|
-
December 6th, 2001, 09:42 AM
#1
Simple CGI-Hacking Tutorial
Newbie? Wanna start looking into CGI security? Alrighty then 
The original can be found at
http://neworder.box.sk/newsread.php?newsid=1351
Paris2K writes:
I wrote this tutorial a while back, originally for the Blacksun Research Facility.
However, since the new laws in the US BSRF have a few new policies regarding tutorials.
I thought maybe some of you new guys out there would like a tutorial like this to get you started and to get you interested in some basic stuff about CGI and maybe perl. It's like many people have said on the board; You can't learn how to "hack". Hacking is a word for a lot of knowledge that has to do with computers, networking and their security. Maybe this is a place for some of you to start?
The Simple CGI-Hacking Tutorial / Written by P2K for Neworder (http://neworder.box.sk)
<=====================================================================>
01/12/2001, version 1.3 (First Released Version)
Table of Contents
<================>
1.1 Disclaimer
1.2 Introduction
1.3 What are CGI-Scripts?
1.4 Hacking CGI-Scripts / Using CGI-Scripts to hack
1.5 Why are (some) CGI-Scripts easy to hack?
1.6 Vulnerable scripts and how do I hack them?
1.7 How do I find vulnerable sites?
1.8 Possible Solutions
1.9 After Word
1.1 Disclaimer:
<=============>
In no way does the author of this tutorial or Neworder encourage any sort of illegal activities
This tutorial's only purpose is to inform and teach about security problems regarding CGI-Scripts
and possible solutions to these problems. The author nor Neworder can be held responsible for anything you do with regards to the knowledge in this tutorial. Be a true hacker, learn and
help others (to learn).
1.2 Introduction:
<===============>
Some time ago I ended up in some CGI-BIN directory, somewhere on the web. I had seen CGI-BIN directories before, but to be honest I never really knew what they did or what they were there for. Probably out of boredom, I started browsing the subdirectories and saw that these dirs contained all sorts of different scripts. CGI-Scripts. I was rather intrigued when I also found a file named password.txt and another file which contained a username and password combination. Could it be that this kind of information was just lying around here, for anyone to see? The answer is yes. So I decided to read some papers on CGI, perl and CGI-Security. I found out that what I had been doing was a simple sort of.....CGI-Hacking.
1.3 What are CGI-Scripts?
<=======================>
I know you probably can't wait to start learning to hack CGI-Scripts, but first you will have to know a little bit about the CGI-Scripts themself. CGI stands for Common Gateway Interface. CGI-Scripts allow web pages to communicate and interact with executeable programs on the server. For example: When you subscribe to a mailinglist (newsletter) your email-address will be added to some mailinglist so you wil receive a weekly or daily e-mail. This proces is fully automatic. No webmaster has to go and add all these email-addresses to some list. A CGI-Script does this for him. Another example is a Bulletin Board script. When a visitor posts a message on a bulletin board, a CGI script will turn this message into a nice looking html page, containing the posted message.
1.4 Hacking CGI-Scripts / Using CGI-Scripts to hack
<=================================================>
There's an important difference between these two things. Using CGI-Scripts to hack is a way to exploit vulnerabilities in CGI-Scripts to gain acces to a server. This is a somewhat more complicated matter than hacking CGI-Scripts, but these two topics have a lot to do with each other. In this tutorial I will discuss "Hacking CGI-Scripts". "Using CGI-Scripts to hack" might be a subject for a next tutorial. Or not :-)
1.5 Why are (some) CGI-Scripts easy to hack?
<==========================================>
A lot of scripts that are used on the internet are free CGI-Scripts written by hobbyists, who have put a lot of time and effort into them. These scripts are freely available on the web, for anyone to use. But some of these scripts have huge security problems, which could be exploited to hack the script. So why are they easy to hack? They are written by hobbyists, they are often not written with security in mind and since these scripts are free, they are used a lot, which means there's a lot of possible victims out there.
1.6 Vulnerable Scripts and How Do I Hack 'm?
<==========================================>
--> Calendar CGI Script by Matt Kruse
One of the scripts that I found vulnerable is the Calendar Script. This script is, like the name says, a script which makes it possible to have a calendar on your website. The calendar script is located in the CGI-BIN directory, most often in a subdirectory called "calendar". The config file: calendar.cfg contains the administrator username and password that are needed to alter the scripts settings. This username and password combination can be found at the absolute end of the calendar.cfg file. However, they are both encrypted (most often in DES). Just download John The Ripper and a big dictionary and you will easily crack most passwords. (See the blacksun tutorial on how tu use John)
The calendar.cfg file is most often located at the folowing address:
http://www.foobar.com/cgi-bin/calendar/calendar.cfg
After cracking the password/username you should go to the Admin Control Login at:
http://www.foobar.com/cgi-bin/calend...admin.pl?admin (Hence the ?admin after the calendar_admin.pl file)
-->WebBBS Script by Darryl C. Burgdorf
WebBBS Script is a webbased Bulletin Board System. The WebBBS directory contains a profiles dir which in its turn contains profiles of people who have an account for the Bulletin Board. (Passwords) These passwords are also encrypted. (Use John The Ripper!)
