Thread: CGI reversing?

  1. #1
    MalcolmXXX
    Guest

    CGI reversing?

    Need to get the info from a CGI file, but haven't got a clue how to retrieve the file.
    I am reversing a script in a website to reveal zip passwords, but need the cgi stuff to use on local drive rather than the net.
    Ideas appreciated,
    tia,
    Malc.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    carpathia
    Guest

    More research needed

    You need to examine all the various usage aspects of the CGI, and try to get some insight into what it might be doing on the server. Could it be reading from a back-end database, or perhaps just from a file? (i.e., flat files generally don't offer options to edit records using the CGI. Databases generally do.) If it's reading from a file, it may be possible to get the CGI to return itself as output.

    Also, do some research into what web server the CGI is running on. IIS has many exploits, such as the test scripts which get installed by default, allowing you to retrieve known-location text files using the MSADC codeview sample ASP. Search the usual security sites for possible exploits for that web server.

    Anyway, your first port of call should be Fravia's site busting lab. http://tsehp.cjb.net

    Regards

    Carpathia

  3. #3
    MalcolmXXX
    Guest

    A different approach

    Thanks for your input, however I found a different way around the problem.
    The project was as follows:
    A web site contained several thousand pass-protected zip files. Three files were available to download for free, but the others had to be paid for.
    Each link to the 3 files gave zip file download link plus password.
    (A small amount of lateral thinking goes on here whilst having a cocktail)... view source of page... save to local drive... change file name in script... save/reload... hey presto... any pass to any given file

  4. #4
    disavowed
    Guest
    sounds like you have what it takes to try out for www.disavowed.net

    btw, what's the site?

  5. #5
    the snake
    Guest

    to disavowed : www.disavowed.net

    Hi disavowed

    I really like the idea of your site, not sure I can pass all the tests right now, but on the programming section, I can't get the file to be calculated. Is it a problem I have or is the link wrong?
    Thanks
    the snake

  6. #6
    disavowed
    Quote: Originally posted by kataklismic
    Been trying to bruteforce anything I can get my hands on for like a year and a half now. To no avail. But I just can't and won't give up. Probably just my wordlist. But now I've been looking at the whole CGI exploits and they seem fun, just can't get any cgi-bin files to show themselves.

    be gentle with me.
    hahahahaha... don't tell me you've had jtr running for 3 years straight and not a single password?!? are you sure you're not using 3des when you should be using md5 or something like that?
    Last edited by disavowed; December 17th, 2003 at 03:12.
