Steady, Matt. We’re not selling them so it’s okay, right? Actually I won’t even be providing them. It’s all down to the good folks at PHP.
Some of us might remember the Month of PHP Bugs in March, which I have to say passed without great fanfare. I think it’s probably because it made us all look bad so less said about that the better. Anyway I was reviewing today’s server patches (via the magical apticron utility) which reminded me that I should probably review the results of the MOPB. Boy am I glad I did!
Take a look at this little doozy
Basically, it’s an XSS vulnerability in the phpinfo() function which gives unescaped output for all user-submitted arrays in GET, POST and Cookies.
Translation?
Well if anyone has a spare phpinfo() for PHP versions 4.4.3 -> 4.4.6 hanging about, try appending this to its URL:
?f[]=%3Ca%20href%3Dhttp%3A//www.davidnaylor.co.uk/%3EDaveN%20Ownz%20j00%3C/a%3E
Then scroll down to “PHP Variables”. If you have an exploitable version, you should get one, clean, un-condomned backlink. Ain’t that precious? So all you would need to do is to get a bunch of them indexed and you’re happy as Larry. However happy he is.
Now would anyone like 60,600 free backlinks?
PS. For those that don’t get it yet, this post was written by Rob, one of Dave’s programmers. In Vim. Proudly.
47 Comments
-
1
27th April 2007 @ 16:04
-
2
Genie mac, that’s beautiful. You’re a bit of an evil genius aren’t you Rob? I wonder if Bronco’s offices are in an underground bunker.
27th April 2007 @ 16:07
-
3
Nah dude, then I wouldn’t be able to come in wearing shorts and sandles! And I’m pretty sure my wireless headphones would get crappy reception on cig breaks.
27th April 2007 @ 16:22
-
4
Doesnt seem to work, tested on a few sites (linking too them of course
)27th April 2007 @ 17:16
-
5
I promise you it works, I’ve tested it on a number of the top ten serps for that query.
Are you sure they’re running on PHP 4.4.3-6? May I have an example of one that doesn’t work?
I would post working examples but Dave’s on a black-hat ban for a while. I can only show you the door…
27th April 2007 @ 17:24
-
6
The links are actually showing as clickable text links and not just an array query showing you Blah in that actual format? (spaces added so it shows)
And you are just adding that line of code onto the end of the phpinfo.php extension for e.g.
27th April 2007 @ 17:39
-
7
Wow, this really works. But how would you go about getting these indexed ? You only get the link if you append the variables, right ?
27th April 2007 @ 20:15
-
8
Nah! Doesn’t work. I tried but then it shows the statement as it is without link :(…
27th April 2007 @ 21:05
-
9
Ya that’s the point - free backlinks for all!
28th April 2007 @ 00:47
-
10
Doesnt matter, the example I posted is not how i posted it, it skipped the gaps and formed that anchor text link. The results Im seeing (prefer no linkage) are just showing the plain text version of the link and not the link itself with just as text, no link
28th April 2007 @ 01:00
-
11
Glen your looking in the wrong spot. Trust me.
28th April 2007 @ 06:35
-
12
Now that it has been posted here, you can bet those links wont affect SERPS in a day or three. I mean, be realistic, how hard is it for google, yahoo, msn to filter /phpinfo/
Very nice find tho Rob.
28th April 2007 @ 06:49
-
13
When you refresh the link disappears.
Does it go anywhere else or is it just temporary?28th April 2007 @ 17:00
-
14
It works…and all you guys that can’t figure out how to get it in the SEPRS….you don’t belong here
29th April 2007 @ 11:58
-
15
Good find! Thanks for sharing, Dave!
29th April 2007 @ 20:12
-
16
Woow interesting, are you doing it?
29th April 2007 @ 21:28
-
17
’ve been trying to do this but I can only get a pure text… which doesnt help me out alot. Any hints?
30th April 2007 @ 10:20
-
18
Hmm… Google API to return all the phpinfo pages as XML, format them as links, scrape a load of content from other sites as page padding and a few well placed referral links to get my page hit a few times…
What are the chances of someone being slightly upset about all this? lol
30th April 2007 @ 14:03
-
19
Add to that an array with a selection of keywords, all randomly pieced together and appended to the injected url
30th April 2007 @ 14:07
-
20
And don’t limit your backlinks to just an anchor tag either…
30th April 2007 @ 14:21
-
21
Ricardo, follow my exact instructions with http://hosting.iptcom.net/phpinfo.php
30th April 2007 @ 14:26
-
22
Hilarious…
You guys kill me…
I guess the only way to find out is to try it…Done…
30th April 2007 @ 14:49
-
23
Add a couple of backlinks to each outward link, just specify the array index inside f[]:
?f[0]=%3ca%….&f[1]=%3ca%… etc
Limited to maximum length of querystring (2,083 chars IIRC)
30th April 2007 @ 15:18
-
24
2083 characters in internet explorer, but Googlebot doesn’t run on IE
30th April 2007 @ 15:22
-
25
“doesn’t run on IE”… what kind of insanity is this
30th April 2007 @ 15:34
-
26
Good find, Dave. It’s now up to 69,100 backlinks.
