Nytro, Posted January 2, 2013

Known RFI Payload Reference Hashes

One of the attacks we see the most when running a WordPress based blog, or really any web service, is RFI attacks. The attackers try to abuse poorly designed software or configurations to run their code on our servers. These vulnerabilities have become strangely common due to lazy/greedy developers copying and pasting insecure code into their plugins/themes and not properly updating them when vulnerabilities are found. The most common is the TimThumb attack. You can see the details of this attack here in an article written by MaXe (@intern0t), who was researching a lot of botnets based on this exploit alongside me when researching for Insecurity of Poorly Designed Remote File Inclusion Vulnerabilities: Pt 1.

In this attack (and quite a few others), the payloads are stored as an MD5 of the URL to the payload. It is actually so common that quite a few of them can be googled, and live versions of these payloads can be found on servers. If you have the source code to those payloads (some of which are stored at my decoder) you can then use those payloads to remove the infection from that server (might not be legal depending on your country of residence). Also, you can use a list of the hashes of the known URLs to make sure your system is not compromised.

Since I have been archiving every RFI payload that shows up on my WAF, in Attack Scanner, every one I get from Irongeek's Webshell and RFI collection, then any submitted by any site running any of the scripts I've put out to collect these shells, I decided that I should release a list of these hashes, since I was basically already storing them with a very similar naming scheme. For the first version of the list, I just put them up on pastebin.
I figure at some later point when I have more storage, I will incorporate it into the decoder and make a full API for querying the lists of data, as well as more information from the decoder itself.

RFI Payload Locations

.php was appended to make searching for the files on your file system easier.

Source: https://www.ballastsecurity.net/php/known-rfi-payload-reference-hashes/
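An added example of the check the post describes (not code from the post or from the ballastsecurity.net decoder): hash a list of known payload URLs with MD5, append ".php" as the published list does, and walk a cache directory looking for files with those names. The URLs and the cache tree below are constructed placeholders, and the hashing assumes a plain MD5 of the URL string, as the post states.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Constructed placeholder URLs, not real indicators from any list.
KNOWN_PAYLOAD_URLS = [
    "http://example.invalid/images/shell.php",
    "http://example.invalid/img/cache.txt",
]


def reference_hash(url: str) -> str:
    """MD5 hex digest of the payload URL plus the ".php" suffix the
    published list appends, giving the filename to look for on disk."""
    return hashlib.md5(url.encode("utf-8")).hexdigest() + ".php"


def build_reference_set(urls: List[str]) -> Dict[str, str]:
    """Map each reference filename back to the URL it was derived from."""
    return {reference_hash(u): u for u in urls}


def scan_for_cached_payloads(root: str, refs: Dict[str, str]) -> List[dict]:
    """Walk a directory tree (for example a TimThumb cache directory) and
    report every file whose name equals a known reference hash."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in refs:
                hits.append({"path": os.path.join(dirpath, name), "url": refs[name]})
    return hits


def demo() -> List[dict]:
    """Constructed cache tree with one matching file and one benign file."""
    refs = build_reference_set(KNOWN_PAYLOAD_URLS)
    with tempfile.TemporaryDirectory() as root:
        cache_dir = os.path.join(root, "cache")
        os.makedirs(cache_dir)
        for fname in (reference_hash(KNOWN_PAYLOAD_URLS[0]), "thumb.jpg"):
            with open(os.path.join(cache_dir, fname), "wb") as fh:
                fh.write(b"")  # contents are irrelevant; the name is the indicator
        return scan_for_cached_payloads(root, refs)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']} <- {hit['url']}")
```

Run it against a real site by replacing the placeholder URL list with entries from the published list and pointing scan_for_cached_payloads at the web root.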