-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 18 Oct 2001 otanerat_private wrote:

> I'm doing a pen test and I found a perl script, which seems to be
> vulnerable. If I do a get, for example:
>
> GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00
>
> I can see the content of the passwd file. But when I try to execute a
> command, for example:
>
> GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00
>
> I get this garbage and some interesting stuff:

It's not executing the command; the binary itself is being dumped (just like if you did a 'cat /bin/id' on the command line). Try encapsulating the last part as `/bin/id`. That should get you the desired results.

> I'm not sure but I think the %00 is the problem and without %00, I get
> no results. Does anybody know how I can execute my commands? I tried ;
> and ¦, but nothing happened. I'm not able to see the source of the perl
> file.

To see the contents of the PERL file, try something like:

  /cgi-bin/whatever.pl?variable1=test%00&variable2=./whatever.pl%00

If that doesn't work, try standard Apache locations like:

  /var/lib/apache/cgi-bin/whatever.pl
  /usr/local/apache/cgi-bin/whatever.pl
  /usr/local/bin/apache/cgi-bin/whatever.pl

...and so on. If none of that pans out, just try passing a find or locate command through variable2. You're bound to hit paydirt thataway.

- -Jay

  "There's always time for a good cup of coffee."
  Jay D. Dyson - jdysonat_private
  Peace without justice is life without living.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
iQCVAwUBO88PzblDRyqRQ2a9AQH/awQAnlHQFzWyN6NvutvxihGEBFCwynuTskTY
prW19RtauFxgYarxTfDpbFi8zKcX3k9b+OjLXADDZDFUFXDA1ege9UWBCFDBwtl1
rn95LtTPvzyXCnskeKMeKCAXQZlfJyLeUySvURVxVegbuDJxSmCsDA4UfeE3eDjJ
Q4JLIbCe0Zw=
=LJcu
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 12:53:27 PDT
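The requests quoted in this thread rely on two things: a `../` sequence that walks out of the intended directory, and a trailing `%00` that, once decoded, is a NUL byte. Perl hands file names to the C library's open(), which treats the string as NUL-terminated, so anything the script appends after the user's value (a fixed extension, for instance) is silently dropped; that is why the poster saw nothing without the `%00`. The following is an added example written for this archive page, not code from the thread or from the affected script. It shows, in Python, the validation a corrected CGI handler would perform on the parameter before opening anything, and a small check for the same request pattern in access logs. The `.txt` extension, the `/srv/cgi-data` base directory and the log line are assumptions constructed for the example.

```python
import os
from urllib.parse import unquote_to_bytes

# Hypothetical extension the CGI appends to the requested name before
# opening it.  The "%00" trick in the thread defeats exactly this pattern
# when the name is passed unchecked to a C-string based open().
ALLOWED_EXT = ".txt"

# Patterns worth alerting on in web server access logs.
SUSPICIOUS = (
    ("%00", "null byte in query"),
    ("../", "directory traversal"),
    ("..%2f", "encoded directory traversal"),
    ("%2e%2e", "encoded directory traversal"),
)


class RejectedPath(ValueError):
    """Raised when a user-supplied file name fails validation."""


def resolve_safe(base_dir, raw_param):
    """Map a URL-encoded CGI parameter onto a file under base_dir, or raise.

    Order matters: decode, reject NUL, reject separators, append the
    extension, then canonicalize and confine the result to base_dir.
    """
    # Decode to bytes so an encoded %00 becomes a real NUL we can see.
    decoded = unquote_to_bytes(raw_param)
    if b"\x00" in decoded:
        raise RejectedPath("null byte in parameter")
    try:
        name = decoded.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedPath("parameter is not valid UTF-8") from None
    # Only a plain file name is acceptable: no separators, no dot prefix.
    if not name or "/" in name or "\\" in name or name.startswith("."):
        raise RejectedPath("path separators or dot-prefixed name")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, name + ALLOWED_EXT))
    # realpath follows symlinks, so this also catches a link inside
    # base_dir that points somewhere else on the filesystem.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise RejectedPath("resolved path escapes base directory")
    return candidate


def classify(base_dir, raw_param):
    """Return 'ok' or 'rejected: <reason>' for one parameter value."""
    try:
        resolve_safe(base_dir, raw_param)
        return "ok"
    except RejectedPath as exc:
        return f"rejected: {exc}"


def flag_request(request_line):
    """Return the distinct suspicious-pattern labels found in a log line."""
    lowered = request_line.lower()
    found = []
    for needle, label in SUSPICIOUS:
        if needle in lowered and label not in found:
            found.append(label)
    return found


if __name__ == "__main__":
    # Constructed inputs: the two parameter values quoted in the thread,
    # a bare null byte, and a benign name.
    samples = [
        "../../../../../../etc/passwd%00",
        "../../../../../../bin/id%00",
        "test%00",
        "report",
    ]
    for s in samples:
        print(f"{s!r:40} -> {classify('/srv/cgi-data', s)}")

    # Constructed access-log line (combined log format) carrying the
    # request from the thread.
    log = ('10.0.0.5 - - [18/Oct/2001:12:00:00 -0700] "GET /cgi-bin/whatever.pl'
           '?variable1=test%00&variable2=../../../../../../etc/passwd%00 HTTP/1.0" 200 1407')
    print(flag_request(log))
```

The validation deliberately refuses the parameter rather than trying to strip the offending characters: a NUL or a separator in a file-name parameter has no legitimate use, and rejecting it keeps the appended extension meaningful. The log check is a coarse first pass for a web server that still runs scripts of this vintage; the encoded variants are included because a literal `../` is not the only spelling an intrusion detection rule needs to match.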