugtraq,22825; reference:cve,2006-5612;
classtype:web-application-attack; sid:20656; rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP MyNewsGroups remote file
include in layersmenu.inc.php myng_root"; flow:to_server,established;
content:"layersmenu.inc.php"; fast_pattern:only; http_uri;
content:"myng_root"; nocase; pcre:"/myng_root=(https?|ftps?)/i";
metadata:service http; reference:bugtraq,19258;
reference:cve,2006-3966; classtype:web-application-attack; sid:20650;
rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Flashchat remote file include
in aedating4CMS.php"; flow:to_server,established;
content:"/aedating4CMS.php"; nocase; http_uri; content:"dir[inc]=";
nocase; http_uri;
pcre:"/\x2Faedating4CMS\.php?[^\r\n]*?dir\[inc\]=(https?|ftps?)/Ui";
metadata:service http; reference:bugtraq,19826;
reference:cve,2006-4583; classtype:web-application-activity;
sid:20680; rev:3;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Comet WebFileManager remote
file include in CheckUpload.php Language"; flow:to_server,established;
content:"CheckUpload.php"; fast_pattern:only; http_uri;
pcre:"/Language=(https?|ftps?)/i"; metadata:service http;
reference:bugtraq,19433; reference:cve,2006-4077;
classtype:web-application-attack; sid:20663; rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP Sabdrimer remote file include
in advanced1.php pluginpath[0]"; flow:to_server,established;
content:"pluginpath[0]="; fast_pattern:only; http_uri;
pcre:"/\x2Fadvanced1\.php\?[^\r\n]*?pluginpath\x5B0\x5D=(https?|ftps?)/Ui";
metadata:policy security-ips drop, service http;
reference:bugtraq,18907; reference:cve,2006-3520;
classtype:web-application-attack; sid:20732; rev:5;)
/home/jamie/Desktop/rules/web-php.rules:# alert tcp $EXTERNAL_NET any
-> $HOME_NET $HTTP_PORTS (msg:"WEB-PHP WoW Roster remote file include
with hslist.php and conf.php"; flow:to_server,established;
content:"subdir="; fast_pattern:only; http_uri;
pcre:"/\x2F(conf|hslist)\.php\?[^\r\n]*?subdir=(https?|ftps?)/Ui";
metadata:service http; reference:cve,2006-3997;
reference:cve,2006-3998; classtype:web-application-attack; sid:20728;
rev:3;)


-- 
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden




More information about the Snort-sigs mailing list