by fapjacks
3008 days ago
Hej! Thanks for curl! And since you asked, here's a really dumb one... Many years ago, a friend of mine ran one of those super cool hacker forums where noobs get together and talk about how great they are at hacking. I didn't participate, but one day he came to me and told me that his forum was hacked! He had a janky PHP alert set up to notify him if/when a forum user was added to the MySQL database with admin privileges, or if a user was modified to upgrade existing privileges. He said that one of his most trusted co-admins was using the console at the time and was running a PHP script given to him by a person this co-admin trusted. The PHP script seemed totally harmless, but it was grabbing and eval()ing some PHP from the network in an innocent-looking function that checked for updates. My friend and his co-admin of course loaded the script via browser and via curl and it was totally harmless, checking for script updates and exiting. They concluded it must have just been a coincidence and started looking elsewhere without any luck. This is when my friend asked me for help. I logged into the machine and started looking around, but I mean c'mon, it had to have been that update function, right? It was my habit at the time to nullify my user-agent when using curl, just out of muscle memory, and I curled the URL and indeed! There it was, the "update" function now clearly running malicious PHP to give this "trusted" third party admin privileges in the forum database. PHP of course was using libcurl to get the script, and by default it was using a blank user-agent string. The malicious server was serving up the malicious script only to requests with a blank user-agent string. Turns out, this "trusted" third party had been slowly gathering information about the custom forum software and database structure from the co-admin over some time, in the form of giving him advice for building it and modifying it, finally striking when he had enough information.
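The check that closed the case above, as an added example that is not part of the original comment: a local stand-in server that answers differently when the User-Agent header is blank or missing, and a probe that fetches the same path under several User-Agent values and flags the responses that differ from the rest. The server, the path /update.php, the two response bodies and the User-Agent labels are all constructed for the demo.

```python
import hashlib
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
# Constructed stand-in for the "update" server in the story: the body differs
# only when the User-Agent header is missing or blank (what PHP's libcurl call
# sent by default), so checks made from a browser or from curl looked clean.
BENIGN = b"<?php /* no update available */ ?>"
CLOAKED = b"<?php /* different body, served only to a blank User-Agent */ ?>"

class CloakingHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent")
        body = CLOAKED if ua is None or ua.strip() == "" else BENIGN
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # silence per-request logging in the demo

def probe_variants(host, port, path, user_agents):
    """Fetch path once per User-Agent (None = header omitted); return {label: sha256}."""
    digests = {}
    for label, ua in user_agents.items():
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.putrequest("GET", path, skip_accept_encoding=True)
        if ua is not None:
            conn.putheader("User-Agent", ua)
        conn.endheaders()
        digests[label] = hashlib.sha256(conn.getresponse().read()).hexdigest()
        conn.close()
    return digests

def find_outliers(digests):
    """Labels whose body differs from the most common one: worth a closer look."""
    common = Counter(digests.values()).most_common(1)[0][0]
    return sorted(label for label, d in digests.items() if d != common)

def run_demo():
    srv = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    variants = {"browser": "Mozilla/5.0 (demo)", "curl": "curl/8.0.0",
                "wget": "Wget/1.21", "blank": "", "none": None}
    try:
        return find_outliers(probe_variants("127.0.0.1", srv.server_address[1],
                                            "/update.php", variants))
    finally:
        srv.shutdown()
```

Comparing digests across several User-Agent values is the repeatable form of the manual check in the story; a fetched script that is about to be eval()'d should be treated as untrusted input regardless of what one request happened to return.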