You can probably find the txt-files containing userprofile at this location:
http://www.foobar.com/cgi-bin/webBBS/profiles/)
-->WebAdverts Script by Darryl C. Burgdorf
WebAdverts Script is a script which allows webmasters to display rotating banners/adds on their webpages. Eventually you can use the password and username combination to replace banners with your own, create new banner accounts, delete accounts, view sensitive info, etc etc.
The location of the Webadverts password is:
http://www.foobar.com/cgi-bin/advert/adpassword.txt
When you have decrypted the password visit:
http://www.foobar.com/cgi-bin/advert/ads_admin.pl to login as script administrator
-->WWWBoard Script
WWWBoard is another webbased Bullentin Board
The password to the script can be found in a file called "password.txt" (wouldn't you know!)
Just do a search for cgi-bin/wwwebboard or webboard/password.txt
-->Mailmachine Script
Mailmachine.cgi is a webbased mailinglist. You should look for the file addresses.txt which lists all the emailaddresses of people that have subscribed to that particulair list. It is then possible to take these e-mailaddresses and unsubscribe people from the list, at the subscribe/unsubscribe html page. (This also works with several other mailinglist scripts.)
A lot of other CGI-Maillists have the same problem...they have the maillist itself (the list with the subscribed addresses) visible to the public.
The lists can often be found at these urls:
http://www.foobar.com/cgi-bin/mailman/addresses.txt
http://www.foobar.com/cgi-bin/maillist/addresses.txt
http://www.foobar.com/cgi-bin/mail/addresses.txt
You could also just do a search for addresses.txt, but sometimes the addresses file is called different.
After finding the list, all you need to do is visit a page like this:
http://www.foobar.com/cgi-bin/maillist/subscribe.htm
(Snoop around in the maillist dir and the cgi-dir untill you find the page where you can unsubscribe. Often this is on the homepage or on the page for the maillinglist.)
There are a lot more scripts out there that are vulnerable to these simple kind of attacks.
You should go browsing CGI-BIN directories, look at all the files you can find and see if you can find anything interesting. You'll learn to find your own vulnerabilities this way.
I can't mention all vulnerable CGI-Scripts in this tutorial but I think that for the moment you've got enough of 'm to get started.
1.7 How do I find vulnerable sites?
<=================================>
First of all I would like to say that you shouldn't go hacking every CGI-Script you can find.
Try to learn things, gain knowledge. Maybe even learn Perl (The language in which most CGI-Scripts are written.) Try to find out why these scripts are insecure and search for solutions. I had a lot of fun searching for vulnerable sites and than e-mailing the webmaster about the problem. They all reacted in a very friendly way, thinking that I was some uberhacker warning them about huge securityproblems. (Not entirely beside the truth). This made me feel really good, it was huge ego-boost. These people usually don't know much about anything. They'll be greatfull and look up to you. (Remember to be polite!)
There's a very easy way to find vulnerable sites. Just visit www.google.com or www.altavista.com. In contrary to other search engines, these search engines are metacrawlers, which basically means that they find every page containing the words cgi-bin or cgi-bin/calendar.cfg or cgi-bin/password.tx etc. etc. Whenever you do a search for cgi-bin/passwords.txt or something else you'll find a lot of results. However, if you do not find what you are looking for in that dir, try going up one level (dir) higher, to the cgi-bin dir. (If it is not locked) Here you'll probably see multiple dirs for different CGI-Scripts. Browse them and look for interesting files, containing passwords or usernames, or other useful information. After a while you'll learn to recognise important data and you'll be on our way to discover your own vulnerabilities. Or other known vulnerabilities in scripts that I have not mentioned in this tutorial.
Also Intellitamper is a great program to use for this kind of directory browsing. It shows all files on a server. You can download it at www.intellitamper.com
(Thanks to Thran 'cause I believe it was he, who pointed this prog out to us on the board.)
1.8 Possible Solutions
<====================>
One general solution for all these vulnerabilities is to lock your CGI-BIN directory. Some directories have to be set world-writeable, because the CGI-Scripts need to do stuff, but there is no reason why your CGI-BIN directory should be visible to the public. If they can't see what scripts you're running and if they can't see the files containing the passwords, usernames or maillists than it'll be much more difficult for them to hack the scripts. However, when you decide to close the CGI-BIN to the public, make sure you also close every single subdirectory, 'cause people who can not enter the CGI-BIN dir, can then still enter cgi-bin/webbbs or cgi-bin/calendar (For example) directly.
Another solution would be to go to the bugtraq archives or any other exploitz website and do a CGI vulnerability search. Than make sure you do not use any scripts with known vulnerabilities. However, new vulnerabilities are found every day.....
1.9 Afterword
<============>
Thanks,
Read the disclaimer again!
P2K
Dear Santa, I liked the mp3 player I got but next christmas I want a SA-7 surface to air missile
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|
