Hackers Bypassing Registration With PyCurl
By Dan Morrill
Article Date: 2007-12-12
There is an interesting hacking attack going on at a social networking site that I am working on today.
It seems that the hacker is using PycURL to bypass the registration page and dump users right into the system.
It looks like the piece of offending code in the user.php file is
if($this->id===0) {
    // New account: take the id of the row just inserted
    $this->id = $db->insert_id;
} else {
    // Username is never updated
    $sql = "UPDATE " . table_users . " set user_avatar_source='$user_avatar_source' ";
    $extra_vars = $this->extra;
    if(is_array($extra_vars)){
        // Column names and values from $this->extra are concatenated into the query as-is
        foreach($extra_vars as $varname => $varvalue){
            $sql .= ", " . $varname . " = '" . $varvalue . "' ";
        }
    }
    // Every remaining field is interpolated straight into the SQL string
    $sql .= " , user_login='$user_login', user_occupation='$user_occupation', user_location='$user_location', public_email='$user_public_email', user_level='$user_level', user_karma=$user_karma, user_date=FROM_UNIXTIME($user_date), user_pass='$saltedpass', user_email='$user_email', user_names='$user_names', user_url='$user_url', user_aim='$user_aim', user_msn='$user_msn', user_yahoo='$user_yahoo', user_gtalk='$user_gtalk', user_skype='$user_skype', user_irc='$user_irc' WHERE user_id=$this->id";
    //die($sql);
}
What ends up happening in the database is this.
It looks like the users are being generated by a bot of some sort that is using the PycURL library to bypass the login system and the captcha that is required to validate a user. Rather than solving the captcha, it is just dumping in users by latching directly onto the user.php file.
The reason I say this is a bot is that the IP addresses are all over the map. Moreover, the requests are too close together to be a person typing them. The log looks like this, entry by entry: nothing but POSTs.
2007-12-11 22:44:18 W3SVC9885 208.67.80.207 POST /user.php login=FredLeo 80 - 69.254.189.23 HTTP/1.1 PycURL/7.17.1 - - www.yasvs.com 200 0 0 26974 558 6406
2007-12-11 22:44:19 W3SVC9885 208.67.80.207 POST /register.php - 80 - 68.84.10.116 HTTP/1.1 PycURL/7.17.1 - - www.yasvs.com 200 0 0 20081 616 2812
2007-12-11 22:44:26 W3SVC9885 208.67.80.207 GET /ts_image.php ts_random=86714782 80 - 68.84.10.116 HTTP/1.1 PycURL/7.17.1 - -
But the time hacks in the database look like this.
What makes this interesting is that, while this is nothing new, it is the first time I have seen PycURL used to bypass the entire registration process and simply dump users into a system, using the insert command followed by the data the system needs to generate the user account.
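The pattern in the log above (a scripting User-Agent hitting the registration endpoints from many different client addresses, seconds apart) is something that can be checked for automatically rather than spotted by eye. The following Python script is an added example, not code from the article or from the site's software. It parses IIS W3C extended log lines in the same field order as the entries quoted above and flags bursts of scripted registration requests. The log lines embedded in it are constructed for the example (documentation-range addresses and a placeholder host); the endpoint list, the User-Agent prefixes, and the 60-second window with a three-request threshold are assumptions.

```python
"""Flag scripted registration traffic in IIS W3C extended log lines.

Added example: the signals are the ones the article points at, namely a
scripting User-Agent (PycURL/x.y.z) hitting the registration endpoints,
many distinct client addresses, and requests spaced too tightly for a human.
"""
from datetime import datetime, timedelta

# Field order of the log entries quoted in the article (IIS 6 default set).
FIELDS = [
    "date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
    "cs-uri-query", "s-port", "cs-username", "c-ip", "cs-version",
    "cs(User-Agent)", "cs(Cookie)", "cs(Referer)", "cs-host", "sc-status",
    "sc-substatus", "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken",
]

# Assumed: the endpoints that create or update accounts on the site.
REGISTRATION_URIS = {"/register.php", "/user.php"}
# Assumed: User-Agent prefixes of HTTP libraries that never render a captcha.
SCRIPTED_UA_PREFIXES = ("PycURL/", "curl/", "Python-urllib", "libwww-perl")


def parse_iis_line(line):
    """Parse one W3C line into a dict keyed by FIELDS; None for comments/blanks.

    IIS writes '+' for spaces inside the User-Agent, so splitting on
    whitespace is safe. Truncated lines simply lack the trailing keys.
    """
    if not line.strip() or line.startswith("#"):
        return None
    rec = dict(zip(FIELDS, line.split()))
    rec["timestamp"] = datetime.strptime(
        rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def is_scripted_registration(rec):
    """True when a registration endpoint is hit by a scripting User-Agent."""
    return (rec.get("cs-uri-stem") in REGISTRATION_URIS
            and rec.get("cs(User-Agent)", "").startswith(SCRIPTED_UA_PREFIXES))


def analyze(lines, window=timedelta(seconds=60), min_hits=3):
    """Summarise scripted registration activity in a batch of log lines.

    `alert` is set when at least `min_hits` scripted registration requests
    fall inside any span of length `window`.
    """
    recs = [r for r in map(parse_iis_line, lines) if r is not None]
    hits = sorted((r for r in recs if is_scripted_registration(r)),
                  key=lambda r: r["timestamp"])

    # Densest burst: most scripted hits inside any window starting at a hit.
    max_in_window = 0
    for i, first in enumerate(hits):
        count = sum(1 for r in hits[i:]
                    if r["timestamp"] - first["timestamp"] <= window)
        max_in_window = max(max_in_window, count)

    # Gaps between consecutive scripted hits; a person needs more than a second.
    gaps = [(b["timestamp"] - a["timestamp"]).total_seconds()
            for a, b in zip(hits, hits[1:])]

    return {
        "scripted_hits": len(hits),
        "distinct_ips": len({r["c-ip"] for r in hits}),
        "user_agents": sorted({r["cs(User-Agent)"] for r in hits}),
        "max_hits_in_window": max_in_window,
        "min_gap_seconds": min(gaps) if gaps else None,
        "alert": max_in_window >= min_hits,
    }


# Constructed sample log (TEST-NET addresses, placeholder host), shaped like
# the article's entries: a PycURL burst from four addresses, then one real
# browser session that reads the form and submits it a minute later.
SAMPLE_LOG = [
    "2007-12-11 22:44:18 W3SVC1 198.51.100.7 POST /user.php login=FredLeo 80 - 192.0.2.10 HTTP/1.1 PycURL/7.17.1 - - www.example.net 200 0 0 26974 558 6406",
    "2007-12-11 22:44:19 W3SVC1 198.51.100.7 POST /register.php - 80 - 192.0.2.11 HTTP/1.1 PycURL/7.17.1 - - www.example.net 200 0 0 20081 616 2812",
    "2007-12-11 22:44:26 W3SVC1 198.51.100.7 GET /ts_image.php ts_random=86714782 80 - 192.0.2.11 HTTP/1.1 PycURL/7.17.1 - -",
    "2007-12-11 22:44:27 W3SVC1 198.51.100.7 POST /register.php - 80 - 192.0.2.12 HTTP/1.1 PycURL/7.17.1 - - www.example.net 200 0 0 20081 616 2500",
    "2007-12-11 22:44:28 W3SVC1 198.51.100.7 POST /register.php - 80 - 192.0.2.13 HTTP/1.1 PycURL/7.17.1 - - www.example.net 200 0 0 20081 616 2611",
    "2007-12-11 22:51:02 W3SVC1 198.51.100.7 GET /register.php - 80 - 192.0.2.50 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - - www.example.net 200 0 0 18000 400 150",
    "2007-12-11 22:52:40 W3SVC1 198.51.100.7 POST /register.php - 80 - 192.0.2.50 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - - www.example.net 200 0 0 20081 700 300",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Run against the constructed log, the burst is reported as four scripted hits from four distinct addresses within one window, with a minimum gap of one second, while the browser session contributes nothing. The same counters are what you would feed a rate limit or a server-side check that the captcha was actually answered before the POST handler touches the database; a User-Agent string alone is trivially changed, so the timing and address spread are the more durable signals.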
Neat trick to pull on people using any form of registration on the network.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.