what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jan 8, 2002
Authored by securiteam | Site securiteam.com

NT PHP.exe remote exploit. Allows any file on the webserver to be read.

tags | exploit, remote, php
SHA-256 | c70fec2805964960bbe0e6b210553f178550aa358ea04a158de1e717aa0fec37


Change Mirror Download
        <TD colspan="2" align="left" bgColor="navy">&nbsp;<FONT color=white><B style="FONT-SIZE: 12pt">Summary</B></FONT></TD>
<TD colspan="2" style="FONT-SIZE: 11pt">As advised in the installation text that comes with all versions of PHP, when installing PHP.EXE for use on a windows machine installed with Apache, the user should insert a few lines of code into the Apache "httpd.conf". These exact lines are shown here:<br>

&nbsp;&nbsp;&nbsp;ScriptAlias /php/ "c:/php/"<br>
&nbsp;&nbsp;&nbsp;AddType application/x-httpd-php .php<br>
&nbsp;&nbsp;&nbsp;Action application/x-httpd-php "/php/php.exe"<br>

A security vulnerability arises when placing the ScriptAlias line above. This line effectively maps the alias /php/ to your web document root such that typing "http://www.example.com/php/" will actually try to access in this case "c:\php\". Please note that the last "/" on the end of the URL has to exist for this to work ("http://www.example.com/php" will not work). At this point your server will respond with "Access Denied", however if you now specify the URL "http://www.example.com/php/php.exe" , you will see the error "No input file specified". This error is actually returned by php.exe, which you have just executed on the server.<br>

There are many exploits that can happen with this setup (some very serious, which could be used to gain root access).<br>
<TD colspan="2" align="left" bgColor="navy">&nbsp;<FONT color="white"><B style="FONT-SIZE: 12pt">Details</B></FONT></TD>
<TD colspan="2" style="FONT-SIZE: 11pt"><B>Exploit 1:</B> <br>
It is possible to read <b>any</b> file remotely on the server, even across drives with the following URL construct:<br>
PHP.EXE will parse the sam file "c:\winnt\repair\sam" and return it to the browser for download (this is the Windows NT password file).<br>
PHP.EXE will return the same file on the D: drive.<br>
The above SAM file can then be used to decrypt all the Account Passwords for the Server.<br>
<B>Exploit 2:</B> <br>
If you specify a file that exists in the php directory (different files exist depending on the version of PHP), the web server will try to execute this file and will throw back an error reporting the install directory of php. So in PHP4, for example, you would specify the following line:<br>
The error returned by the web server would be: " couldn't create child process: 22693: C:/php/php4ts.dll " showing the install path of PHP.<br>
<TD colspan="2" align=left bgColor=navy>&nbsp;<FONT color=white><B style="FONT-SIZE: 12pt">Additional information</B></FONT></TD>
<TD colspan="2" style="FONT-SIZE: 11pt">The information has been provided by <A HREF="mailto:brereton_paul at btopenworld.com">Paul Brereton</A>.
<TD COLSPAN="3">&nbsp;</TD>
<TD COLSPAN="3" width="1" height="1" bgcolor="orange"><img src="http://www.securiteam.com/space.gif" height=1 border="0" width=1 alt=&"nbsp;"></TD>
<td COLSPAN="3">
<div align="center">
<font color="gray" style="FONT-SIZE: 8pt">
Copyright © 1998-2001 <a href="http://www.beyondsecurity.com/info.html" style="COLOR: gray; FONT-SIZE: 7pt">Beyond Security
Ltd.</a> All rights reserved.<br>
<a href="http://www.beyondsecurity.com/legal.html" style="COLOR: gray; FONT-SIZE: 7pt">Terms of Use</a> <a href="http://www.beyondsecurity.com/privacy.html" style="COLOR: gray; FONT-SIZE: 7pt">Site Privacy Statement</a>.<br><br>
Login or Register to add favorites

File Archive:

March 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    13 Files
  • 3
    Mar 3rd
    15 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    16 Files
  • 7
    Mar 7th
    31 Files
  • 8
    Mar 8th
    16 Files
  • 9
    Mar 9th
    13 Files
  • 10
    Mar 10th
    9 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    10 Files
  • 14
    Mar 14th
    6 Files
  • 15
    Mar 15th
    17 Files
  • 16
    Mar 16th
    22 Files
  • 17
    Mar 17th
    13 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    16 Files
  • 21
    Mar 21st
    13 Files
  • 22
    Mar 22nd
    5 Files
  • 23
    Mar 23rd
    6 Files
  • 24
    Mar 24th
    47 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    50 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    7 Files
  • 30
    Mar 30th
    31 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By