How does this url string exploit work?

Red Squirrel

No Lifer
May 24, 2003
Was going through my apache logs and noticed something odd:

Code:
http://www.domain.com/forum/profile.php?mode=register&agreed=true+[PLM=0][R]+GET+http://www.domain.com/forum/profile.php?mode=register&agreed=true+[0,22775,73872]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24840,72900]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24786,73546]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24790,73924]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24787,71358]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24792,68993]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24810,71620]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24780,72478]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24780,73294]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24794,70450]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24788,72995]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24798,74102]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24770,74439]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,25043,72787]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24778,73611]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24784,74963]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24819,71517]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24783,73370]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24788,73592]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24794,72943]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,25024,72774]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24798,73530]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24791,69749]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,24803,73392]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,0,27325]+-%3E+[N]+GET+http://www.domain.com/forum/viewtopic.php?t=6478+[12329,0,42900]

This string was able to fetch a row from my database and do a print_r of it right on the web page, basically exposing a forum user's MD5 password hash among other things.

How does this even work? Obviously it's some kind of injection, but how does php interpret it, what does it do with it exactly? I need to fix that flaw, and look for other similar flaws.

Considering it has GET and POST in it, I'm even wondering if it's exploiting not just the php script but the web server itself? You normally would not use GET/POST when talking directly to a php script. Though I suppose if the script uses any kind of queries directly to the web server maybe...
 

code65536

Golden Member
Mar 7, 2006
Not really possible to tell without looking at the code in this profile.php...
 

Red Squirrel

No Lifer
May 24, 2003
Not really possible to tell without looking at the code in this profile.php...

It's phpbb 2.0.21 with very little changes. But I'm more curious as to how php even interprets that URL, like what does it do with it? It's not like it's just a standard query string, it's something rather convoluted, most likely generated by a script. Is it some kind of memory overrun exploit and those numbers in brackets are memory addresses or something?

Basically whatever that exploit technique is I want to make sure I account for it when coding my own stuff.
 

code65536

Golden Member
Mar 7, 2006
It's phpbb 2.0.21 with very little changes. But I'm more curious as to how php even interprets that URL, like what does it do with it?

It passes it along to the PHP script? :p

PHP itself does very little with it. Decoding of encoded elements, basically. The problem isn't with PHP itself. It's with the forum software that's written in PHP.
 

Red Squirrel

No Lifer
May 24, 2003
You're using 8yr old forum software written in PHP... not surprised it has vulnerabilities.

http://www.cvedetails.com/vulnerabi...ersion_id-36841/Phpbb-Group-Phpbb-2.0.21.html

True, but it's kinda unrealistic to constantly update, especially if it has any kind of mods, or is even an active forum. I may possibly merge it with another forum, as I'm working on this project to merge all my forums together into one single forum to make management easier. Even if I do update, a day later there's another version out.

But I'm still trying to figure out exactly how this string works, that way I can audit my code and look for vulnerabilities and fix them for good.

Like can someone break it down and tell me what each part is doing? It seems like it's doing a lot of the same thing repeatedly so just need a general gist of it.

I know how ?var=val&var2=val2 query strings work like, but this is completely different than anything I've seen. There is no mod_rewrite stuff going on either.
 

Red Squirrel

No Lifer
May 24, 2003
It passes it along to the PHP script? :p

PHP itself does very little with it. Decoding of encoded elements, basically. The problem isn't with PHP itself. It's with the forum software that's written in PHP.

Yeah but I want to know, basically, what is done in the php code to do stuff with that url. Ex: I know that if I have ?var=val in the url in php I would do something like this to handle the variable (in this case printing it, but I could store it in another var, act upon it etc) :

Code:
echo($_GET['var']);

But I don't understand what that url exploit is doing and how it is processed in php. Basically, what do I need to look for in my code to fix this exploit.

Like what does this do:

Code:
+[PLM=0][R]+GET+

Or this:

Code:
+[0,22775,73872]+-%3E+[R]+POST+

That has nothing to do with $_GET or $_POST, so what else could it be doing that I need to look out for when coding stuff? Typically I'm used to looking for stuff like injection, so I'm dealing with GET/POST mostly, but this is completely different than anything I've ever seen.

After playing around with that exploit though, it seems you actually have to be logged in for it to show anything, so if this was a random passer by bot chances are it did not get anything out of it, but still something I want to understand as there may be other exploits possible with this kind of query string, either in phpbb, or other code.
 
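As an added example (not code from the thread), here is a small Python script that decodes the logged request the way PHP's query-string parser would, and then splits the decoded tail into the chain of bracketed tags, methods, URLs and number triples it is built from; the sample request is a shortened copy of the log line above. The log alone does not say what the numbers mean, so the script only extracts them.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Shortened copy of the request from the Apache log above (a constructed sample;
# the real line repeats the POST step about two dozen times).
LOGGED_REQUEST = (
    "/forum/profile.php?mode=register&agreed=true+[PLM=0][R]+GET"
    "+http://www.domain.com/forum/profile.php?mode=register&agreed=true"
    "+[0,22775,73872]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php"
    "+[0,24840,72900]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php"
    "+[0,0,27325]+-%3E+[N]+GET+http://www.domain.com/forum/viewtopic.php?t=6478"
    "+[12329,0,42900]"
)
# One step of the chain once decoded looks like "[X] METHOD url [n,n,n]".
STEP_RE = re.compile(r"\[(?P<tag>[A-Z])\] (?P<method>GET|POST) (?P<url>\S+) \[(?P<nums>[\d,]+)\]")

def php_get(request_uri):
    """Emulate how PHP fills $_GET: text after the first '?', split on '&', each
    pair split on its first '=', then '+' and %XX decoded. A repeated key (as
    'agreed' is here) keeps its last value, so most of the odd tail simply
    becomes the value of $_GET['agreed']."""
    _, _, query = request_uri.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def split_chain(request_uri):
    """Decode the whole query string and split its '->'-separated chain into
    (tag, method, url, numbers) tuples. The log alone does not say what the
    numbers mean, so they are extracted but not interpreted."""
    _, _, query = request_uri.partition("?")
    steps = []
    for chunk in unquote_plus(query).split("->"):
        m = STEP_RE.search(chunk)
        if m:
            nums = tuple(int(n) for n in m["nums"].split(","))
            steps.append((m["tag"], m["method"], m["url"], nums))
    return steps

def summarize(steps):
    """Count (method, path) pairs so a long chain reads as one line per target."""
    return Counter((method, urlsplit(url).path) for _, method, url, _ in steps)

if __name__ == "__main__":
    for key, value in php_get(LOGGED_REQUEST).items():
        print(f"$_GET[{key!r}] = {value[:50]!r}...")
    for (method, path), n in summarize(split_chain(LOGGED_REQUEST)).items():
        print(f"{n:3d} x {method} {path}")
```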

Mark R

Diamond Member
Oct 9, 1999
I think it's something to do with apache URL rewriting. [R] and [N] are typical commands for that. For example, [R] means in the event of a match, issue a redirect to the following URL.

At the same time, however, %3E means > - which is an HTTP code for redirect to the following URL.

So, it's possible that this URL contains several similar methods to try to run. It looks like the payload contains a ton of different URL redirections. I can't see how it's being injected, but I'm guessing the PHP code is passing something into a script parameter, which is then getting executed. No idea why it needs so many redirects, maybe it's trying to overflow something, possibly a buffer overflow in the apache rewriter.

Easiest way to deal with this sort of crap is to set up your own rewrite rules that redirect URLs which contain shady looking stuff, such as brackets, the word "script", double periods, etc., to a static HTML page saying "error" or something vague. Here are a few example rewrite rules:
Link
 
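As an added example (not code from the post above), the same heuristic applied after the fact over access-log lines in Python rather than in mod_rewrite: each request target is decoded the way PHP decodes a query string before the check runs, so percent-encoded brackets are caught too. The log lines are constructed, with the first modelled on the request in this thread.

```python
import re
from urllib.parse import unquote_plus

# Apache combined-log line; only the client, method and request target are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3}'
)
# The heuristics suggested above: brackets, the word "script", double periods.
SHADY_RE = re.compile(r"[\[\]<>]|script|\.\.", re.IGNORECASE)

# Constructed sample log; the first line is modelled on the request in this thread,
# the third hides its brackets behind %XX escapes.
SAMPLE_LOG = """\
203.0.113.9 - - [10/May/2011:03:14:07 +0000] "GET /forum/profile.php?mode=register&agreed=true+[PLM=0][R]+GET+http://www.domain.com/forum/profile.php+[0,22775,73872]+-%3E+[R]+POST+http://www.domain.com/forum/profile.php+[0,0,27325] HTTP/1.1" 200 5120
198.51.100.4 - - [10/May/2011:03:15:22 +0000] "GET /forum/viewtopic.php?t=6478 HTTP/1.1" 200 8701
198.51.100.7 - - [10/May/2011:03:16:01 +0000] "GET /forum/viewtopic.php?t=%5B0%2C1%5D HTTP/1.1" 200 8701
"""

def parse_line(line):
    """Return (client, method, decoded request target) for one log line, or None
    when the line is not in combined-log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode first: PHP sees %5B as '[' and %3E as '>', so a check on the raw
    # text would miss anything the client chose to percent-encode.
    return m["ip"], m["method"], unquote_plus(m["target"])

def flag_shady(log_text):
    """Return (client, method, matched fragment) for every line whose decoded
    request target trips one of the heuristics."""
    flagged = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        hit = SHADY_RE.search(parsed[2])
        if hit:
            flagged.append((parsed[0], parsed[1], hit.group(0)))
    return flagged

if __name__ == "__main__":
    for client, method, fragment in flag_shady(SAMPLE_LOG):
        print(f"{client} {method} matched {fragment!r}")
```

A server-side RewriteCond on %{QUERY_STRING} is matched against the raw, still-encoded query string, so a rule there has to list the encoded forms (%5B, %3E and so on) as well as the literal characters.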

Red Squirrel

No Lifer
May 24, 2003
Hmm so would it also be an apache exploit too then? I did not figure rewriting could be done outside of htaccess parameters or the main config file. My apache is fairly up to date as far as I know, well, perhaps not because I'm at the mercy of whatever version my distro updates to. Downside of using package managers...

I'll be moving to a new server soon so during that process I'll be able to get a newer distro too.