
Thread: Simple CGI-Hacking Tutorial

  1. #1
    Senior Member
    Join Date
    Nov 2001
    Posts
    276

    Simple CGI-Hacking Tutorial

    Newbie? Wanna start looking into CGI security? Alrighty then

    The original can be found at
    http://neworder.box.sk/newsread.php?newsid=1351

    Paris2K writes:
    I wrote this tutorial a while back, originally for the Blacksun Research Facility.
    However, since the new laws in the US, BSRF has a few new policies regarding tutorials.
    I thought maybe some of you new guys out there would like a tutorial like this to get you started and to get you interested in some basic stuff about CGI and maybe Perl. It's like many people have said on the board: you can't learn how to "hack". Hacking is a word for a lot of knowledge that has to do with computers, networking and their security. Maybe this is a place for some of you to start?

    The Simple CGI-Hacking Tutorial / Written by P2K for Neworder (http://neworder.box.sk)
    <=====================================================================>
    01/12/2001, version 1.3 (First Released Version)


    Table of Contents
    <================>

    1.1 Disclaimer
    1.2 Introduction
    1.3 What are CGI-Scripts?
    1.4 Hacking CGI-Scripts / Using CGI-Scripts to hack
    1.5 Why are (some) CGI-Scripts easy to hack?
    1.6 Vulnerable scripts and how do I hack them?
    1.7 How do I find vulnerable sites?
    1.8 Possible Solutions
    1.9 After Word

    1.1 Disclaimer:
    <=============>

    In no way does the author of this tutorial or Neworder encourage any sort of illegal activities.
    This tutorial's only purpose is to inform and teach about security problems regarding CGI-Scripts
    and possible solutions to these problems. Neither the author nor Neworder can be held responsible for anything you do with regard to the knowledge in this tutorial. Be a true hacker, learn and
    help others (to learn).

    1.2 Introduction:
    <===============>

    Some time ago I ended up in some CGI-BIN directory, somewhere on the web. I had seen CGI-BIN directories before, but to be honest I never really knew what they did or what they were there for. Probably out of boredom, I started browsing the subdirectories and saw that these dirs contained all sorts of different scripts. CGI-Scripts. I was rather intrigued when I also found a file named password.txt and another file which contained a username and password combination. Could it be that this kind of information was just lying around here, for anyone to see? The answer is yes. So I decided to read some papers on CGI, perl and CGI-Security. I found out that what I had been doing was a simple sort of.....CGI-Hacking.

    1.3 What are CGI-Scripts?
    <=======================>

    I know you probably can't wait to start learning to hack CGI-Scripts, but first you will have to know a little bit about the CGI-Scripts themselves. CGI stands for Common Gateway Interface. CGI-Scripts allow web pages to communicate and interact with executable programs on the server. For example: when you subscribe to a mailing list (newsletter) your email address will be added to some mailing list so you will receive a weekly or daily e-mail. This process is fully automatic. No webmaster has to go and add all these email addresses to some list. A CGI-Script does this for him. Another example is a Bulletin Board script. When a visitor posts a message on a bulletin board, a CGI script will turn this message into a nice looking HTML page, containing the posted message.

    1.4 Hacking CGI-Scripts / Using CGI-Scripts to hack
    <=================================================>

    There's an important difference between these two things. Using CGI-Scripts to hack is a way to exploit vulnerabilities in CGI-Scripts to gain access to a server. This is a somewhat more complicated matter than hacking CGI-Scripts, but these two topics have a lot to do with each other. In this tutorial I will discuss "Hacking CGI-Scripts". "Using CGI-Scripts to hack" might be a subject for a next tutorial. Or not :-)

    1.5 Why are (some) CGI-Scripts easy to hack?
    <==========================================>

    A lot of scripts that are used on the internet are free CGI-Scripts written by hobbyists, who have put a lot of time and effort into them. These scripts are freely available on the web, for anyone to use. But some of these scripts have huge security problems, which could be exploited to hack the script. So why are they easy to hack? They are written by hobbyists, they are often not written with security in mind and since these scripts are free, they are used a lot, which means there are a lot of possible victims out there.

    1.6 Vulnerable Scripts and How Do I Hack 'm?
    <==========================================>

    --> Calendar CGI Script by Matt Kruse

    One of the scripts that I found vulnerable is the Calendar Script. This script is, like the name says, a script which makes it possible to have a calendar on your website. The calendar script is located in the CGI-BIN directory, most often in a subdirectory called "calendar". The config file calendar.cfg contains the administrator username and password that are needed to alter the script's settings. This username and password combination can be found at the absolute end of the calendar.cfg file. However, they are both encrypted (most often in DES). Just download John The Ripper and a big dictionary and you will easily crack most passwords. (See the blacksun tutorial on how to use John)

    The calendar.cfg file is most often located at the following address:

    http://www.foobar.com/cgi-bin/calendar/calendar.cfg

    After cracking the password/username you should go to the Admin Control Login at:

    http://www.foobar.com/cgi-bin/calend...admin.pl?admin (Hence the ?admin after the calendar_admin.pl file)



    -->WebBBS Script by Darryl C. Burgdorf

    WebBBS Script is a web-based Bulletin Board System. The WebBBS directory contains a profiles dir which in its turn contains profiles of people who have an account for the Bulletin Board. (Passwords) These passwords are also encrypted. (Use John The Ripper!)

    You can probably find the txt-files containing user profiles at this location:

    http://www.foobar.com/cgi-bin/webBBS/profiles/



    -->WebAdverts Script by Darryl C. Burgdorf

    WebAdverts Script is a script which allows webmasters to display rotating banners/ads on their webpages. Eventually you can use the password and username combination to replace banners with your own, create new banner accounts, delete accounts, view sensitive info, etc etc.

    The location of the Webadverts password is:

    http://www.foobar.com/cgi-bin/advert/adpassword.txt

    When you have decrypted the password visit:

    http://www.foobar.com/cgi-bin/advert/ads_admin.pl to login as script administrator



    -->WWWBoard Script

    WWWBoard is another web-based Bulletin Board.

    The password to the script can be found in a file called "password.txt" (wouldn't you know!)
    Just do a search for cgi-bin/wwwebboard or webboard/password.txt

    -->Mailmachine Script

    Mailmachine.cgi is a web-based mailing list. You should look for the file addresses.txt which lists all the email addresses of people that have subscribed to that particular list. It is then possible to take these e-mail addresses and unsubscribe people from the list, at the subscribe/unsubscribe html page. (This also works with several other mailing list scripts.)

    A lot of other CGI-Maillists have the same problem...they have the maillist itself (the list with the subscribed addresses) visible to the public.

    The lists can often be found at these urls:

    http://www.foobar.com/cgi-bin/mailman/addresses.txt
    http://www.foobar.com/cgi-bin/maillist/addresses.txt
    http://www.foobar.com/cgi-bin/mail/addresses.txt

    You could also just do a search for addresses.txt, but sometimes the addresses file is called differently.

    After finding the list, all you need to do is visit a page like this:

    http://www.foobar.com/cgi-bin/maillist/subscribe.htm

    (Snoop around in the maillist dir and the cgi-dir until you find the page where you can unsubscribe. Often this is on the homepage or on the page for the mailing list.)

    There are a lot more scripts out there that are vulnerable to these simple kinds of attacks.
    You should go browsing CGI-BIN directories, look at all the files you can find and see if you can find anything interesting. You'll learn to find your own vulnerabilities this way.
    I can't mention all vulnerable CGI-Scripts in this tutorial but I think that for the moment you've got enough of 'm to get started.


    1.7 How do I find vulnerable sites?
    <=================================>

    First of all I would like to say that you shouldn't go hacking every CGI-Script you can find.
    Try to learn things, gain knowledge. Maybe even learn Perl (the language in which most CGI-Scripts are written). Try to find out why these scripts are insecure and search for solutions. I had a lot of fun searching for vulnerable sites and then e-mailing the webmaster about the problem. They all reacted in a very friendly way, thinking that I was some uberhacker warning them about huge security problems. (Not entirely beside the truth). This made me feel really good, it was a huge ego boost. These people usually don't know much about anything. They'll be grateful and look up to you. (Remember to be polite!)

    There's a very easy way to find vulnerable sites. Just visit www.google.com or www.altavista.com. Contrary to other search engines, these search engines are metacrawlers, which basically means that they find every page containing the words cgi-bin or cgi-bin/calendar.cfg or cgi-bin/password.txt etc. etc. Whenever you do a search for cgi-bin/passwords.txt or something else you'll find a lot of results. However, if you do not find what you are looking for in that dir, try going up one level (dir) higher, to the cgi-bin dir. (If it is not locked) Here you'll probably see multiple dirs for different CGI-Scripts. Browse them and look for interesting files, containing passwords or usernames, or other useful information. After a while you'll learn to recognise important data and you'll be on your way to discovering your own vulnerabilities. Or other known vulnerabilities in scripts that I have not mentioned in this tutorial.

    Also Intellitamper is a great program to use for this kind of directory browsing. It shows all files on a server. You can download it at www.intellitamper.com
    (Thanks to Thran 'cause I believe it was he, who pointed this prog out to us on the board.)

    1.8 Possible Solutions
    <====================>

    One general solution for all these vulnerabilities is to lock your CGI-BIN directory. Some directories have to be set world-writeable, because the CGI-Scripts need to do stuff, but there is no reason why your CGI-BIN directory should be visible to the public. If they can't see what scripts you're running and if they can't see the files containing the passwords, usernames or maillists then it'll be much more difficult for them to hack the scripts. However, when you decide to close the CGI-BIN to the public, make sure you also close every single subdirectory, 'cause people who can not enter the CGI-BIN dir, can then still enter cgi-bin/webbbs or cgi-bin/calendar (for example) directly.

    Another solution would be to go to the bugtraq archives or any other exploitz website and do a CGI vulnerability search. Then make sure you do not use any scripts with known vulnerabilities. However, new vulnerabilities are found every day.....

    1.9 Afterword
    <============>

    Thanks,
    Read the disclaimer again!

    P2K
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile
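Added example, not part of the tutorial or of this thread: a defender-side audit in Python for the situation section 1.8 describes. It walks a document root and lists the data files that section 1.6 names (calendar.cfg, adpassword.txt, password.txt, addresses.txt, the WebBBS profiles directory) wherever they sit under a cgi-bin directory, which is exactly what a visitor would see if the directory were browsable. The sample tree it builds is constructed for the demonstration and contains placeholder strings rather than real hashes; the name patterns and the assumption that only .pl and .cgi files are executed rather than served as plain files are the example's own.

```python
import os
import re
import shutil
import tempfile

# File names the tutorial lists as exposed by the scripts it discusses.
SENSITIVE_FILE_PATTERNS = [
    re.compile(r"\.cfg$", re.IGNORECASE),                  # calendar.cfg
    re.compile(r"^(ad)?passwords?\.txt$", re.IGNORECASE),   # password.txt, adpassword.txt
    re.compile(r"^addresses\.txt$", re.IGNORECASE),         # mailing-list membership
]
SENSITIVE_DIR_NAMES = {"profiles"}     # WebBBS per-user profile files
SCRIPT_EXTENSIONS = {".pl", ".cgi"}    # assumption: executed by the server, never served as data


def audit_cgi_bin(webroot):
    """Walk every directory named cgi-bin below webroot and return the data
    files a visitor could fetch if the directory is browsable.

    Returns a sorted list of (path relative to webroot, reason) tuples.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        if "cgi-bin" not in rel_dir.split(os.sep):
            continue  # only the CGI tree is of interest here
        parent = os.path.basename(dirpath)
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTENSIONS:
                continue  # script, not a data file
            rel = os.path.join(rel_dir, name)
            if parent in SENSITIVE_DIR_NAMES:
                findings.append((rel, "user profile inside cgi-bin"))
            elif any(p.search(name) for p in SENSITIVE_FILE_PATTERNS):
                findings.append((rel, "credential or subscriber list inside cgi-bin"))
    return sorted(findings)


def build_sample_webroot():
    """Create a throw-away document root shaped like the layout the tutorial
    describes. All contents are constructed placeholders."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.html": "<html><body>hello</body></html>\n",
        "cgi-bin/calendar/calendar_admin.pl": "#!/usr/bin/perl\n",
        "cgi-bin/calendar/calendar.cfg": "title=Demo\nadmin:PLACEHOLDER_HASH\n",
        "cgi-bin/advert/ads_admin.pl": "#!/usr/bin/perl\n",
        "cgi-bin/advert/adpassword.txt": "PLACEHOLDER_HASH\n",
        "cgi-bin/maillist/addresses.txt": "alice@example.com\nbob@example.com\n",
        "cgi-bin/webbbs/profiles/alice.txt": "alice:PLACEHOLDER_HASH\n",
        "cgi-bin/wwwboard/password.txt": "admin:PLACEHOLDER_HASH\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def audit_sample():
    """Build the sample tree, audit it, clean up, and return the findings."""
    root = build_sample_webroot()
    try:
        return audit_cgi_bin(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, reason in audit_sample():
        print(f"{rel}: {reason}")
```

Run against a real document root the function reports the same paths a search engine would have indexed, which is the list of files to move out of the web tree or to block at the server before worrying about how strong the hashes inside them are.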

  2. #2
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584


    hhahhaa guess what? i was just printing that tut out few mins ago while i was surfing neworder.box.sk... hehe

  3. #3
    Junior Member
    Join Date
    Nov 2001
    Posts
    10


    The tool WebCheck is still available, giving you the possibility to check the vulnerability of your site against those "standard-attacks".

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    There's a way around this from the programming aspect of things.
    Simply store all your files in a different part of the directory tree. So even if the CGI, Perl, ASP, or PHP script is accessing a file with passwords in it, nobody on the web can see it.

    An example. Let's say I have an app that has admin people who can add text to a webpage to do news updates, and etc.. On my Linux/Apache server, my wwwroot is /var/www/html. However, to protect myself from this sort of hacking, I could store all my 'sensitive' yet must-be-webserver-accessible content (usernames, passwords, etc., etc..) in /var/www/nonweb, and then you couldn't simply browse to the files.

    I also don't really think this qualifies as hacking. It's more like exploiting a poorly written web app...
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
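Added example, not code from the post above or from any of the scripts the thread discusses: a Python sketch of the layout chsh describes, with the document root at /var/www/html and the credential file under /var/www/nonweb (both paths from the post; the demo swaps them for a throw-away temporary tree). load_credentials() refuses any file that resolves inside the document root, so the tutorial's password.txt-in-cgi-bin situation cannot come back silently when someone "fixes" a path later. Passwords are stored as salted PBKDF2 hashes and compared with hmac.compare_digest; that is the example's own choice in place of the DES crypt the tutorial mentions, and the function names and file format are assumptions.

```python
import hashlib
import hmac
import os
import shutil
import tempfile

WEBROOT = "/var/www/html"       # document root named in the post
SECRETS_DIR = "/var/www/nonweb"  # non-web directory named in the post
PBKDF2_ITERATIONS = 200_000      # assumption: a modern work factor, not from the post


def is_outside_webroot(path, webroot):
    """True if path (after resolving symlinks and '..') is not under webroot."""
    real = os.path.realpath(path)
    root = os.path.realpath(webroot)
    return os.path.commonpath([real, root]) != root


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def write_credentials(path, username, password):
    """Store one 'user:salt_hex:digest_hex' line, readable only by the owner."""
    salt = os.urandom(16)
    with open(path, "w") as fh:
        fh.write(f"{username}:{salt.hex()}:{hash_password(password, salt)}\n")
    os.chmod(path, 0o600)


def load_credentials(path, webroot=WEBROOT):
    """Read the credential file, but only if it lives outside the document root."""
    if not is_outside_webroot(path, webroot):
        raise ValueError(f"refusing credential file under the document root: {path}")
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            user, salt_hex, digest = line.split(":", 2)
            creds[user] = (bytes.fromhex(salt_hex), digest)
    return creds


def check_login(creds, username, password):
    """Constant-time comparison; unknown users still pay the hashing cost."""
    salt, digest = creds.get(username, (b"", ""))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest) and username in creds


def demo():
    """Build a throw-away tree shaped like the post's layout (constructed
    sample data) and exercise the checks. Returns a dict of results."""
    base = tempfile.mkdtemp(prefix="cgi-demo-")
    webroot = os.path.join(base, "html")
    nonweb = os.path.join(base, "nonweb")
    os.makedirs(os.path.join(webroot, "cgi-bin"))
    os.makedirs(nonweb)
    try:
        safe_path = os.path.join(nonweb, "admins.txt")
        write_credentials(safe_path, "admin", "correct horse battery staple")
        creds = load_credentials(safe_path, webroot)

        # The tutorial's failure mode: the same file dropped under cgi-bin.
        exposed_path = os.path.join(webroot, "cgi-bin", "password.txt")
        write_credentials(exposed_path, "admin", "correct horse battery staple")
        try:
            load_credentials(exposed_path, webroot)
            refused = False
        except ValueError:
            refused = True

        return {
            "good": check_login(creds, "admin", "correct horse battery staple"),
            "wrong": check_login(creds, "admin", "letmein"),
            "unknown": check_login(creds, "nobody", "correct horse battery staple"),
            "refused": refused,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

A CGI script would call load_credentials(os.path.join(SECRETS_DIR, "admins.txt")) once per request and pass the submitted form fields to check_login(); the web server user still needs read access to /var/www/nonweb, but no URL maps to it.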

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    I was just wondering..... Is there a password generator out there which you can feed URLs and it will make a password file on basis of that? Think about how many words can be found in eg. a newspaper!

    If not, some of us should make something like that.... Just for the fun of it of course.....
    ---
    proactive

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Hmm... Sorry, what I meant was a dictionary generator of course.....
    ---
    proactive

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    276

    I dunno

    I dunno but this might not be the right thread to ask the question in
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile

  8. #8
    Senior Member
    Join Date
    Nov 2001
    Posts
    472
    Quite right, I must have replied to the wrong thread. About the dictionary generator, I made one. Here is the link
    ---
    proactive

  9. #9
    another enlightening tutorial.....kind sir or madame, i thank you for spending your time to post this.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    276

    re: chsh

    But surely one would be able to deduce some fundamentals about CGI-hacking, yes?
    Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile
