From:	 RoMaN SoFt / LLFB <roman@madrid.com>
To:	 bugtraq@securityfocus.com
Subject: Full-xploiting PHP Nuke
Date:	 Wed, 03 Oct 2001 16:40:31 +0200


 Hi.

 This post is related to Francisco Burzi's PHP Nuke (bugtraq id 3361):
http://www.twlc.net/article.php?sid=421
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3361

 The discussed bug is *very* serious. I will try to demonstrate it ;-)

 The former advisory by twlc describes how to use the admin.php
script's bug for copying _existing_ files *inside* the remote machine,
but NOT how to upload files. The first exploit is described in the
advisory. The second one is described here and is attached as
"phpnuker.html" :-). It permits uploading arbitrary files to the
victim server, usually as the "apache" user (depending on the
webserver's configuration). Have a look at the code to adjust some
parameters: servername/ip and remote directory.

 I've also created two other "scripts" (well, the last one is really an
html form): rs.php and cmd.html. Using both files you can execute
commands on the victim server (usually as the "apache" user). You have
to upload "rs.php" to the victim webserver and then use the "cmd.html"
form to send the commands to the server.

 All the scripts are intuitive, so have a look at the code and change
parameters like "victim server name" and "remote directory" (this is
the directory where files will be uploaded to). Don't forget to change
these values.

 As you can execute commands on the server, you can try to exploit some
local bug and gain r00t privileges. This is tedious 'cause you
haven't got an interactive shell, but it's terribly possible. I got to
r00t a RedHat 7.1 Linux box with Apache 1.3.20 (running as "apache"
user) and with all ports closed except 80 (of course) using this
technique.

 Kind regards ;-)

 RoMaNSoFt @ irc.irc-hispano.org
 roman@deathsdoor.com
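Added defensive example (not part of the original post, the attachments, or PHP-Nuke itself): the sequence the post describes on the attacker side, a POST to the vulnerable admin.php that drops a file, followed by requests to a freshly uploaded PHP script, is visible in the webserver's access log. The script below scans Apache combined-format log lines for requests to PHP files that are not in the deployed baseline and marks those where the same client had already POSTed to admin.php. The log lines, the baseline file list and the `/images/rs.php` location are constructed for the example; only admin.php and the fact that the dropped file is a PHP script come from the post.

```python
import re
from collections import defaultdict

# Apache common/combined log format (the query string is split off below so
# that paths can be compared against the baseline).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): one ordinary visitor (10.0.0.5),
# one client that POSTs to admin.php and then hits a PHP file that was never
# deployed (10.0.0.9), and one client probing for a file that does not exist.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2001:16:40:31 +0200] "GET /index.php HTTP/1.0" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [03/Oct/2001:16:41:02 +0200] "POST /admin.php HTTP/1.0" 200 314 "-" "Mozilla/4.0"
10.0.0.9 - - [03/Oct/2001:16:41:15 +0200] "GET /images/rs.php HTTP/1.0" 200 87 "-" "Mozilla/4.0"
10.0.0.5 - - [03/Oct/2001:16:42:00 +0200] "GET /modules.php?name=News HTTP/1.0" 200 4096 "-" "Mozilla/4.0"
10.0.0.7 - - [03/Oct/2001:16:42:10 +0200] "GET /shell.php HTTP/1.0" 404 290 "-" "Mozilla/4.0"
10.0.0.9 - - [03/Oct/2001:16:42:30 +0200] "POST /images/rs.php HTTP/1.0" 200 120 "-" "Mozilla/4.0"
"""

# Constructed baseline: the PHP files the site is known to ship with. In
# practice this comes from a listing of the docroot taken at deployment time.
BASELINE = {"/index.php", "/admin.php", "/modules.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not
    match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_suspect_php(log_text, baseline, upload_script="/admin.php"):
    """Return (ip, path, after_upload_post) for every successful request to a
    PHP file outside the baseline. after_upload_post is True when the same
    client had already POSTed to the upload-capable script, which is the
    order of events a dropped PHP script would produce."""
    posted_to_upload = defaultdict(bool)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if path == upload_script and rec["method"] == "POST":
            posted_to_upload[ip] = True
            continue
        # A 404 for an unknown .php is just probing noise; a 2xx/3xx means the
        # file really exists in the docroot and was not part of the deployment.
        if path.lower().endswith(".php") and path not in baseline and rec["status"] < 400:
            findings.append((ip, path, posted_to_upload[ip]))
    return findings


if __name__ == "__main__":
    for ip, path, flagged in find_suspect_php(SAMPLE_LOG, BASELINE):
        tag = "after POST to admin.php" if flagged else "no upload context"
        print(f"{ip} requested unknown PHP file {path} ({tag})")
```

The log check is a starting point; the stronger check follows from the post's own observation that uploads land as the "apache" user: a PHP file in the docroot owned by the webserver account rather than by whoever deployed the site is itself worth investigating, independent of what the log shows.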