----- Original Message -----
From: "Andrew Hintz (Drew)" <mail.drewat_private>
To: <plugins-writersat_private>
Sent: Friday, January 04, 2002 6:45 PM
Subject: A couple NASLs for simple CGI traversals

> Here are NASLs for the zml.cgi and the PHP Rocket Add-in directory traversals.
>
> Is there a KB item for the name of the cgi-bin directory?

cgibin() returns one of the paths entered by the user to use instead of cgi-bin. This function duplicates the run of the script, which means that if the user set the CGI path to '/scripts:/cgi-bin' (the default) then the script will be executed twice when cgibin() is called - the first time, it will return '/scripts', the second time it will return '/cgi-bin'.

> Also, for directory traversals is there a standard file to check for on Unix boxes? (In these two NASLs I just use /etc/passwd and grep for root: and :0:0: to verify that it's actually /etc/passwd)

Fine on Unix. On Windows we use /winnt/win.ini and grep for [windows] or [fonts] (see iplanet_traversal.nasl).

You can't use '/WINNT/system32/ipconfig.exe' and grep for 'IP Configuration' because of international versions of Windows. The standard is to use 'dir /OG' and grep for '<DIR>' (see iis_decode_bug.nasl). If there is no way to send arguments, use net.exe (see alchemy_eye_http.nasl).

Georges Dagousset
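The two points made in the reply, one request per user-configured CGI directory (what cgibin() forking the script amounts to) and verifying that the body that comes back really is /etc/passwd, win.ini or a 'dir /OG' listing rather than an error page, written out as plain Python so they can be run offline. This is an added example and is not code from the thread, from Nessus or from the NASL plugins named above. The query-parameter name passed to build_requests(), the traversal depth, and the sample HTTP responses (including the German-locale dir listing) are constructed for the example; the regexes are a little stricter than a bare grep for 'root:' and ':0:0:' in that they require the passwd field layout, which is this example's own choice.

```python
"""Request construction and response verification for simple CGI
directory-traversal checks (added example, not the original NASL)."""
import re
from typing import List, Optional, Sequence, Tuple

# Unix: the root entry of /etc/passwd has uid 0 and gid 0 in fields 3 and 4.
# Anchoring on the field layout avoids matching an error page that merely
# mentions "root:" somewhere in its text.
PASSWD_ROOT = re.compile(r"^root:[^:\r\n]*:0:0:", re.MULTILINE)

# Windows: win.ini section headers are identical in every localized build,
# whereas tool output such as "IP Configuration" is translated.
WIN_INI_SECTION = re.compile(r"^\[(windows|fonts)\]\s*$", re.IGNORECASE | re.MULTILINE)

# Windows: 'dir /OG' marks directories with '<DIR>' in every language version.
DIR_LISTING = re.compile(r"<DIR>")

# Constructed sample responses (not captured from any real host).
SAMPLE_UNIX = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
)
SAMPLE_WIN_INI = (
    "HTTP/1.0 200 OK\r\n\r\n"
    "; for 16-bit app support\r\n[fonts]\r\n[extensions]\r\n[mci extensions]\r\n"
)
SAMPLE_DIR_LISTING = (
    "HTTP/1.0 200 OK\r\n\r\n"
    " Verzeichnis von C:\\Inetpub\\scripts\r\n\r\n"
    "04.01.2002  18:45    <DIR>          .\r\n"
    "04.01.2002  18:45    <DIR>          ..\r\n"
)
SAMPLE_ERROR_PAGE = (
    "HTTP/1.0 200 OK\r\n\r\n"
    "Error: cannot open file requested by root: permission denied\r\n"
)


def build_requests(cgi_dirs: Sequence[str], script: str, param: str,
                   target: str = "unix", depth: int = 6) -> List[str]:
    """One GET request per CGI directory, mirroring the way cgibin() runs a
    NASL script once for each path the user configured (e.g. /scripts and
    /cgi-bin).  'param' is a hypothetical query-parameter name."""
    target_file = {"unix": "etc/passwd", "windows": "winnt/win.ini"}[target]
    traversal = "../" * depth + target_file
    return [
        "GET %s/%s?%s=%s HTTP/1.0\r\n\r\n" % (d.rstrip("/"), script, param, traversal)
        for d in cgi_dirs
    ]


def split_http_response(raw: str) -> Tuple[str, str]:
    """Return (status line, body) for a raw HTTP response."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition("\n\n")
    return head.split("\n", 1)[0].strip(), body


def classify_traversal_response(raw: str) -> Optional[str]:
    """Decide which sensitive file, if any, the response body looks like.
    Returns None when nothing matches, so a 200 with an error message is
    not reported as a successful traversal."""
    _, body = split_http_response(raw)
    if PASSWD_ROOT.search(body):
        return "unix:/etc/passwd"
    if WIN_INI_SECTION.search(body):
        return "windows:win.ini"
    if DIR_LISTING.search(body):
        return "windows:dir-listing"
    return None


if __name__ == "__main__":
    for req in build_requests(("/scripts", "/cgi-bin"), "zml.cgi", "file"):
        print(req.split("\r\n", 1)[0])
    for name, resp in (("unix", SAMPLE_UNIX), ("win.ini", SAMPLE_WIN_INI),
                       ("dir", SAMPLE_DIR_LISTING), ("error", SAMPLE_ERROR_PAGE)):
        print(name, "->", classify_traversal_response(resp))
```

The error-page sample is the case a plugin writer wants to get right: a server that answers 200 with a message mentioning "root:" must not be flagged, which is why the passwd check anchors on the whole field layout rather than on the substring alone.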
This archive was generated by hypermail 2b30 : Fri Jan 04 2002 - 10:03:28 PST