Penetration Testing mailing list archives

Re: vulnerable perl script?


From: "Ryan Permeh" <ryan () eEye com>
Date: Thu, 18 Oct 2001 18:57:47 -0700

you may also be able to do it via a pipe(|) char in there somewhere.  this
is likely the byproduct of an open command, and pipes can be used to get
input from a program's output.  it depends on the cleaning of input and all,
but it might work.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "Jay D. Dyson" <jdyson () treachery net>
To: "Penetration Testers" <pen-test () securityfocus com>
Cc: <otaner () gmx ch>
Sent: Thursday, October 18, 2001 11:22 AM
Subject: Re: vulnerable perl script?


-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 18 Oct 2001 otaner () gmx ch wrote:

I'm doing a pen test and I found a perl script, which seems to be
vulnerable. If I do a get, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00

I can see the content of the passwd file. But when I try to execute a
command, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00

I get this garbage and some interesting stuff:

It's not executing the command; the binary itself is being dumped
(just like if you did a 'cat /bin/id' on the command line).

Try encapsulating the last part as `/bin/id`.  That should get you
the desired results.

I'm not sure but I think, the %00 is the problem and without %00, I get
no results. Does anybody know how I can execute my commands? I tried ;
and ¦, but nothing happened. I'm not able to see the source of the perl
file.

To see the contents of the PERL file, try something like:

/cgi-bin/whatever.pl?variable1=test%00&variable2=./whatever.pl%00

If that doesn't work, try standard Apache locations like:

/var/lib/apache/cgi-bin/whatever.pl
/usr/local/apache/cgi-bin/whatever.pl
/usr/local/bin/apache/cgi-bin/whatever.pl

...and so on.  If none of that pans out, just try passing a find
or locate command through variable2.  You're bound to hit paydirt
thataway.

- -Jay

  (    (                                                         _______
  ))   ))   .-"There's always time for a good cup of coffee."-.   >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson () treachery net ------<) |    = |-'
 `--' `--'  `- Peace without justice is life without living. -'  `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBO88PzblDRyqRQ2a9AQH/awQAnlHQFzWyN6NvutvxihGEBFCwynuTskTY
prW19RtauFxgYarxTfDpbFi8zKcX3k9b+OjLXADDZDFUFXDA1ege9UWBCFDBwtl1
rn95LtTPvzyXCnskeKMeKCAXQZlfJyLeUySvURVxVegbuDJxSmCsDA4UfeE3eDjJ
Q4JLIbCe0Zw=
=LJcu
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
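The behaviour the thread is circling around is Perl's two-argument open(): it interprets the string it is given, so a leading or trailing pipe turns a "filename" into a command, and in the Perl and C runtimes of the time an embedded NUL (the %00 in the requests above) cut the path short, discarding whatever the script appended after the user's value. The following is an added example, not code from the thread or from any of its participants, showing the vulnerable pattern next to a hardened reader. It assumes (a guess about the unseen script) that the CGI appends a ".txt" extension to variable2, and it creates a constructed file in a temporary directory so the demo runs offline; the request values it tests are the ones quoted in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);
use Cwd qw(realpath);

# --- vulnerable pattern (the kind of script the thread describes) ----------
# Two-argument open() parses the string: "| cmd" or "cmd |" runs a command
# instead of opening a file, and older Perl/C versions truncated the path at
# an embedded NUL, so the ".txt" suffix the script appends was silently lost.
# (Assumed suffix; the real script's behaviour is not visible in the thread.)
sub vulnerable_read {
    my ($user_value) = @_;
    open(my $fh, "$user_value.txt") or return undef;   # 2-arg open: unsafe
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# --- hardened replacement --------------------------------------------------
# 1. reject NUL bytes outright (defeats %00 truncation);
# 2. allow only a conservative character set (no '/', '.', '|', '`', ';');
# 3. resolve the final path and require it to stay under $base_dir, which
#    also catches symlinks inside the directory that point elsewhere;
# 4. three-argument open with a fixed '<' mode never spawns a command.
sub safe_read {
    my ($base_dir, $user_value) = @_;
    return undef if !defined $user_value;
    return undef if $user_value =~ /\0/;
    return undef if $user_value !~ /\A[A-Za-z0-9_-]{1,64}\z/;

    my $candidate = File::Spec->catfile($base_dir, "$user_value.txt");
    my $real      = realpath($candidate);      # undef if the file does not exist
    my $real_base = realpath($base_dir);
    return undef unless defined $real && defined $real_base;
    return undef unless index($real, $real_base . '/') == 0;   # confinement

    open(my $fh, '<', $real) or return undef;  # 3-arg open: mode is explicit
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# --- demo: run the thread's request values through the hardened reader ----
my $dir = tempdir(CLEANUP => 1);               # constructed sandbox directory
open(my $out, '>', "$dir/report.txt") or die "cannot create sample file: $!";
print $out "constructed sample report\n";
close $out;

my @probes = (
    "report",                                  # legitimate value
    "report\0",                                # %00 terminator from the thread
    "../../../../../../etc/passwd\0",          # traversal + NUL from the thread
    "`/bin/id`",                               # backtick form mentioned in the thread
    "| /bin/id",                               # pipe form mentioned in the thread
);

for my $p (@probes) {
    my $result = safe_read($dir, $p);
    (my $shown = $p) =~ s/\0/\\0/g;            # make the NUL visible when printed
    printf "%-36s -> %s\n", $shown,
        defined $result ? "read " . length($result) . " bytes" : "rejected";
}
```

Only the first probe reads the sample file; every other value is refused before any open() call is made. The character allowlist alone makes the traversal and command forms impossible, and the realpath confinement check is kept as a second, independent control for the symlink case the allowlist cannot see. Modern Perl refuses a NUL in a path on its own, but the allowlist and three-argument open are what close the pipe and traversal variants regardless of interpreter version.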
