[dokuwiki] Re: attempt to use possible vulnerability of dokuwiki

  • From: Jonathan Dill <jonathan@xxxxxxxxx>
  • To: dokuwiki@xxxxxxxxxxxxx
  • Date: Wed, 06 Feb 2008 16:05:00 -0500

Correction, I think the desired output may actually be:

c6db3524fe71d6c576098805a07e79e4. md5()

Within a few days, it's possible that you will be able to do a web search for that and get a list of sites that would be vulnerable to executing arbitrary PHP code from a third-party site.

http://ravenphpscripts.com/postt14728.html
http://www.pure-chaos.org/2007/11/25/remote-file-inclusion-galore-2/#high_1

Jonathan Dill wrote:
Interesting, if you decode that URL and (carefully!) plug it into a web browser, the target brings up a page that says:

<?php echo md5("just_a_test");?>

Several articles talking about it, but nobody seems to know what it really is yet except it looks like they are just testing to see if they can inject PHP code into your site and have it execute rather than just display the code as text--in other words, if you see the PHP code the attack was partially successful, but if the test was completely successful, you would get back e3c7bd85137405f123258cc1a4b42c4f which is the md5 hash of "just_a_test" rather than the raw PHP code in text format. Presumably, this is a "holding space" for bad code to be uploaded and executed later, at the moment they are just checking to see if they can upload code and have it execute.

http://web.dtbaker.com.au/post/catching_echo_md5_just_a_test_exploit_attempts

http://groups.google.com/group/alt.comp.lang.php/browse_thread/thread/378872f04bf1c156

http://www.cubecart.com/site/forums/index.php?showtopic=32171

http://www.megginson.com/blogs/quoderat/2008/02/04/strange-web-exploit-attempt/

Jonathan


--
DokuWiki mailing list - more info at
http://wiki.splitbrain.org/wiki:mailinglist
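
Added example, not part of the original post or of DokuWiki: a Python check a site owner could run to find this kind of probe in an access log and to classify what their own server returned for it, following the three outcomes described in the message above. The log lines, hosts, paths and parameter names are constructed, and the marker hash is computed at run time rather than copied from the thread.

```python
import hashlib
import re
from urllib.parse import parse_qsl, unquote, urlsplit

MARKER = "just_a_test"  # string inside the probe payload quoted in the message
MARKER_MD5 = hashlib.md5(MARKER.encode()).hexdigest()  # computed, not copied
REMOTE_URL = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def remote_url_params(log_line):
    """Return [(param, value)] for query parameters whose value is a remote URL."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; this catches double encoding
        if REMOTE_URL.match(value):
            hits.append((name, value.strip()))
    return hits

def classify_response(body):
    """Classify what our own server returned for a logged probe request."""
    if MARKER_MD5 in body.lower():
        return "executed"          # remote PHP ran on our server
    if "<?php" in body and MARKER in body:
        return "included-as-text"  # remote file pulled in, code shown as text
    return "no-marker"

def triage(log_lines):
    """Map client address -> [(param, url)] for requests carrying a remote URL."""
    findings = {}
    for line in log_lines:
        hits = remote_url_params(line)
        if hits:
            findings.setdefault(line.split(" ", 1)[0], []).extend(hits)
    return findings

# Constructed access-log lines (combined format); hosts, paths and parameters are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2008:15:01:12 -0500] "GET /doku.php?id=http%3A%2F%2Fprobe.example%2Ftest.txt%3F HTTP/1.1" 200 5120',
    '198.51.100.4 - - [06/Feb/2008:15:02:40 -0500] "GET /doku.php?id=wiki:syntax HTTP/1.1" 200 20480',
    '203.0.113.7 - - [06/Feb/2008:15:03:05 -0500] "GET /index.php?page=http%253A%252F%252Fprobe.example%252Ftest.txt HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for client, hits in triage(SAMPLE_LOG).items():
        print(client, hits)
```

A hit from `remote_url_params` only shows that a probe was sent; `classify_response` on the body your server returned for that request tells you whether the remote file was ignored, displayed as text, or executed.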
