Re: (OT) Understanding phpbb hack.

To: Debian-User <debian-user@lists.debian.org>
Subject: Re: (OT) Understanding phpbb hack.
From: David Dorward <dorward@gmail.com>
Date: Tue, 25 Jan 2005 11:53:55 +0000
Message-id: <[🔎] 1b5927405012503532e3aab6f@mail.gmail.com>
Reply-to: David Dorward <dorward@gmail.com>
In-reply-to: <[🔎] 41F62A7E.3080803@htmlfixit.com>
References: <[🔎] 41F62A7E.3080803@htmlfixit.com>

On Tue, 25 Jan 2005 19:16:14 +0800, Franki <franki@htmlfixit.com> wrote:
> A client of mine was hacked using a phpbb exploit.
 
> %2527%252esystem(chr(101)

> Does anyone know of a perl script or something that can convert this
> back to a string of human readable shell commands??

Its double URL encoded with a bunch of decimal chr commands, this
should get you started:

#!/usr/bin/perl
use strict;
use warnings;

my $string = "viewtopic.php?t=509&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)+%252echr(111)%252echr(32";

$string =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; # Deurlencode
$string =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; # Twice
$string =~ s/chr\((\d*)\)/chr($1)/eg; # Convert chr commands to their output

print $string , "\n";



-- 
David Dorward <http://dorward.me.uk><http://blog.dorward.me.uk>

Reply to:

Follow-Ups:
- Re: (OT) Understanding phpbb hack.
  - From: Franki <franki@htmlfixit.com>

References:
- (OT) Understanding phpbb hack.
  - From: Franki <franki@htmlfixit.com>

Prev by Date: Re: routing table problem after power failure (sarge)
Next by Date: Re: Secure opening of ports
Previous by thread: (OT) Understanding phpbb hack.
Next by thread: Re: (OT) Understanding phpbb hack.
Index(es):
- Date
- Thread