Where a 'Nobody' poses a threat to Everybody, the Common Gateway Interface cannot be fully trusted.
CGI denotes a programming style that adds functionality to websites. Search engines usually meet the demands of the CGI specification.
This means, however, that the standards are generalized and not platform specific.
So we first have to establish the document tree, then request the script's URL to execute it. For instance:
http://this site/a/path/specific_script.cgi.
To learn what we want to know, we apply the same methods as in good searching in general, in this case sending the script crafted query strings. So there must be a way to supply remote user input, through a form or a "searchable index" command.
Dynamically produced indexes make the contents of a complete directory visible to the user (that could be you), and private files could be accessible as well.
A script does not necessarily have to be invoked in the way the implementer expects; it can be invoked from any form, anywhere in the world. The best way is to invoke the script by directly requesting its URL. Alter the parameters, and we get "unexpected" values. Anything could happen, depending on the language used and the platform it runs on. We could also use it through other web services, such as search engines, etc.
Locally installed search engines may pose a threat, as was the case with Excite's EWS, which could be tricked on both UNIX and NT into affecting the site itself (though not sites linked from outside).
For instance test.cgi, if it is enabled, can produce a file listing of the entire directory for us.
CGI scripts are potentially insecure even though the server runs as "nobody", and more so if "nobody" has high privileges (see title). A subverted CGI script may still hold enough privileges to mail out the system files, examine the network information maps, etc. Even in a chroot jail, a buggy script (and a long one is by definition a buggy one) may leak information on the host, so the host could become compromised.
Some CGI scripts are scattered all over the document tree; in that case they are difficult to trace (and to keep track of). It is better if they are held in a cgi-bin area with tightly controlled access; if not, it is again easy to execute one remotely on demand by requesting its URL. If the source code is not known or not traceable because the script is in binary form, there could be a backup copy lying around from somebody who has altered it recently; look for it and request e.g.: http://that-site/a/path/your_script.cgi
A CGI-bin inside the document root is a treasure find, because the source code of CGI scripts written in C is then freely available.
Security holes are there, but we do not know them yet; we must explore.
A long script may have problems; programs set up to read files are more vulnerable and leak information. Dangerous to the curious are scripts run with suid (set-user-id) privileges. You may execute shell commands on server hosts if shell metacharacters are not removed from the user input. Shell metacharacters are e.g.: &:'|\"*?-<>()[]{}$\n\r.
The strings '%0a' and '%20' are ASCII line feed and blank (space) and can be put to good use:
http://www.anyold.com/cgi-bin/query?%0a/bin/cat%20/etc/passwd
You guess what happens here. And it is still around on the net! Some people work with old(er) versions and leave them in the default settings.
To check file permissions, to see whether the script is vulnerable (in Perl), the string "%0a/bin/ls%20-la%20/usr/src/include" could be appended to the URL of a CGI script using GET.
The easiest case is if the root site is found to have the default install.
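The metacharacter problem described above, as an added example (not the author's code): it percent-decodes a query the way the CGI script sees it, flags the listed metacharacters, contrasts the unsafe command-building pattern with an allowlisted argv form, and runs the same check over constructed access-log lines. The grep-based search, the index file path and the log lines are assumptions.

```python
import re
from urllib.parse import unquote

# The shell metacharacters the text lists, plus LF and CR; a CGI script that hands
# user input to a shell must strip or reject every one of them.
SHELL_METACHARS = set("&:'|\\\"*?-<>()[]{}$\n\r")
# Allowlist for a plain keyword search: letters, digits and spaces only.
SAFE_QUERY = re.compile(r"[A-Za-z0-9 ]{1,64}")
INDEX_FILE = "/usr/local/www/index.txt"  # hypothetical file the search reads

def decode_query(raw):
    """Percent-decode a query the way the CGI script sees it (%0a -> LF, %20 -> space)."""
    return unquote(raw)

def find_metachars(raw):
    """Shell metacharacters hidden in a raw, still percent-encoded query string."""
    return {c for c in decode_query(raw) if c in SHELL_METACHARS}

def build_command_unsafe(raw):
    """The defect the text describes: decoded input pasted into a shell command line.
    Returned as a string only, to make the injected second line visible; never executed."""
    return "grep -i " + decode_query(raw) + " " + INDEX_FILE

def build_argv_safe(raw):
    """Hardened form: validate against the allowlist and build an argv list for
    subprocess.run(argv, shell=False), so no shell ever parses the input."""
    query = decode_query(raw)
    if not SAFE_QUERY.fullmatch(query):
        raise ValueError("query rejected: character outside the allowlist")
    return ["grep", "-i", query, INDEX_FILE]

def flag_suspicious_requests(log_lines):
    """Detection side: request paths from access-log lines whose query string
    decodes to something containing a shell metacharacter."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|HEAD|POST) (\S+)', line)
        if m and "?" in m.group(1) and find_metachars(m.group(1).split("?", 1)[1]):
            hits.append(m.group(1))
    return hits

# Constructed sample log: one ordinary request and one carrying the %0a trick from the text.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jun/2004:21:27:28 +0000] "GET /cgi-bin/query?weak%20cgi HTTP/1.0" 200 512',
    '203.0.113.9 - - [20/Jun/2004:21:28:01 +0000] "GET /cgi-bin/query?%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 2048',
]
```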
After this general introduction, some examples:
So what to do? Well, construct your query according to the information you would like to get from the site through HEAD and GET. For instance I tried this with WebBug:
We tried http://www.findtarget.com/cb/beaucoup.php?q=weak+cgi
sought at: http://www.beaucoup.com/cgi-bin
It cannot be reached, and is then redirected to http://www.findtarget.com/ch/beaucoup.php?q=
This redirect can be found if we survey cgi-bin, and we can get to 1promo.html in cgi-bin etc. and have the contents of the document tree.
Actually, the web server has no secrets for us.
Secondly, we can find a neat and clean search page by demanding the right query (the default_index_ could be somewhere else).
We used WebBug to get some information on the server, and found through GET on http://search.yahoo.com/search/dir the following information:
HTTP/1.1 200 OK
Date: Sun, 20 Jun 2004 21:27:28 GMT
P3P: policyref="http://p3p.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE GOV"
Cache-Control: private
Connection: close
Content-Type: text/html; charset=ISO-8859-1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html><head><meta
http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
<link rel="stylesheet" href="http://us.i1.yimg.com/us.yimg.com/lib/s/ysch_051204_b.css"
type="text/css">
<script
language="javaScript1.2">
if (document.layers &&
!document.getElementById)
document.writeln('<link rel="stylesheet" href="http://us.i1.yimg.com/us.yimg.com/lib/s/ysch_nn4_051004.css"
type="text/css"> ');
</script>
<title>Yahoo! Search Results for </title>
<style>
/*
macIE hide \*/
#yschsec li {overflow:hidden;}
/* end macIE hide
*/
</style>
</head>
<body>
<!-- SpaceID=0 robot
-->
<div id=ygma>
<table cellpadding=3 cellspacing=0
border=0>
<tr><form action="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DSBT/*-http://search.yahoo.com/search/dir"
name=s>
<td><!-- SpaceID=0 robot -->
<a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=HEAD/*-http://search.yahoo.com">
<img border=0 height=30 width=222 src="http://us.i1.yimg.com/us.yimg.com/i/us/search/gr/schma_1.gif"
alt="Yahoo!"></a></td>
<td><input size=42 name=p
value=""> <input type=submit value="Yahoo! Search"><input
type=hidden name="ei" value="ISO-8859-1"><input type=hidden name="n"
value="20"><input type=hidden name="fl" value="0"><INPUT type=hidden
name=x value=drt></td>
<td nowrap style="line-height:
.9em;"><small><a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DAST/*-http://search.yahoo.com/dir/advanced?">Advanced</a><br>
<a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DPRT/*-http://search.yahoo.com/search/preferences?pref_done=http%3A%2F%2Fsearch.yahoo.com%2Fsearch%2Fdir%3Fp%3D%26ei%3DISO-8859-1&pref_cancel=http%3A%2F%2Fsearch.yahoo.com%2Fsearch%2Fdir%3F">Preferences</a>
</small></td></tr></table>
<div></div></form>
</div>
<hr class=yschnocss>
<hr class=yschnocss>
<div id=yschtg
class=yschtgdir>
<SPAN class=yschtgpt><STRONG
class=yschnocss>Show results
for:</STRONG></SPAN>
<b><a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DNWT/*-http://search.yahoo.com/search?">Web</a></b><span class="yschnocss yschnn4"> | </span><b><a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DNIT/*-http://images.search.yahoo.com/search/images?">Images</a></b><span class="yschnocss yschnn4"> | </span><b class=yschontb>Directory</b><span class="yschnocss yschnn4"> |
</span><b>
<a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DNYT/*-http://yp.search.yahoo.com/search/ypredirect?">Yellow Pages</a></b><span class="yschnocss yschnn4"> | </span><b>
<a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DNNT/*-http://news.search.yahoo.com/search/news?">News</a></b><span class="yschnocss yschnn4"> | </span><b>
<a href="http://rds.yahoo.com/S=96062852/K=/v=2/SID=e/l=DNPT/*-http://search.shopping.yahoo.com/search;_ylc=X3oDMTFmcDNiNjc2BF9TAzI3NjY2NzkEX3MDMTQ0ODkxMTUEc2VjA3NyY2h0YWIEc2xrA3Byb2R1Y3Rz?&cop=mss"
id=prod>Products</a></b>
</div>
<hr
class=yschnocss>
<div id=yschres>
<div
id=yschpri>
<br>
<p class=err><img src="http://us.i1.yimg.com/us.yimg.com/i/us/search/gr/alertbubble.gif"
width=23 height=19 border=0 align=middle alt=Alert> Your search box was
empty. Please enter one or more words in the box
above.</p>
<br>
</div>
</div>
<div
id=yschpg><p>
</p></div>
<hr
class=yschnocss>
<hr class=yschnocss>
<div
id=yschft>
<p><small><!-- SpaceID=0 robot
-->
</small></p></div>
<img alt="" width=1
height=1 src="http://pa.yahoo.com/pa?q=&s=96062852">
<form
name=hf><input type=hidden name=p><input type=hidden name="ei"
value="ISO-8859-1"><input type=hidden name="n" value="20"><input
type=hidden name="fl" value="0"></form>
<form
name=hfps><input type=hidden name=p><input type=hidden name="cop"
value="mss"><input type=hidden name="__yltc" value="">
<input type=hidden name="ei" value="ISO-8859-1"><input type=hidden name="n"
value="20"><input type=hidden name="fl"
value="0"></form>
<div
id=yschmw><div></div></div>
</body></html>
Run it as .html and enjoy.
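What such a captured response tells a defender, as an added example that is not part of the original page: it splits a raw HTTP response into status line, headers and body, then inventories every form action and input (hidden fields included), which is the parameter surface the endpoint exposes. The response below is a constructed excerpt modelled on the one above, with placeholder hostnames.

```python
from html.parser import HTMLParser

# Constructed sample modelled on the response above: status line, headers, blank line,
# then a body with a search form and a hidden helper form (hostnames are placeholders).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 20 Jun 2004 21:27:28 GMT\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: text/html; charset=ISO-8859-1\r\n"
    "\r\n"
    '<html><body><form action="http://search.example.test/search/dir" name=s>'
    '<input size=42 name=p value=""><input type=hidden name="ei" value="ISO-8859-1">'
    '<input type=hidden name="n" value="20"><input type=hidden name=x value=drt>'
    '</form><form name=hf><input type=hidden name=p></form></body></html>'
)

def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

class FormInventory(HTMLParser):
    """Collect each form's action and every input's (name, type, value): the parameter
    surface the endpoint accepts, hidden fields included."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action", ""), "inputs": []})
        elif tag == "input" and self.forms:
            self.forms[-1]["inputs"].append((a.get("name"), a.get("type", "text"), a.get("value")))

def inventory(raw_response):
    """Headers plus form inventory for one captured response; a form with an empty
    action posts back to the URL that served it."""
    _, headers, body = split_response(raw_response)
    parser = FormInventory()
    parser.feed(body)
    return headers, parser.forms
```

A missing Server header, as in the response above, is itself a data point: the server reveals its software only through other fingerprints such as the cookie and form layout.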
To introduce examples from my list of weak CGI, I will start with a short list with the term "search" somewhere in it. Anyway, Fravia is about searching lores. The queries are for various platforms and scripts.
Here we go: