#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2005
    Location
    Vancouver, WA, USA
    Posts
    425
    Rep Power
    0

    Is this vulnerable?


    I am not a PERL programmer. My language of choice is PHP.

    A client has a website that keeps getting hacked. I found this file on the site, and it looks to me, like it might be used to deliver a malware payload. Again, I don't know PERL.

    Does this look malicious? To me it looks like someone can pass GET or POST data to it, to modify files.

    Code:
    #!/usr/bin/perl
    
    sub parse_form_data
    {
        local (*FORM_DATA) = @_;
        local  ( $request_method, $query_string, @key_value_pairs, $key_value, $key, $value);
        $request_method = $ENV{'REQUEST_METHOD'};
        if ($request_method eq "GET") {
            $query_string = $ENV{'QUERY_STRING'};
        } elsif ($request_method eq "POST") {
            read (STDIN, $query_string, $ENV{'CONTENT_LENGTH'});
        };
        @key_value_pairs = split(/&/, $query_string);
        foreach $key_value (@key_value_pairs) {
            ($key, $value) = split (/=/, $key_value);
            if (defined($value)) {$value =~ tr/+/ /;
                $value =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack ("C", hex ($1))/eg;};
            if (defined($FORM_DATA{$key})) {
                $FORM_DATA{$key} = join (" ", $FORM_DATA{$key}, $value);
            } else {
                $FORM_DATA{$key} = $value;
            }
        }
    }; # end of sub
    
    &parse_form_data(*simple_form);
    $t = time;
    chdir ($ENV{'DOCUMENT_ROOT'}) ; chdir("..");
    open (OUTFILE, ">data/gdform_$t") or die ("Cannot open file");
    while (($key , $value) = each(%simple_form)) {
    
      print OUTFILE "<GDFORM_VARIABLE NAME=$key START>\n";
      print OUTFILE "$value\n";
      print OUTFILE "<GDFORM_VARIABLE NAME=$key END>\n";
      if ($key eq "redirect") { $landing_page = $value;}
    
    }
    close (OUTFILE);
    if ($landing_page ne "") {
      print "Location: https://$ENV{'HTTP_HOST'}/$landing_page\n\n";
    } else {
      print "Location: https://$ENV{'HTTP_HOST'}/\n\n";
    }
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Apr 2009
    Posts
    2,233
    Rep Power
    1298
    That's a very poorly written script.

    It doesn't modify any existing files. It creates a new file and stores the key/value pairs of a form submission and then does a redirect to either the home page or some other page within the same site.

    It's a very common type of script (in either Perl or PHP) but this one is very poorly implemented.

    Comments on this post

    • ttremain agrees : Thank you

IMN logo majestic logo threadwatch logo seochat tools logo