I found the following string '<?=print(9347655345-4954366);?>' in a blocked request logged by our WAF this morning. This string was contained in the path as well as a number of headers.

GET /?'<?=print(9347655345-4954366)?>'
Host: *******************
User-Agent: Mozilliqa'<?=print(9347655345-4954366);?>'
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: __utmz=456675675.5478566565.2.3.utmcsr=google.com'<?=print(9347655345-4954366);?>'|utmccn=(referral)|utmcmd=referral|utmcct=/root'<?=print(9347655345-4954366);?>'root/83764/
Referer: https://www.google.com/'<?=print(9347655345-4954366);?>'
Reverse-Via: '<?=print(9347655345-4954366);?>'
X-Forwarded-For: '<?=print(9347655345-4954366);?>'
X-Real-IP: '<?=print(9347655345-4954366);?>'
X-Varnish: '<?=print(9347655345-4954366);?>'
Accept-Encoding: gzip

A Google search turns up a few bugs where projects encountered this but nothing about what it is attempting to exploit. I'd like to understand what this is targeting.

asked by Dave Rager, edited by Dmitry Grigoryev

1 Answer

The request was checking if the server has an RCE (Remote Code Execution) vulnerability, by testing if the server could print the result of a mathematical operation.

As the result is never found in the original request, the attacker can just check if the result is found in the response to know that the mathematical operation was correctly performed by the remote server.

Based on the tags surrounding the print function call, it looks like it was targeting the PHP language, but the main test is language-agnostic.

answered by Benoit Esnard

Comments:

  • That's kind of what I thought. However, the numbers are rather specific. Google will return many results regarding that particular string but if I change one of the values I get few or no results. – Dave Rager May 02 '23 at 16:02
  • @DaveRager The numbers were probably chosen randomly in order to reduce false positives (since the result of the calculation would be very unlikely to be found in an ordinary webpage). The Google results look like other sites that were tested in the same way as your server, e.g. there's some results where someone posted that code into a comment form. A likely conclusion is that someone is running an automated scan across millions of sites across the Internet and looking for ones that are vulnerable (rather than targeting you specifically). – NobodyNada May 02 '23 at 23:08
  • @NobodyNada That makes sense. Thanks! – Dave Rager May 03 '23 at 12:08
  • I don't have enough reputation to comment, but @NobodyNada's comment doesn't mention a small point: If these numbers had been randomly generated per call, then the search would have probably turned up nothing. So the post is certainly a probe attack for RCE. The fact that you got anything in your search for those numbers means that some skiddy was knocking on doors rather than a more sophisticated attacker. – Nathan Zook May 03 '23 at 19:01
  • For example the top Google result is this page which is apparently trying to describe every user-agent string (oddly, it doesn't think this one comes from a bot), then a couple of abuse reporting sites, one actual bug (but not an RCE) caused by this string being in X-Forwarded-For, and a few spam pages that somehow harvested and copied this text. – user253751 May 04 '23 at 18:31
  • Searching the result of the math operation is also fun. :) – Benoit Esnard May 04 '23 at 23:59
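The answer explains the probe's logic: the attacker never sends the arithmetic result, so seeing that number in the response is the only way to learn that the server evaluated the expression. The following is an added defender-side example (not code from the question, the answer, or any WAF product) that turns that logic into a log check: it locates every `<?=print(a-b);?>` tag in a logged request, computes the expected result itself with plain integer arithmetic (nothing from the request is ever executed), and reports whether a captured response body contains that result. The sample request is constructed from the one in the question with the Host masked; the two response bodies are constructed, and the header parsing assumes one header per line as in the log above.

```python
"""Detect the PHP short-echo arithmetic probe and tell whether a response
shows the server actually evaluated it (added example, not from the page)."""
import re
from typing import Dict, List, NamedTuple, Set

# Probe as seen in the logged request: <?=print(<int><op><int>);?>
# Only integer literals joined by + or - are accepted, so no request content
# is ever evaluated; anything else simply does not match.
PROBE_RE = re.compile(r"<\?=\s*print\(\s*(\d+)\s*([-+])\s*(\d+)\s*\)\s*;?\s*\?>")


class Probe(NamedTuple):
    location: str    # "request-line" or the header name carrying the probe
    expression: str  # the arithmetic text as it appeared, e.g. "9347655345-4954366"
    expected: int    # what a PHP interpreter would have printed for it


def expected_result(lhs: str, op: str, rhs: str) -> int:
    """Compute the probe's answer ourselves (plain integer arithmetic, no eval)."""
    return int(lhs) - int(rhs) if op == "-" else int(lhs) + int(rhs)


def find_probes(raw_request: str) -> List[Probe]:
    """Scan the request line and every header line for probe tags."""
    probes: List[Probe] = []
    for idx, line in enumerate(raw_request.strip().splitlines()):
        if not line.strip():
            break  # blank line ends the headers; a body is not scanned here
        location = "request-line" if idx == 0 else line.split(":", 1)[0].strip()
        for m in PROBE_RE.finditer(line):
            lhs, op, rhs = m.groups()
            probes.append(Probe(location, f"{lhs}{op}{rhs}", expected_result(lhs, op, rhs)))
    return probes


def probe_locations(probes: List[Probe]) -> Dict[str, int]:
    """Count probes per location; a handy field to attach to the WAF alert."""
    counts: Dict[str, int] = {}
    for p in probes:
        counts[p.location] = counts.get(p.location, 0) + 1
    return counts


def leaked_results(raw_request: str, response_body: str) -> Set[int]:
    """Return probe results that appear in the response but not in the request.

    That is exactly the success signal the answer describes: the number can
    only be in the response if something on the server evaluated the tag.
    An empty set means the server merely echoed (or dropped) the literal text.
    """
    leaked: Set[int] = set()
    for p in find_probes(raw_request):
        token = str(p.expected)
        if token in response_body and token not in raw_request:
            leaked.add(p.expected)
    return leaked


# Constructed sample: the request from the question with the Host masked.
SAMPLE_REQUEST = """GET /?'<?=print(9347655345-4954366)?>'
Host: example.invalid
User-Agent: Mozilliqa'<?=print(9347655345-4954366);?>'
Connection: close
Content-Type: application/x-www-form-urlencoded
Cookie: __utmz=456675675.5478566565.2.3.utmcsr=google.com'<?=print(9347655345-4954366);?>'|utmccn=(referral)|utmcmd=referral|utmcct=/root'<?=print(9347655345-4954366);?>'root/83764/
Referer: https://www.google.com/'<?=print(9347655345-4954366);?>'
Reverse-Via: '<?=print(9347655345-4954366);?>'
X-Forwarded-For: '<?=print(9347655345-4954366);?>'
X-Real-IP: '<?=print(9347655345-4954366);?>'
X-Varnish: '<?=print(9347655345-4954366);?>'
Accept-Encoding: gzip
"""

# Constructed responses: one reflects the tag literally (not vulnerable),
# the other shows the arithmetic was carried out server-side.
SAFE_RESPONSE = "<html><body>Unknown agent: Mozilliqa'<?=print(9347655345-4954366);?>'</body></html>"
EVALUATED_RESPONSE = "<html><body>Unknown agent: Mozilliqa'9342700979'</body></html>"

if __name__ == "__main__":
    found = find_probes(SAMPLE_REQUEST)
    print(f"{len(found)} probe(s) by location: {probe_locations(found)}")
    print("safe response leaked:", leaked_results(SAMPLE_REQUEST, SAFE_RESPONSE))
    print("evaluated response leaked:", leaked_results(SAMPLE_REQUEST, EVALUATED_RESPONSE))
```

Run against WAF logs, `find_probes` gives the alert its evidence (nine tags in this request, two of them in the Cookie header), while `leaked_results` is the part worth automating on any response you did capture: a non-empty set means the server did what the probe asked and the host needs incident handling, not just a blocked-request ticket.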