PDA

View Full Version : CGI reversing?


MalcolmXXX
November 1st, 2000, 17:28
Need to get the info's from a cgi file, but haven't got a clue how to retrieve the file.
I am reversing a script in a website to reveal zip passwords, but need the cgi stuff to use on local drive rather than the net.
Ideas appreciated,
tia,
Malc.

carpathia
November 1st, 2000, 17:45
You need to examine all various usage aspects of the CGI, and try to get some insight into what it might be doing on the server. Could it reading from a back end database, or perhaps just from a file ? (ie, flat files generally dont offer options to edit records using the CGI. Databases generally do). If its reading from a file, it may be possible to get the CGI to return itself as output.

Also, do some research into what web server the CGI is running on. IIS has many exploits, such as the test scripts which get installed by default, allowing you to retrieve known-location text files using the MSADC codeview sample ASP. Search the usual security sites for possible exploits for that web server.

Anyway, your first port of call should be Fravia's site busting lab. http://tsehp.cjb.net

Regards

Carpathia

MalcolmXXX
November 16th, 2000, 15:03
Thanks for your input, however found a different way around problem.
The project was as follows:
A web site contained several thousand pass-protected zip files. Three files were available to download for free, but the others had to be paid for.
Each link to the 3 files gave zip file download link plus password.
(A small amount of lateral thinkin goes on here whilst having a coctail )....view source of page...save to local drive....change file name in script....save/reload....hey presto.......any pass to any given file

disavowed
November 16th, 2000, 19:23
sounds like you have what it takes to try out for www.disavowed.net

btw, what's the site?

the snake
November 17th, 2000, 02:06
Hi disavowed

I realy like the idea of your site, not sure i can pass all the tests right now, but on the programing section, i can't get the file to be calculated. Is it a problem i have or the link in wrong ?
Thanks
the snake

disavowed
December 17th, 2003, 03:09
Quote:
[Originally Posted by kataklismic]Been trying to brutforce anything i can get my hands on for like a year and a half now. To no avail. But i just can't and won't give up. Probably just my wordlist. But now i've been looking at the whole cgi exploits and they seem fun, just can't get any cgi-bin files to show themselvs.

be gentle with me.
hahahahaha... don't tell me you've had jtr running for 3 years straight and not a single password?!? are you sure you're not using 3des when you should be using md5 or something like that?