[Info-vax] Using VMS for a web server
Jan-Erik Soderholm
jan-erik.soderholm at telia.com
Wed Jun 10 11:17:02 EDT 2015
Bill Gunshannon wrote on 2015-06-10 14:21:
> In article <ml80jl$cg1$1 at dont-email.me>,
> Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> writes:
>> On 2015-06-09, Jan-Erik Soderholm <jan-erik.soderholm at telia.com> wrote:
>>>
>>> OK. That needs a script called wawalo.php already being on the server
>>> in a directory where the server can execute it. The exploit is really
>>> to be able to upload the wawalo.php file in the first place.
>>>
>>
>> Actually what I read it as was that a PHP script installed for a
>> legitimate purpose on the server (as part of, say, a PHP application)
>> had a vulnerability which allowed attacker controlled commands to
>> be executed.
>
> I have seen no limitation on what script was used. I feel fairly
> certain that the professors who wrote some of them (including one
> with lots of experience both writing and teaching PHP Web Scripting)
> aren't putting backdoors in their scripts. Now, the WordPress stuff
> is more problematic. Students grab this stuff off the web and just
> install it so they can have "A Blog". I would never trust it. But,
> as I said (and demonstrated) it really doesn't seem to matter what
> script is being called. Thus, I suspect this is a behaviour of the
> interpreter.
>
Hm, sure? I think the PHP script must have specific code to run the
URL parameter either as an external command or as PHP code.
That is, in the example, wawalo.php must have a system() or eval()
command that takes the URL variable as the parameter.
See sections 8 "Remote Command Execution" and 9 "Remote Code Execution"
on this page: https://www.exploit-db.com/papers/12871/.
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
http://127.0.0.1/test.php?cmd=whoami
That will execute "whoami" on the server and return the result.
Or:
<?php
$code=$_GET['code'];
eval($code);
?>
http://127.0.0.1/test.php?code=phpinfo();
And that will execute the PHP function phpinfo().
If you allow random code to be executed like that, well... :-)
Any language having a call to run OS commands can do that.
>
> Except that it appears to work with any random PHP script.
Really?
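
Added example (not part of the original post or thread): a heuristic Python check for the condition described above, a PHP script that passes a request parameter to system() or eval(), usable when auditing the scripts in a web root. The function names, the sink list and the sample scripts are assumptions constructed for this illustration.

```python
import re

# Heuristic, line-based check (not a PHP parser; sanitizers are not recognized).
SINKS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "eval")
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
VAR = re.compile(r"\$\w+")
ASSIGN = re.compile(r"(\$\w+)\s*(\.?=)(?![=>])\s*([^;]*);")
# The lookbehind skips method calls such as $pdo->exec() and names like my_system().
CALL = re.compile(r"(?<![\w>:$])(%s)\s*\(([^;]*)\)\s*;" % "|".join(SINKS), re.I)


def is_tainted(expr, tainted):
    """True if expr reads a request superglobal or a variable derived from one."""
    return bool(SOURCE.search(expr)) or any(v in tainted for v in VAR.findall(expr))


def find_tainted_sinks(php_source):
    """Return [(line_no, sink, argument)] for sink calls fed by request data."""
    tainted, findings = set(), []
    for line_no, line in enumerate(php_source.splitlines(), 1):
        for m in CALL.finditer(line):
            if is_tainted(m.group(2), tainted):
                findings.append((line_no, m.group(1).lower(), m.group(2).strip()))
        for m in ASSIGN.finditer(line):
            name, op, rhs = m.groups()
            if is_tainted(rhs, tainted):
                tainted.add(name)
            elif op == "=":  # plain reassignment from clean data clears the taint
                tainted.discard(name)
    return findings


# Constructed samples: the two scripts from the post plus a benign script.
POST_CMD = """<?php
$cmd=$_GET['cmd'];
system($cmd);
?>"""
POST_CODE = """<?php
$code=$_GET['code'];
eval($code);
?>"""
BENIGN = """<?php
$name = $_GET['name'];
echo htmlspecialchars($name);
system('uptime');
?>"""

if __name__ == "__main__":
    for label, src in (("cmd", POST_CMD), ("code", POST_CODE), ("benign", BENIGN)):
        print(label, find_tainted_sinks(src))
```

The benign sample reads a URL parameter and calls system() with a constant, and is not flagged; only scripts where the parameter reaches the sink are reported.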