Re: vulnerable perl script?

From: Ryan Permeh (ryanat_private)
Date: Thu Oct 18 2001 - 18:57:47 PDT


    you may also be able to do it via a pipe(|) char in there somewhere.  this
    is likely the byproduct of an open command, and pipes can be used to get
    input from a program's output.  it depends on the cleaning of input and all,
    but it might work.
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer
    http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
    
    ----- Original Message -----
    From: "Jay D. Dyson" <jdysonat_private>
    To: "Penetration Testers" <pen-testat_private>
    Cc: <otanerat_private>
    Sent: Thursday, October 18, 2001 11:22 AM
    Subject: Re: vulnerable perl script?
    
    
    On Thu, 18 Oct 2001 otanerat_private wrote:
    
    > I'm doing a pen test and I found a perl script, which seems to be
    > vulnerable. If I do a get, for example:
    >
    > GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00
    >
    > I can see the content of the passwd file. But when I try to execute a
    > command, for example:
    >
    > GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00
    >
    > I get this garbage and some interesting stuff:
    
    It's not executing the command; the binary itself is being dumped
    (just like if you did a 'cat /bin/id' on the command line).
    
    Try encapsulating the last part as `/bin/id`.  That should get you
    the desired results.
    
    > I'm not sure but I think, the %00 is the problem and without %00, I get
    > no results. Does anybody know how I can execute my commands? I tried ;
    > and ¦, but nothing happened. I'm not able to see the source of the perl
    > file.
    
    To see the contents of the PERL file, try something like:
    
    /cgi-bin/whatever.pl?variable1=test%00&variable2=./whatever.pl%00
    
    If that doesn't work, try standard Apache locations like:
    
    /var/lib/apache/cgi-bin/whatever.pl
    /usr/local/apache/cgi-bin/whatever.pl
    /usr/local/bin/apache/cgi-bin/whatever.pl
    
    ...and so on.  If none of that pans out, just try passing a find
    or locate command through variable2.  You're bound to hit paydirt
    thataway.
    
    - -Jay
    
      (    (                                                         _______
      ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
    C|~~|C|~~| (>------ Jay D. Dyson - jdysonat_private ------<) |    = |-'
     `--' `--'  `- Peace without justice is life without living. -'  `------'
    
    
    
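The open() pattern both replies describe, as an added Perl illustration that is not code from this thread: a two-argument open() handed a user-controlled name (where %00 truncation and a '|' in the string matter), beside a hardened form. $DOCROOT, the ".html" suffix and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added illustration, not code from the thread: the Perl open() pattern the
# replies describe, beside a hardened version. $DOCROOT and the ".html"
# suffix are assumptions about what such a script might do.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

my $DOCROOT = realpath('/var/www/docs') // '/var/www/docs';   # assumed

# --- The pattern the thread is talking about: two-argument open() ---
# With two arguments, Perl parses the string itself: a '|' at either end
# turns it into a command pipe, and older perls passed an embedded NUL
# through to the C library, which stops at the NUL and drops the suffix.
# Both behaviours reach user input here because $name is used as-is.
sub read_file_unsafe {
    my ($name) = @_;
    my $path = "$DOCROOT/$name.html";
    open(my $fh, $path) or return undef;   # 2-arg open
    local $/;
    return <$fh>;
}

# --- Hardened version ---
sub read_file_safe {
    my ($name) = @_;
    # 1. Refuse NUL bytes explicitly (newer perls reject them in pathnames,
    #    but the check should not depend on the interpreter version) and
    #    allow only a tight whitelist, so "../" and "|" never get in.
    return undef unless defined $name && $name !~ /\0/
                     && $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    # 2. Resolve the final path and confirm it is still under $DOCROOT,
    #    which also catches symlinks pointing outside it.
    my $real = realpath(File::Spec->catfile($DOCROOT, "$name.html"));
    return undef unless defined $real && index($real, "$DOCROOT/") == 0;
    # 3. Three-argument open with an explicit mode: the third argument is
    #    only ever a filename, never a pipe or command.
    open(my $fh, '<', $real) or return undef;
    local $/;
    return <$fh>;
}

# Demo driver: takes the "variable2" value on the command line.
my $name = shift(@ARGV) // '';
my $body = read_file_safe($name);
print defined $body ? $body : "rejected or not found\n";
```

The whitelist plus the realpath prefix check is what makes the fix hold even when the script later appends a suffix, since neither a NUL nor a traversal sequence can reach open() at all.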
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    
    
    
    
    This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 19:18:03 PDT