//==============================\\
||  Exploiting CGI Using User   ||
||       account access.        ||
||                              ||
||        By: Lord Somer        ||
||       August 20, 1997        ||
||    For: The Hackers Layer    ||
||   http://www.lordsomer.com   ||
\\==============================//

Well, recently, about a week or two ago, I taught this lesson to hawkee of hawkee.com when he noticed his wwwboard was, hmm, sorta missing.

In most systems now you have virtual hosts who are on a sub-comp of a major system. So let's say you are a user on one of these virtual hosts; now what the hell you gonna do with your shit access? Well, find out who your host buys from and ftp to their server; you should be able to ftp in just fine. Once in as a user, since most of these servers have cgi-bin dirs, you can just cd .. a few dirs till you hit the main home dir of all the sub domains. You might see a dir listing like:

.
..
/warez950.org
/hawkee.com
/hpvca.com
/7thsphere.com

(I'm going to assume you're using CuteFTP 1.8, www.cuteftp.com.) So you find a site that looks interesting to you; let's pick hawkee.com, so we:

cd hawkee.com

then the dir list comes up as:

.
..
/ftp
/html

Well, since we know on our account the cgi-bin is in the html/cgi-bin dir, we'll go ahead in there...

cd html/cgi-bin

dir list:

.
..
/wwwboard.cgi
/wwwadmin.cgi
etc..

So let's take the common wwwboard.cgi. Open this sucker up and take a look at the first part, which will have tons of comments (lines with # at the beginning) and several vars ($sometext = something;). Once we see a "done" or end of config, just delete the rest from the screen and we get:

#!/usr/bin/perl
##############################################################################
# WWWBoard                        Version 2.0 ALPHA 2                        #
# Copyright 1996 Matt Wright      mattw@worldwidemart.com                    #
# Created 10/21/95                Last Modified 11/25/95                     #
# Scripts Archive at:             http://www.worldwidemart.com/scripts/      #
##############################################################################
# COPYRIGHT NOTICE                                                           #
# Copyright 1996 Matthew M. Wright  All Rights Reserved.                     #
#                                                                            #
# WWWBoard may be used and modified free of charge by anyone so long as      #
# this copyright notice and the comments above remain intact.  By using this #
# code you agree to indemnify Matthew M. Wright from any liability that      #
# might arise from it's use.                                                 #
#                                                                            #
# Selling the code for this program without prior written consent is         #
# expressly forbidden.  In other words, please ask first before you try and  #
# make money off of my program.                                              #
#                                                                            #
# Obtain permission before redistributing this software over the Internet or #
# in any other medium.  In all cases copyright and header must remain intact.#
##############################################################################

# Define Variables

$basedir = "/usr/home/hawkee.com/html/wwwboard";
$baseurl = "http://www.hawkee.com/wwwboard";
$cgi_url = "http://www.hawkee.com/cgibin/wwwboard.cgi";

$mesgdir = "posts";
$datafile = "data.txt";
$mesgfile = "index.html";
$faqfile = "faq.htm";

$ext = "html";
$title = "Web Board";

# Done
###########################################################################

So what the hell does this shit mean? Well, let's delete the comments and get:

$basedir = "/usr/home/hawkee.com/html/wwwboard";
$baseurl = "http://www.hawkee.com/wwwboard";
$cgi_url = "http://www.hawkee.com/cgibin/wwwboard.cgi";
$mesgdir = "posts";
$datafile = "data.txt";
$mesgfile = "index.html";
$faqfile = "faq.htm";
$ext = "html";
$title = "Web Board";

Geez, that helped ya, didn't it? Well, we don't care about the URLs; get them outta here along with the title and ext and get:

$basedir = "/usr/home/hawkee.com/html/wwwboard";
$mesgdir = "posts";
$datafile = "data.txt";
$mesgfile = "index.html";
$faqfile = "faq.htm";

So what does this mean? Well, you see that basedir var? That says all these vars are inside that, so let's just plug it in to clear it up:

$mesgdir = "/usr/home/hawkee.com/html/wwwboard/posts";
$datafile = "/usr/home/hawkee.com/html/wwwboard/data.txt";
$mesgfile = "/usr/home/hawkee.com/html/wwwboard/index.html";
$faqfile = "/usr/home/hawkee.com/html/wwwboard/faq.htm";

Well, we know that this thing has to store its posts, so where they gonna go? The mesgdir, obviously. The CGI runs as the web server's user, not as the site owner, so for it to write there the dir has to be writable by that user, and on a shared box that usually means plain world writable, which is the fatal flaw in cgi. So let's stroll over there:

cd /usr/home/hawkee.com/html/wwwboard

and you get all these html files:

1.html
2.html
...
321.html
etc..

and the mesgfile is also world writable. So where's the fun in this? Well, now we can delete his web board, change his index to his webboard, make a sub dir and fill it with files of your choice... (*hint*hint*)

So wow, we just hacked a wwwboard. Well, that might not be a big deal, but looking in cgi's you'll find hundreds of dirs you can write to; thus you can hide your data in their dirs and do whatever you like to their stuff. And even if dir listing is off to his sub dirs or his html dir, you know he'll have a cgi-bin, which will reveal a lot of info on his sys.

Another way to abuse cgi is to look for password files that it stores. 90% of the cgi's out there don't encrypt those password files, and they are always world write and read, so you can find out people's passes, which might turn out to be their real pass, or at least edit their info if it's a site list.

Good luck to all, and please check out the sites I mentioned in the beginning; we appreciate your mentions in your hacks if you use this technique. Thanks, and hope you can learn something from this method and find ways to use one exploitation to gain others. If you find some other interesting facts or would like to just mail me, then just send an e-mail to webmaster@lordsomer.com; should be answered within 2 days or so.
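As an added check from the hosting side (not part of the original article): a POSIX shell script that pulls the same $basedir, $mesgdir, $datafile, $mesgfile and $faqfile variables out of a wwwboard.cgi, resolves them against $basedir the way the walkthrough does by hand, and reports which of those locations every other local user could write to. The sample tree it builds under mktemp is constructed for the demo, not a real site.

```shell
#!/bin/sh
# Added audit example, not code from the original article: read the wwwboard-style
# config variables out of a CGI script, resolve them against $basedir the way the
# article does by hand, and report which of those paths any local user could write to.

# Print the value of one Perl scalar assignment such as  $mesgdir = "posts";
cfg_var() {  # $1 = script path, $2 = variable name (without the $)
    sed -n 's/^\$'"$2"'[[:space:]]*=[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | head -n 1
}

# Report one path; return 1 if it is world-writable (column 9 of ls -ld is the
# "other" write bit), 0 otherwise. Missing paths are reported but not counted.
check_path() {  # $1 = path
    [ -e "$1" ] || { printf 'missing        %s\n' "$1"; return 0; }
    if [ "$(ls -ld "$1" | cut -c9)" = w ]; then
        printf 'WORLD-WRITABLE %s\n' "$1"; return 1
    fi
    printf 'ok             %s\n' "$1"
}

# Audit one wwwboard.cgi; the return value is the number of world-writable
# data locations (0 means every location is safe from other local users).
audit_wwwboard() {  # $1 = path to wwwboard.cgi
    basedir=$(cfg_var "$1" basedir); findings=0
    for var in mesgdir datafile mesgfile faqfile; do
        rel=$(cfg_var "$1" "$var")
        [ -n "$rel" ] || continue
        check_path "$basedir/$rel" || findings=$((findings + 1))
    done
    return "$findings"
}

# Build a constructed sample tree (hypothetical paths, not a real site) with the
# classic shared-host mistake: posts/ is 777 and index.html is 666. Echoes its root.
make_demo_tree() {
    d=$(mktemp -d); mkdir -p "$d/wwwboard/posts"
    : > "$d/wwwboard/data.txt"; : > "$d/wwwboard/index.html"; : > "$d/wwwboard/faq.htm"
    chmod 777 "$d/wwwboard/posts"; chmod 666 "$d/wwwboard/index.html"
    chmod 644 "$d/wwwboard/data.txt" "$d/wwwboard/faq.htm"
    printf '%s\n' '#!/usr/bin/perl' "\$basedir = \"$d/wwwboard\";" '$mesgdir = "posts";' \
        '$datafile = "data.txt";' '$mesgfile = "index.html";' '$faqfile = "faq.htm";' \
        > "$d/wwwboard.cgi"
    echo "$d"
}

demo=$(make_demo_tree)
audit_wwwboard "$demo/wwwboard.cgi" || echo "$? world-writable location(s) found"
rm -rf "$demo"
```

On a real host, point audit_wwwboard at the installed script; a clean run means the posts dir and index are owned by the web server user with group or owner write only, instead of mode 777.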