30th April 2007 @ 23:29
-
27
Here’s a nice little trick for compiling a list of links with this method. Download SEO for Firefox from tools.seobook.com and do Rob’s suggested search for the phpinfo pages. Download the CSV provided by the SEO for FF extension and delete everything but the urls. Now enter the formula below in cell B1:
=A1&”?f[]=%3Ca%20href%3Dhttp%3A//www.davidnaylor.co.uk/%3EDaveN%20Ownz%20j00%3C/a%3E”
Now copy the formula down and there you have it. A list of urls ready to post to comments, sigs, etc. Thanks again, Rob!
3rd May 2007 @ 19:06
-
28
Any time mate

Just because Dave’s on a black-hat ban…4th May 2007 @ 10:37
-
29
Nice find Rob - when’s Dave going to let you out of the cage so you can come along to a LondonSEO or conference? Included your find in a blog post as an XSS example, hope you don’t mind.
Cheers,
Rob
8th May 2007 @ 09:46
-
30
search google for only version 4.4.4, less results but each will work
11th May 2007 @ 20:22
-
31
The only problem I see is that it shows your ip address at _SERVER["REMOTE_ADDR"]. How can we block that?
14th May 2007 @ 03:49
-
32
One more question. Is this what the actual url would look like with all of the percent (%) symbols and things? Those type of url’s would be difficult to get indexed wouldn’t they?
14th May 2007 @ 03:57
-
33
What? The $_SERVER['REMOTE_ADDR'] only shows the IP of the computer accessing the page - for indexing purposes that’s the spider’s IP only.
As for the percentage signs: No, that’s just how you need to encode query string parameters. Look up URL encoding.
Unfortunately mate I reckon you have too great a lack of understanding of the Internet and HTTP to really exploit this one properly.
Not that exploiting it is going to do anyone any good though.
14th May 2007 @ 10:40
-
34
as above.
“Does it go anywhere else or is it just temporary?”25th May 2007 @ 14:59
-
35
It doesn’t matter. There’s no way the url will ever get indexed.
25th May 2007 @ 21:19
-
36
Sure it will - just link to it
26th May 2007 @ 02:18
-
37
I really don’t see where the confusion lies. I played around with this and came up with a very simple 1 page php script that pulls all of the php 4.4.4 results, paginates them into 20 or so pages (only the first 200 results) and every one has a random bit of text for the actual link to the php page (and this link has whatever link I want appended to the phpinfo.php pages) as well as some random content under the links. Every vestige of google has been stripped out returning only the links to the php pages. It was very simple and if I decided to try it, I’m guessing highly effective.
31st May 2007 @ 15:57
-
38
I’m guessing highly effective
Yeah if you want to get your site banned dude
31st May 2007 @ 16:35
-
39
Yeah my first thought was it would be a good way to get someone elses site banned (someone you didn’t like). You could very easily fill the internet with illigetimate link backs for any site you want. 60k is a formidable number.
But my stance is this, I, for painfully obvious reasons, wouldn’t use this, but its very very easy to implement. I doubt the writer of this blog would use it either. But you know what they say, knowledge is power.
Cheers.31st May 2007 @ 20:33
-
40
Everything is ok but how google would find these links if they are not indexed?
Anyway you have to put it somewhere so what’s the difference between using these links instead your site url?19th June 2007 @ 10:54
-
41
Google finds the links if you link to them. Linking to anything that returns a 200 status line is like creating out of thin air. Remember this.
The point is that you don’t need to put it anywhere, there’s thousands of them out there.
19th June 2007 @ 17:18
-
42
google has been stripped out returning only the links to the php pages
19th July 2007 @ 21:21
-
43
great one but i like geting backlinks the old fashioned way
12th December 2007 @ 10:57
-
44
Great way to get backlinks,thanks.
15th December 2007 @ 14:07
-
45
You could also go to http://www.lamelime.com and submit a thred with your link in it, your allowed to do that there
10th February 2008 @ 00:02
-
46
how do i get education back links phillip
20th May 2008 @ 13:37
-
47
I cannot get this to work, but here is my link at any rate, maybe it will generate 1 or 2 back links…
http://www.webupon.com/Social-Networks/Discovering-Moonbeams.6854855th May 2009 @ 16:46



Haha, gotta love it. How about a couple hundred .edu links
http://www.google.com/search?hl=en&safe=off&q=%22PHP+Version+4.4%22+%22phpinfo%28%29%22+inurl%3A.edu&btnG=Search