Would anyone like some free backlinks?
- 27th Apr 2007
- Leave a Comment
- Programming
Steady, Matt. We’re not selling them so it’s okay, right? Actually I won’t even be providing them. It’s all down to the good folks at PHP.
Some of us might remember the Month of PHP Bugs in March, which I have to say passed without great fanfare. I think it’s probably because it made us all look bad so less said about that the better. Anyway I was reviewing today’s server patches (via the magical apticron utility) which reminded me that I should probably review the results of the MOPB. Boy am I glad I did!
Take a look at this little doozy
Basically, it’s an XSS vulnerability in the phpinfo() function which gives unescaped output for all user-submitted arrays in GET, POST and Cookies.
Translation?
Well if anyone has a spare phpinfo() for PHP versions 4.4.3 -> 4.4.6 hanging about, try appending this to its URL:
?f[]=%3Ca%20href%3Dhttp%3A//www.davidnaylor.co.uk/%3EDaveN%20Ownz%20j00%3C/a%3E
Then scroll down to “PHP Variables”. If you have an exploitable version, you should get one, clean, un-condomned backlink. Ain’t that precious? So all you would need to do is to get a bunch of them indexed and you’re happy as Larry. However happy he is.
Now would anyone like 60,600 free backlinks?
PS. For those that don’t get it yet, this post was written by Rob, one of Dave’s programmers. In Vim. Proudly.
46 Comments | Leave a comment »
Haha, gotta love it. How about a couple hundred .edu links ;)
http://www.google.com/search?hl=en&safe=off&q=%22PHP+Version+4.4%22+%22phpinfo%28%29%22+inurl%3A.edu&btnG=Search
Genie mac, that’s beautiful. You’re a bit of an evil genius aren’t you Rob? I wonder if Bronco’s offices are in an underground bunker.
Nah dude, then I wouldn’t be able to come in wearing shorts and sandles! And I’m pretty sure my wireless headphones would get crappy reception on cig breaks.
Doesnt seem to work, tested on a few sites (linking too them of course ;) )
I promise you it works, I’ve tested it on a number of the top ten serps for that query.
Are you sure they’re running on PHP 4.4.3-6? May I have an example of one that doesn’t work?
I would post working examples but Dave’s on a black-hat ban for a while. I can only show you the door…
The links are actually showing as clickable text links and not just an array query showing you Blah in that actual format? (spaces added so it shows)
And you are just adding that line of code onto the end of the phpinfo.php extension for e.g.
Wow, this really works. But how would you go about getting these indexed ? You only get the link if you append the variables, right ?
Nah! Doesn’t work. I tried but then it shows the statement as it is without link :(…
Ya that’s the point - free backlinks for all!
Doesnt matter, the example I posted is not how i posted it, it skipped the gaps and formed that anchor text link. The results Im seeing (prefer no linkage) are just showing the plain text version of the link and not the link itself with just as text, no link
Glen your looking in the wrong spot. Trust me.
Now that it has been posted here, you can bet those links wont affect SERPS in a day or three. I mean, be realistic, how hard is it for google, yahoo, msn to filter /phpinfo/
Very nice find tho Rob.
When you refresh the link disappears.
Does it go anywhere else or is it just temporary?
It works…and all you guys that can’t figure out how to get it in the SEPRS….you don’t belong here ;-)
Good find! Thanks for sharing, Dave!
Woow interesting, are you doing it?
’ve been trying to do this but I can only get a pure text… which doesnt help me out alot. Any hints?
Hmm… Google API to return all the phpinfo pages as XML, format them as links, scrape a load of content from other sites as page padding and a few well placed referral links to get my page hit a few times…
What are the chances of someone being slightly upset about all this? lol
Add to that an array with a selection of keywords, all randomly pieced together and appended to the injected url :D
And don’t limit your backlinks to just an anchor tag either…
Ricardo, follow my exact instructions with http://hosting.iptcom.net/phpinfo.php
Hilarious…
You guys kill me…
I guess the only way to find out is to try it…
Done…
Add a couple of backlinks to each outward link, just specify the array index inside f[]:
?f[0]=%3ca%….&f[1]=%3ca%… etc
Limited to maximum length of querystring (2,083 chars IIRC)
2083 characters in internet explorer, but Googlebot doesn’t run on IE :-)
“doesn’t run on IE”… what kind of insanity is this :P
Good find, Dave. It’s now up to 69,100 backlinks.
Here’s a nice little trick for compiling a list of links with this method. Download SEO for Firefox from tools.seobook.com and do Rob’s suggested search for the phpinfo pages. Download the CSV provided by the SEO for FF extension and delete everything but the urls. Now enter the formula below in cell B1:
=A1&”?f[]=%3Ca%20href%3Dhttp%3A//www.davidnaylor.co.uk/%3EDaveN%20Ownz%20j00%3C/a%3E”
Now copy the formula down and there you have it. A list of urls ready to post to comments, sigs, etc. Thanks again, Rob! :)
Any time mate :-)
Just because Dave’s on a black-hat ban…
Nice find Rob - when’s Dave going to let you out of the cage so you can come along to a LondonSEO or conference? Included your find in a blog post as an XSS example, hope you don’t mind.
Cheers,
Rob
search google for only version 4.4.4, less results but each will work
The only problem I see is that it shows your ip address at _SERVER[”REMOTE_ADDR”]. How can we block that?
One more question. Is this what the actual url would look like with all of the percent (%) symbols and things? Those type of url’s would be difficult to get indexed wouldn’t they?
What? The $_SERVER[’REMOTE_ADDR’] only shows the IP of the computer accessing the page - for indexing purposes that’s the spider’s IP only.
As for the percentage signs: No, that’s just how you need to encode query string parameters. Look up URL encoding.
Unfortunately mate I reckon you have too great a lack of understanding of the Internet and HTTP to really exploit this one properly.
Not that exploiting it is going to do anyone any good though.
as above.
“Does it go anywhere else or is it just temporary?”
It doesn’t matter. There’s no way the url will ever get indexed.
Sure it will - just link to it :-)
I really don’t see where the confusion lies. I played around with this and came up with a very simple 1 page php script that pulls all of the php 4.4.4 results, paginates them into 20 or so pages (only the first 200 results) and every one has a random bit of text for the actual link to the php page (and this link has whatever link I want appended to the phpinfo.php pages) as well as some random content under the links. Every vestige of google has been stripped out returning only the links to the php pages. It was very simple and if I decided to try it, I’m guessing highly effective.
Yeah if you want to get your site banned dude :-)
Yeah my first thought was it would be a good way to get someone elses site banned (someone you didn’t like). You could very easily fill the internet with illigetimate link backs for any site you want. 60k is a formidable number.
But my stance is this, I, for painfully obvious reasons, wouldn’t use this, but its very very easy to implement. I doubt the writer of this blog would use it either. But you know what they say, knowledge is power. :) Cheers.
Everything is ok but how google would find these links if they are not indexed?
Anyway you have to put it somewhere so what’s the difference between using these links instead your site url?
Google finds the links if you link to them. Linking to anything that returns a 200 status line is like creating out of thin air. Remember this.
The point is that you don’t need to put it anywhere, there’s thousands of them out there.
google has been stripped out returning only the links to the php pages
great one but i like geting backlinks the old fashioned way
Great way to get backlinks,thanks.
You could also go to http://www.lamelime.com and submit a thred with your link in it, your allowed to do that there
how do i get education back links phillip