This vulnerability was published in packetstorm. I translated it into Chinese and added some comments of my own. I hope it will be helpful to friends who run
PHP on NT.
After you download PHP, the installation file contained in it helps to install PHP on NT + Apache Web Server
. The installation help will ask you to add the following lines of settings Go to apache's httpd.conf settings file, and this installation file will guide you to open your system portal.
These lines of commands are:
ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x- httpd-php "/php/php.exe"
We further explain these three lines of settings. These setting commands require Apache to map the /php/ virtual directory directly to the c:/php/
directory. , so when you use:
"http://www.example.com/php/"
to link to a web page, the Web Server actually accesses c:/ directly. php/ directory, then you will see the error message "Access Denied"
, but when you use:
"http://www.example.com/php/php.exe When you use the "
command to connect, you will find that the server sends back the line "No input file specified.". This line is sent back by php.exe
, indicating that you have just connected. The php executable file is executed on this server.
If your server is set up using the installation method taught to you in php, you may have the following crisis at this time.
[** Vulnerability 1 **]
We can use this vulnerability to read any file on this server, even across disks, as long as we use the following method to connect:
"http://www.example.com/php/php.exe?c:winntrepairsam"
PHP will throw the file "c:winntrepairsam" to the browser and send it is displayed, and this file is where Windows NT
saves passwords,
"http://www.example.com/php/php.exe?d:winntrepairsam"
PHP will transfer the same files in the D: disk.
With this SAM file, hackers can use it to crack the password you set on this machine.
[** Vulnerability 2 **]
If you specify a file in the php directory, your web server will try to execute the file and pass an error message, so when you
Used:
"http://www.example.com/php/php4ts.dll"
This error will cause the Web Server to return "couldn<|>t create child process: 22693: C:/php/php4ts.dll"
This information, thus leaking the real directory where you installed PHP
PS. After my testing, the second vulnerability is in PHP V4 When executed on .11, an "Internal Server Error" error will be returned.
does not leak the directory structure, but in PHP V4.11, the first vulnerability is still valid.
Simple solution: Use a long and difficult-to-determine virtual directory to place the PHP executable file, such as:
ScriptAlias /php-mY-sCrIpT/ "c:/php411/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php-mY-sCrIpT/php.exe"
This way it will be difficult for intruders to know where PHP is stored directory, thereby reducing the chance of being hacked.
Remember to restart Apache Service after changing httpd.conf∶
NET STOP APACHE
NET START APACHE
[END]