Full-xploiting PHP Nuke

From: RoMaN SoFt / LLFB (romanat_private)
Date: Wed Oct 03 2001 - 07:40:31 PDT

Hi.

This post is related to Francisco Burzi's PHP Nuke (bugtraq id 3361):
http://www.twlc.net/article.php?sid=421
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3361

The discussed bug is *very* serious. I will try to demonstrate it ;-)

In the former advisory by twlc it is described how to use the admin.php
script's bug for copying _existing_ files *inside* the remote machine,
but NOT how to upload files. The first exploit is described in the
advisory. The second one is described here and is attached as
"phpnuker.html" :-). It permits uploading arbitrary files to the
victim server, usually as the "apache" user (depending on the webserver's
configuration). Have a look at the code to adjust some parameters:
server name/IP and remote directory.

I've also created two other "scripts" (well, the last one is really an
HTML form): rs.php and cmd.html. Using both files you can execute
commands on the victim server (usually as the "apache" user). You have to
upload "rs.php" to the victim webserver and then use the "cmd.html" form
to send the commands to the server.

All the scripts are intuitive, so have a look at the code and change
parameters like "victim server name" and "remote directory" (this is
the directory where files will be uploaded to). Don't forget to change
these values.

As you can execute commands on the server, you can try to exploit some
local bug and gain r00t privileges. This is tedious 'cause you
haven't got an interactive shell, but it's terribly possible. I got to
r00t a RedHat 7.1 Linux box with Apache 1.3.20 (running as the "apache"
user) and with all ports closed except 80 (of course) using this
technique.

Kind regards ;-)

RoMaNSoFt @ irc.irc-hispano.org
romanat_private
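The post relies on two conditions on the victim host: a directory under the web root that the "apache" user can write into, and a PHP file dropped there that relays request parameters to a shell. The audit script below is an added example for administrators checking their own PHP Nuke installation; it is not code from the post or from the PHP Nuke project. The attached phpnuker.html and rs.php are not on the page, so the "relay script" indicator is a constructed, generic heuristic (a shell-execution call in the same file as request input), and the sample document root it builds in a temporary directory is likewise constructed for the demonstration. The uid/gid arguments model the web server identity; passing -1 represents a user who owns nothing in the tree, so only group/other permission bits count.

```python
"""Audit a PHP document root for the two conditions the post above relies on:
a directory writable by the web server identity, and a PHP file that passes
request input to a shell function."""
import os
import re
import stat
import tempfile

# Generic indicators of a PHP command relay. Constructed heuristic; the
# rs.php mentioned in the post is not on the page and is not reproduced here.
SHELL_CALL = re.compile(r"\b(system|passthru|exec|shell_exec|popen|proc_open)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b|\$HTTP_(GET|POST)_VARS\b")


def writable_by(st, uid, gid):
    """True if a file with stat result `st` is writable by identity (uid, gid)."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def web_writable_dirs(docroot, uid, gid):
    """Directories under docroot (relative paths) the web server identity could drop a file into."""
    found = []
    for dirpath, _, _ in os.walk(docroot):
        if writable_by(os.lstat(dirpath), uid, gid):
            found.append(os.path.relpath(dirpath, docroot))
    return sorted(found)


def suspicious_php(docroot):
    """PHP files (relative paths) whose source both reads request input and calls a shell function."""
    hits = []
    for dirpath, _, filenames in os.walk(docroot):
        for name in filenames:
            if not name.lower().endswith((".php", ".php3", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            if SHELL_CALL.search(src) and REQUEST_INPUT.search(src):
                hits.append(os.path.relpath(path, docroot))
    return sorted(hits)


def build_sample_docroot():
    """Constructed sample tree: a locked-down root plus a world-writable
    'images' directory holding a relay script. Returns the root path."""
    root = tempfile.mkdtemp(prefix="nukeaudit_")
    os.chmod(root, 0o755)
    images = os.path.join(root, "images")
    os.mkdir(images)
    os.chmod(images, 0o777)  # the misconfiguration: anyone, including apache, may write here
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(images, "rs.php"), "w") as fh:
        # constructed relay-style file used only to exercise the detector
        fh.write("<?php system($_GET['c']); ?>\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    print("web-writable dirs:", web_writable_dirs(root, -1, -1))   # ['images']
    print("suspicious php:", suspicious_php(root))                 # ['images/rs.php']
```

On a real installation, run it against the document root with the uid and gid the httpd worker processes use (from `ps` or the server configuration) instead of -1. A clean result is an empty list for both: the web server user should not be able to write anywhere PHP is executed from, which removes the upload step the post depends on regardless of the admin.php bug itself.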